Child Item

Getting wrong access token

Hi Team,

We have a web application in which we asks users to provide App Key and App Secret. After that we generate the access token and proceed ahead with our logic.

Recently, we faced a weird issue, we obtained App Key and App Secret from the app created in Dropbox X.

We opened up the web application in a browser where we are logged into a Dropbox Y account.

Now, while authorizing through the obtained App Key and App Secret which is from Dropbox X, it gives the access token of the App created in Dropbox Y.

Could you please help us with what could be wrong?

We are using /oauth2/authorize to obtain the access token.

Thanks in advance for your help!

Regards,

Sam

Find more posts tagged with

Developers

Comments

Greg-DB

Thanks for the report. If I understand your message correctly though, this is the expected behavior, but please let me know if I've misunderstood or misread your message.

The account that "owns" an API app (and correspondingly owns its app key and secret), that is, the account that registered that API app, is not necessarily going to be the same as the account that any particular access token for that app allows access to.

Put another way:

app key and secret: identify a particular app, and each app is "owned" by one account, but do not themselves enable access to any account
access token: identifies a particular app and user pair, but the user is not necessarily the same as the app owner above

So, regardless of who registered the app in the first place, the resulting access token is going to be connected to the account that was signed in and authorized the app on the /oauth2/authorize page.

One potential point of confusion here is where you said "it gives the access token of the App created in Dropbox Y.". Do you mean that Dropbox Y also registered an API app, and that the resulting access token is for that app? If so, how are you checking that? The access token in this scenario should be for Dropbox account Y, but for the app owned by Dropbox account X.

By the way, we generally don't recommend having users register their own apps to get their own app keys and secrets. You as the developer of the app should just do that once per app, and use the resutling app key and secret in your app, in order to get access tokens for any end-users using your app. (Once in production mode, a single app can be used by any number of users.)