Child Item

App authorization drops out after inactive period?

I noticed that some subset of my users' authorizations become invalid after some time and I do not believe that the users explicitly revoke my Application access. Is it possible that the authorization is revoked after the application folder has been idle/without modifications for some time (e.g. after a year or two)? If that is the case, is there any way to prevent this from happening? Note that I'm not talking about short lived access tokens here (which are marked as "token expired" error - these are addressed with refresh tokens and work fine). What I'm seeing is a more permanent failure ("invalid token"). These users have static files in the app folder for read access by the application.

As a workaround I'm sending an email to users once a year or so and ask them to re-authorize the app.. But there is probably a better way to handle that.

Find more posts tagged with

API

Abuse

Comments

Greg-DB

By default, Dropbox API authorizations for your app don't become invalid and yield 'invalid_access_token' by themselves, but there a number of different ways that a Dropbox API access token can become invalid, including:

the user (or team admin) can revoke all access tokens for an app by unlinking it on any of the following Dropbox web pages:

the Connected apps page
the Security checkup page
the Team apps page on the Settings section of Business Admin console (for team-linked apps)
the team member’s page on the Members section of the Business Admin console

any client with the access token can revoke the access token by calling /2/auth/token/revoke
the GitHub-Dropbox token scanning partnership can revoke access tokens found publicly posted on GitHub
if the app uses the "app folder" access type, the access token can effectively be disabled by deleting the app folder itself in the Dropbox account, via the Dropbox website or any client
the app can be disabled
the account that owns the app can be disabled
the connected account/team can be disabled

jjsk

Thank you for the info. Does the user account itself become inactive after a while? Lets say a user signed up for the app, authorized the folder with some content (in my case they are sound samples) and then logged off and never logged back in... Would user's inactivity at the dropbox site eventually put them in some sort of a dormant or archived state? I can't think of a likely reason for losing access from the ones you listed above.. thanks.

Greg-DB

Yes, inactive accounts may be automatically disabled after a long period of time. You can find information on that here.

It sounds like your app uses "app folder" access though, so it may be likely that some users are accidentally deleting the app folder, since that can be done from any connected client or the web site.

In any case, if the Dropbox API doesn't appear to be working as expected, feel free to contact support by opening an API ticket with some samples and we can look into it.

jjsk

I see this makes more sense now. I appreciate the explanation. One last question : if my app makes some io to the app folder (eg. saves a new file) would that be sufficient to maintain access and prevent an account from idle deactivation?

I suspect that some of my users, even though interested in sharing, simply forget about their account once they published the files. They continue to access the files via a separate search web site which uses the token to retrieve the files on demand and after a year or two suddenly no longer able to access them.

Greg-DB

Yes, according to the article, activity is based on "sign-ins, file shares, and file activity (adding, editing, or deleting)", so that should work.