Child Item

Qt OAuth get refresh token

Hi,

I try to get my refresh token after going throw the basic authentification flow with PKCE.

Here my code :

connect(m_auth, &QAbstractOAuth2::authorizationCallbackReceived,[=](const QVariantMap data){
  if (false == data.isEmpty())
  {
     QString authCode = data.value("code").toString();
     if(!authCode.isEmpty())
     {
        qDebug() << authCode; //GOT an authentification Code
        QVariantMap parameters;
        parameters.insert("code", authCode);
        parameters.insert("grant_type","authorizatioon_code");
        parameters.insert("client_id",apiKey);
        parameters.insert("client_secret",apiSecret);

        QNetworkReply *reply = m_auth->post("https://api.dropboxapi.com/oauth2/token",parameters);
        connect(reply, &QNetworkReply::finished,this,&MyClass::getRefreshToken);
     }
  }
});

void MyClass::getRefreshToken()
{
    auto reply = qobject_cast<QNetworkReply*>(sender());
    Q_ASSERT(reply);

    const auto data = reply->readAll();
    qDebug() << "data " << data;
}

I got this error :

"{\"error\": \"invalid_request\", \"error_description\": \"Can't use \\\"Authorization\\\" header and \\\"client_secret\\\" arg together.\"}"

Find more posts tagged with

API

Abuse

Accepted answers

Greg-DB

Please note that when calling /oauth2/token, you should not include an access token. The /oauth2/token endpoint can be used to exchange an authorization code for an access token and optional refresh token, or to use a refresh token to get a new access token. It does not itself expect or accept an access token as input. When calling /oauth2/token, the "Authorization" header is a way to supply the app key and secret, as an alternative to the client_id and client_secret parameters. You can find more information in the documentation for /oauth2/token, as well as this blog post which contains a useful example.

You should only set the redirect_uri parameter on /oauth2/token if you used a redirect_uri on /oauth2/authorize when retrieving the authorization code, and if so, it must exactly match that redirect_uri value.

All comments

Greg-DB

This error message is indicating that the request contained both an "Authorization" header as well as the client_id and/or client_secret parameter. While Dropbox accepts the app key and secret in either, you should only use one or the other. That is, the request needs to contain either only the "Authorization" header or only the client_id and client_secret parameters.

In your code, I see you are setting the "client_id" and "client_secret" parameters. I don't see you explicitly setting the "Authorization" header, so it looks like you're either setting it in some other version or part of the code not shown here, or it's being set by your network client automatically. Either way, you'll need to debug that you make sure you only set one or the other. We can't provide support for Qt/QNetworkReply in particular though, as it's not made by Dropbox.

By the way, you have a typo in "authorizatioon_code"; it should be "authorization_code".

sarahModulo

In postman I have the same issus if I set an Access Token in Authorization part.

Here the post request "https://api.dropboxapi.com/oauth2/token?code=<AuthorizationCode>&grant_type=authorization_code&client_id=<api_id>&client_secret=<api_secret>"

error

{

"error": "invalid_request",

"error_description": "Can't use \"Authorization\" header and \"client_secret\" arg together."

}

if I remove client_id and client_secret from the post request

post request : "https://api.dropboxapi.com/oauth2/token?code=<AuthorizationCode>&grant_type=authorization_code"

error

{

"error": "invalid_request",

"error_description": "The request parameters do not match any of the supported authorization flows. Please refer to the API documentation for the correct parameters."

}

If I remove my Access Token in Authorization part

with post request "https://api.dropboxapi.com/oauth2/token?code=<AuthorizationCode>&grant_type=authorization_code&client_id=<api_id>&client_secret=<api_secret>"

error

{

"error": "invalid_grant",

"error_description": "redirect_uri mismatch"

}

But Callback URL is the one I set in my dropBox Api... Should I put an other redirect_uri ? And which one ? And where should I set it ? In Param section or Authorization section ?

Greg-DB

Здравко

@sarahModulo wrote:
...
...
        QNetworkReply *reply = m_auth->post("https://api.dropboxapi.com/oauth2/token",parameters);
...
I got this error :
"{\"error\": \"invalid_request\", \"error_description\": \"Can't use \\\"Authorization\\\" header and \\\"client_secret\\\" arg together.\"}"

Hi @sarahModulo,

Yes, that's normal. The post method you're using implies authentication (i.e. includes 'Bearer' authentication). You are doing something the class you're using already implements. 😉 You're repeating in your code something already done! This explains the received error message. Read the documentation with bit more care.

Use the same post method to only call all regular API calls (i.e. the calls intended to use 'Bearer' authentication), not to call intended to receive any kind of token (as you are using incorrectly now).

Hope this gives direction.