Child Item

.NET API - Authorization issue

Hi all,

We have an app that relies on the business API. It creates groups, members, team folders, etc. As a team administrator, I can run it and it's working properly. My problem is that the targeted users are not able to run it. They receive an error message during the authentication flow saying that they need to be team administrator to allow the app to run. But in real life, they DO have access to the administration interface on the web, using their own dropbox account. And they can do manually all the exact same operations conducted by the app. For what I understand, they have all the required permissions, but because they are not technically "team admin", the application won't run.

For testing purposes, I created a mini-app only requiring the "groups.write" permission in the Team Scopes section. All my users have this permission because they do manage groups in their everyday life. But again: they are not team admin and can't run this (very limited) app.

Giving these users a full admin access is not an option for the top management (I've asked). I was told that they have sufficient rights and that the application should use only their current rights. Did I miss something? And if not, what is the workaround?

Thanks for your help!

Ghislain

Find more posts tagged with

Comments

DB-Des

Hi @Ghislain Sommervogel,

Only team admins are able to authorize apps with team scopes enabled. If you want to allow non-admins to connect to an app with team scopes enabled, you can request individual-only scopes by adding the necessary scopes in the scope parameter when constructing the Authorization URL.

Alternatively, if your app does not need team scopes, you can configure this by disabling the team scopes entirely from the app's Permissions settings from within the App Console. Just as mentioned above, if an individual-only scoped app will sometimes need to use team scopes, you can specify which scopes to request by setting the particular set of scopes in the scope parameter when constructing the Authorization URL.

I hope you find this information helpful!

Ghislain Sommervogel

Thank you for this information. But it's really hard to find out how to implement the scopelist parameter with the .NET SDK. I was unable to find working examples on the internet. Anyway, I decided to change the approach. We will use a generic admin user in conjonction with a refresh token, so that the users don't have to approve the app with their own rights.

Best regards,

Ghislain

Ghislain Sommervogel

Just to be more explicit on the difficulty I met with your suggestion: when some team scopes are being left checked in the application permission page, I keep on receiving error messages telling me I must be team admin to authorize the app. When I uncheck all the team items and provide a scope list, I get an error 400 as follows:

-------------------------------------------------------------------------

It seems the app you were using submitted a bad request. If you would like to report this error to the app's developer, include the information below.
More details for developers

No scope requested can be granted for this app.

-------------------------------------------------------------------------

When I search for information about this error message, I find that I need to declare all the scopes in the settings. It's a vicious circle!

Greg-DB

@Ghislain Sommervogel Thanks for following up. I'm sorry to hear about the difficulty you've had configuring this. So that we can take a closer look at this error and offer some help, can you share the full URL of the page showing this error?

Ghislain Sommervogel

Hi Greg, yes, sure:

https://www.dropbox.com/oauth2/authorize?response_type=token&client_id=qh66b8nksm8ygyl&redirect_uri=http%3A%2F%2F127.0.0.1%3A52475%2Fauthorize&state=87bcd8a3f6ea440496a9fc373a776c27&token_access_type=legacy&scope=groups.write

But don't spend too much time on this, because - as I said - we switched to another approach. I ran into a new problem with the refreshtoken setup, but I will expose it in a new thread.

Have a nice evening!

Ghislain

Greg-DB

Thanks! Yes, to confirm, this URL is requesting only the "groups.write" scope, via the "scope=groups.write" parameter, but the app for that client_id doesn't currently have "groups.write" enabled, so this request can't be serviced, and accordingly this error is returned. To avoid this error, you would need to either not request this scope in the URL, or enable this scope on that app (which may involve enabling other scopes it depends on).

Ghislain Sommervogel

Hi Greg, I agree but when I enable this scope in the app, the user is then required to be team admin to authorize the app. That is where the vicious circle stays.