OAuth 2.0 for native apps

Question

Hi,

How a native app (a desktop application) can implement and use the Authorization flow without having to know/use the app's secret?

Quoting from here:

"The current industry best practice is to use the Authorization Flow while omitting the client secret, and to use an external user agent to complete the flow."

The browser of the system can be this "external user agent", but all the examples that I could find for the Java SDK (as this one) need the app-info file with the secret populated in order to work. I have tried having the secret empty or null but the authorization fails at the end with the following error:

Error in DbxWebAuth.authorize: {"error": "invalid_client: Invalid client_id or client_secret"}

Is implicit grant the only way to go?

Greg-DB · Accepted Answer

Yes, for client-side apps, you should use the "implicit" a.k.a. "token" flow. This is the version of the Dropbox OAuth app authorization flow that does not require use of the app secret.

The DbxWebAuth class in the official Dropbox API v2 Java SDK is only built for web apps though, and does not support the implicit flow. I'll pass this along as a feature request, but I can't promise if or when that might be implemented though.

There is a special flow built for Android though, in case you're running on Android. Otherwise, you'll need to implement the implicit flow directly.