New Dropbox API Updates

Question

Hello @Greg-DB

I received an email from Dropbox - Action Required: Important Dropbox API Updates.

I have an existing Dropbox app that uses old way of scopes/permissions and long-lived access tokens.
What changes do I need to do on the following 2 Dropbox API updates ?

------------------------------------------------------------------------------------------------------------------------------
1. As a reminder, on September 30th, 2021, the Dropbox OAuth flow will no longer return new long-lived access tokens. 
It will instead return short-lived access tokens, and optionally return refresh tokens. Existing tokens are not impacted.

Apps that require background access will need to update their code to use refresh tokens, which is made easier by using our updated SDKs. 
All other apps should ensure that users are directed to re-authorize upon token expiration.
---------

Qs 1A) I have an existing app that stores long-lived access token in the database by asking users to do one-time authroization.
Do I need to migrate these customers to short-lived access tokens or will the old long-lived access tokens work ?

Qs 1B) For new customers, what design changes are required to be done by me ?
Do I need to store both short-lived tokens and refresh token or just refresh token in database ?
What is the life time of refresh token ? What happens wehn the refresh tokens expire ?
In case refresh token expires, do I need to re-authorize users to get new short-lived access token and refres tokens ?
Ideally I want to just ask users to sign-up/authorize once.
-------------------------------------------------------------------------------------------------------------------------------

2. The Dropbox API now supports more granular permission scopes. 
While you review your application’s OAuth flow, be sure to check for scopes that may not be required.

Qs 2A) I have existing users who have granted permissions using the old way.  Are these impacted ?

What about new users - do I need to modify scopes/permissions for my Dropbox App or will my App be automatically be updated to new scopes.

Thanks,
Gagan

Greg-DB · Accepted Answer

1A) The creation of new long-lived access tokens is now considered deprecated, but we don't currently have a plan to disable existing long-lived access tokens. (If that changes, we will of course announce that ahead of time.) That being the case, you can continue using existing long-lived access token(s). You do not need to have these existing users re-authorize the app.

1B) For new users, you should use the new short-lived access token and refresh token functionality. You can find more information in the OAuth Guide and authorization documentation. You do not technically need to store the short-lived access tokens, only the refresh tokens, since you can use the refresh tokens to get new short-lived access tokens on demand.

Refresh tokens do not expire by themselves, unless/until revoked, e.g., by the app or user. If a refresh token is revoked, you should send the user through the authorization flow to get a new one, if they wish to continue using the integration. (This is just like with revoked long-lived access tokens.)

2A) Migrating to scopes does not impact existing access tokens. Existing access tokens will continue to have whatever permission they were originally granted.

You should migrate your app to scopes and select only the scopes needed for your app. You can migrate your app using the "Permissions" tab of the app's page on the App Console. You can see which scope is required for each endpoint in the API documentation.