Child Item

Using refresh token without client secret

I am using the PKCE flow for my electron based desktop & web app app and am trying to migrate for the new short lived tokens everywhere flow. I am able to get a refresh token by providing

token_access_type=offline

Now I am wondering how I can request a new accessToken without exposing my APP_SECRET (https://www.dropbox.com/developers/documentation/http/documentation#oauth2-token).

Is there a way to do so?

Find more posts tagged with

API

Abuse

Accepted answers

Greg-DB

Yes, the PKCE flow in particular is a version of the OAuth 2 authorization flow that doesn't require the app secret, meant for client-side apps where an app secret can't be kept secret. It does so by using a 'code_challenge' on the /oauth2/authorize step and corresponding 'code_verifier' on the following /oauth2/token step, instead of the app secret. Likewise, it does not require the app secret when performing a refresh call. You can find more information in the OAuth Guide and authorization documentation.

Specifically, the /oauth2/token request using a refresh token that was retrieved via the PKCE flow to get a new short-lived access token without using the app secret would look like this:

curl https://api.dropbox.com/oauth2/token \
    -d refresh_token=<REFRESH_TOKEN> \
    -d grant_type=refresh_token \
    -d client_id=<APP_KEY>

All comments

Greg-DB

Specifically, the /oauth2/token request using a refresh token that was retrieved via the PKCE flow to get a new short-lived access token without using the app secret would look like this:

curl https://api.dropbox.com/oauth2/token \
    -d refresh_token=<REFRESH_TOKEN> \
    -d grant_type=refresh_token \
    -d client_id=<APP_KEY>

johannesjo

Thanks for the quick response. Unfortunately this leads to an `invalid_request` error (400):
```

The request parameters do not match any of the supported authorization flows. Please refer to the API documentation for the correct parameters.

```

johannesjo

Never mind! I had the wrong Content-Type header set. Seems to work fine now. Thank you very much!

Maybe this should be added to the documentation under the examples section?

Greg-DB

Thanks for following up. I'm glad to hear you got this working.

Yes, I've asked the team to add that example to the documentation.