
I'm new to OAuth, and it took me a while to find out that I had to put "Authorization: Bearer {{my access token here}}". So I was hoping to ask this question.

I open this link in a tab every time my add-on starts:

'https://www.dropbox.com/1/oauth2/authorize?client_id=' + authParam_client_id + '&response_type=' + authParam_response_type + '&redirect_uri=' + authParam_redirect_uri + '&force_reapprove=' + authParam_force_reapprove + '&disable_signup=' + authParam_disable_signup;

However, is there an easier way? Once the user has allowed my app for the first time, I shouldn't have to open a tab for him to click that allow button, right?

Oh, an aside: where is this auth bearer thing documented?

Thanks guys!

1 Answer

First, just for the sake of clarity, note that everything in your question is specifically about OAuth 2. There was also a previous specification called OAuth 1. The Dropbox Core API (v1) supports both OAuth 1 and OAuth 2, with OAuth 2 being preferred. Dropbox API v2 only supports OAuth 2.

As far as documentation is concerned, the actual documentation for OAuth 2 itself is the official spec, available here:

https://www.rfc-editor.org/rfc/rfc6749

For the Dropbox OAuth 2 endpoints in particular, the documentation is here:

https://www.dropbox.com/developers/core/docs#oa2-authorize

There's also a useful blog post here:

https://www.dropbox.com/developers/blog/45/using-oauth-20-with-the-core-api

In addition, there's a more general guide here:

https://www.dropbox.com/developers/reference/oauthguide

Once you have an access token for a user, you can store and re-use that access token. Dropbox OAuth 2 access tokens don't expire by default (though the user or app can manually revoke them), so your app can just re-use the existing access token for a user as necessary, without sending them through the app authorization flow each time.

The access token is just a string, so you can store it using whatever data persistence method is available to your app. Access tokens are very sensitive pieces of information though, so be sure to secure them with whatever means available and necessary for your app.


3 Comments

Ah, I see. Thanks very much. So through that auth flow, clicking that allow button is the only way to get the token, I just have to persist it, and if I come up with a bad token, I have to send them to the allow page again? Thanks very much for replying even though mine was OAuth specific. I'll check those links; that blog is spectacular and, I think, exactly what I was looking for!
That's correct, if an access token is revoked, subsequent API calls will fail with a 401 error code, at which point your app would have to prompt the user to re-authorize the app if they want to use it again so it can get a new access token.
Ah perfect thanks for that! I was wondering how to detect bad token! Thanks!
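
The flow described in the answer and comments above, as an added example that is not part of the original posts: reuse the stored token, send it as a Bearer header, and open the authorize page only when no token is stored or the API answers 401. The names tokenStore, httpRequest, openAuthTab and makeFakeDeps are hypothetical stand-ins for the add-on's own storage, HTTP client and tab opener.

```javascript
// Added example; tokenStore, httpRequest and openAuthTab are hypothetical
// helpers the add-on would supply (storage, HTTP client, tab opener).
const AUTHORIZE_URL = 'https://www.dropbox.com/1/oauth2/authorize'; // from the question

// Build the authorize URL with every query parameter URL-encoded.
function buildAuthorizeUrl(params) {
  return AUTHORIZE_URL + '?' + new URLSearchParams(params).toString();
}

// Call the API with the stored token. Only when no token is stored, or the
// server answers 401 (token revoked), is the user sent back to the allow page.
async function callWithStoredToken(apiUrl, authParams, deps) {
  const { tokenStore, httpRequest, openAuthTab } = deps;
  const token = await tokenStore.get();
  if (!token) {
    openAuthTab(buildAuthorizeUrl(authParams));
    return { authorized: false, response: null };
  }
  const response = await httpRequest(apiUrl, {
    headers: { Authorization: 'Bearer ' + token },
  });
  if (response.status === 401) {
    await tokenStore.clear(); // never keep retrying a revoked token
    openAuthTab(buildAuthorizeUrl(authParams));
    return { authorized: false, response };
  }
  return { authorized: true, response };
}

// Constructed in-memory stand-ins so the example runs offline.
function makeFakeDeps(initialToken, revokedTokens) {
  let stored = initialToken;
  const opened = [];
  return {
    opened,
    tokenStore: {
      get: async () => stored,
      clear: async () => { stored = null; },
    },
    httpRequest: async (url, options) => {
      const sent = options.headers.Authorization.replace('Bearer ', '');
      return { status: revokedTokens.includes(sent) ? 401 : 200 };
    },
    openAuthTab: (url) => { opened.push(url); },
  };
}
```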
