We Keep Coding

Getting a new refresh token when using one to get an access token dropbox v2 api

In Refresh token is not returned from Dropbox API when using grant_type=refresh_token
The poster asks why he's not getting a new refresh token when using the new dropbox v2 api.
The answer is that it's not needed. Refresh tokens don't expire from dropbox unless revoked.
Is that still the case? I'm reading in https://developers.dropbox.com/oauth-guide
That "When using refresh tokens, your call to the /oauth2/token endpoint with the grant_type of authorization_code will return a new short-lived access token and a new refresh token, which should be securely stored."
But I'm still not seeing a refresh token when I use one to get an access token.
Request:
POST https://api.dropbox.com/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: api.dropbox.com
Content-Length: 363
Expect: 100-continue
Connection: Keep-Alive
refresh_token=<TOKEN>&grant_type=refresh_token&client_id=<ID>&client_secret=<Secret>&scope=account_info.write+account_info.read+files.metadata.write+files.metadata.read+files.content.write+files.content.read+sharing.write+sharing.read+file_requests.write+file_requests.read+contacts.write
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/javascript
Date: Thu, 29 Apr 2021 13:30:50 GMT
Pragma: no-cache
Server: envoy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Server-Response-Time: 35
Vary: Accept-Encoding
X-Dropbox-Response-Origin: far_remote
X-Dropbox-Request-Id: 744233e362ac4b20a00e7a862ae90a16
Content-Length: 395
{"token_type": "bearer", "access_token": "token", "expires_in": 14400, "scope": "account_info.read contacts.write file_requests.read file_requests.write files.content.read files.content.write files.metadata.read files.metadata.write sharing.read sharing.write"}
I'm using the .net api to exchange my refresh token for an access token. But don't see how I'd get the new refresh token back even if it was on the wire. Which it does not appear to be. The refresh tokens themselves don't seem to be expiring when I use them to get access tokens. Will that change in the future?
_DropBoxClient = new DropboxClient(string.Empty, dbap.RefreshToken, sApiKey, sApiSecret, config);
var newScopes = new string[]
{
"account_info.write",
"account_info.read",
"files.metadata.write",
"files.metadata.read",
"files.content.write",
"files.content.read",
"sharing.write",
"sharing.read",
"file_requests.write",
"file_requests.read",
"contacts.write"
};
bool success = Task.Run<bool>(async () => await _DropBoxClient.RefreshAccessToken(newScopes)).Result;

The Dropbox API /oauth2/token endpoint does not return a new refresh token during the refresh process, nor are there plans to make it do so. The official documentation for the Dropbox /oauth2/token endpoint can be found here.
The Dropbox OAuth Guide is referring to when you call /oauth2/token for grant_type=authorization_code, i.e., when first exchanging the authorization code for a short-lived token and (optional) refresh token. (Apologies the "new" there is misleading. We'll fix that up.)
When you call /oauth2/token for grant_type=refresh_token, i.e., when using a refresh token to get a new short-lived access token, it will not return another refresh token.

How to Validate an Access Token for OAuth2 + PCKE flow

According to this document
https://developers.onelogin.com/openid-connect/guides/auth-flow-pkce
Token Endpoint for PCKE flow is None (not Basic or POST)
So, how can I use the validation token API https://developers.onelogin.com/openid-connect/api/validate-session because it supports Basic authentication or POST but not for None (PCKE) I can't find any information relate to this.
NOTE: I have tried to request with Basic authentication and without + client_id, client_secret as a parameter but not working.
response 401 Unauthorized
{
"error": "invalid_client",
"error_description": "client authentication failed"
}

I'm using OIDC with PKCE, and I managed to call the https://openid-connect.onelogin.com/oidc/token/introspection endpoint with a token retrieved via the authorization code flow:
$ curl -i -d "token=...&token_type_hint=access_token&client_id=..." https://openid-connect.onelogin.com/oidc/token/introspection
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Content-Length: 304
Content-Type: application/json; charset=utf-8
Date: Thu, 25 Apr 2019 23:37:42 GMT
Pragma: no-cache
X-Powered-By: Express
Set-Cookie: ol_oidc_canary_040819=false; path=/; domain=.onelogin.com
{"active":true,"sub":"...","client_id":"...","exp":1558819177,"iat":1556227177,"sid":"...","iss":"https://openid-connect.onelogin.com/oidc","jti":"...","scope":"openid profile email"}
Both the access_token and refresh_token returned from the auth code flow https://developers.onelogin.com/openid-connect/api/authorization-code-grant worked, and the access_token only returned {"active":false} after it expired.
Make sure you are not setting the Authorization header, and only set your client_id in the payload.

Use client_id and code_verify in the POST body. That will authenticate the request on that endpoint.

WebDAV return 401 - How to authenticate?

I have a problem with WebDAV. I have to get a list of files. I have this request:
<?xml version="1.0"?>
<D:searchrequest xmlns:D = "DAV:">
<D:sql>
SELECT "DAV:displayname" FROM "address" WHERE "DAV:ishidden" = false AND "DAV:isfolder" = false
</D:sql>
</D:searchrequest>
Response:
401 - Unauthorized: Access is denied due to invalid credentials.
I have user and password (who has access), but I don't know, how I can put this data to XML request.

WebDAV uses an HTTP authentication.
So you put your credentials to an HTTP header, not to the WebDAV XML in the HTTP body.
The basic HTTP authentication works like:
You get a WWW-Authenticate header from the server
WWW-Authenticate: Basic realm="server"
You include the Authorization header to the next request. The value of the header is:
Authorization: Basic username:password
where the username:password is in Base-64 encoding.
Authorization: Basic dXNlcjpwYXNzd29yZA==
For details, see
Basic access authentication on Wikipedia
RFC 7235: Hypertext Transfer Protocol (HTTP/1.1): Authentication

Datastore API always returning "dsid: Missing Value" error

I'm trying to follow the datastore API tutorial and this simple request (sent via Fiddler):
POST https://api.dropbox.com/1/datastores/get_or_create_datastore HTTP/1.1
User-Agent: Fiddler
Host: api.dropbox.com
Content-Length: 12
Authorization: Bearer [snipped]
dsid=default
always results in this error response:
HTTP/1.1 400 Bad Request
{"error": {"dsid": "Missing value"}}
The access token was created from the developer app console, and my test app has full dropbox permissions. Running the list_datastores API call succeeds and reports that I do have one datastore with a dsid of default.

I think you'll need a header of Content-Type: application/x-www-form-url-encoded, since you're sending form-encoded parameters.

Google API access token returning 400 - "invalid_request"

I'm making the following request to google oauth2 to get the access token and am getting the 400 http response with "invalid_request":
POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
Connection: keep-alive
Accept: */*
User-Agent: NING/1.0
Content-Length: 260
Content-Type: application/x-www-form-urlencoded
With the following parameters in the request body:
Map(redirect_uri -> http%3A%2F%2Flocalhost%3A8080%2Foauth%2Fgsheet, client_id -> _.apps.googleusercontent.com, code -> 4/9hzannwi_UlYWFlFEivgYXKzdGs6._, client_secret -> _, grant_type -> authorization_code)
This is really bugging me, any help/advice is greatly appreciated.

I was encoding the redirect_uri prior to making the request which was causing an issue. Not doing this solved the problem. This seems odd however as I encode the redirect_uri when sending the user to the oauth2 request page...