I'm using the .NET API for v2 using the code flow scenario. I was under the impression that this is what you use to get a refresh token you can save and re-use to get new access tokens after the user authorizes your app once.
After doing a call like below, I navigate to the URI the call provides.
var redirect = DropboxOAuth2Helper.GetAuthorizeUri(OAuthResponseType.Code, AppKey, RedirectUri, user.ConnectState);
I parse the result for the code parameter which I then feed to ProcessCodeFlowAsync(). That only works to get the access token once. If I save and try to use it again, I get "code has already been used : invalid grant" errors.
I thought what I was getting was a refresh token, but repeatedly feeding it to ProcessCodeFlowAsync is not working. How do I get a refresh token that I can use repeatedly to get access tokens without having to have the user authorize every time? I am caching and re-using the auth token, not the access token, by the way.
To update your access token, call the /oauth2/token endpoint - specifying your refresh_token as a parameter and using the grant_type of refresh_token. The endpoint will return a new short-lived access token and a timestamp indicating its expiration time. Working with refresh tokens is easier with an SDK.
This protection mechanism works regardless of whether the legitimate client or the malicious client is able to exchange refresh token 1 for a new token pair before the other. As soon as reuse is detected, all subsequent requests will be denied until the user re-authenticates.
That token will last for 4 hours, before expiring. It's enough to test your app, but not for long-term use. We'll cover how to create a long-lived access token (with a refresh token) shortly.
To get a refresh token, you must include the offline_access scope when you initiate an authentication request through the /authorize endpoint. Be sure to initiate Offline Access in your API. For more information, read API Settings.
The Dropbox API doesn't use refresh tokens. Instead, you should just store and re-use the access token you get at the end of the app authorization flow.
The user or app can revoke an access token at any time though, so if/when API calls start failing due to a revoked access token, you can prompt the user to re-link the app if they want to continue using the integration, so the app can get a new token.
(The "code" you pass to ProcessCodeFlowAsync is an "authorization code", which is not re-usable.)
The accepted answer was probably correct at the time but Dropbox API now does support refresh tokens.
Check the Refresh token section here: https://www.dropbox.com/lp/developers/reference/oauth-guide
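The refresh step described above (POST to /oauth2/token with grant_type=refresh_token), as an added example that is not part of the original posts and is not Dropbox SDK code. It keeps the one-time authorization code out of the picture entirely: only the stored refresh token is reused. Assumptions not stated on this page: the host api.dropboxapi.com, the client_id/client_secret form fields, the expires_in response field, and the class name RefreshingTokenSource.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

// Added example (hypothetical class): trades one stored refresh token for
// short-lived access tokens on demand. Not thread-safe; add a lock if shared.
public sealed class RefreshingTokenSource
{
    // Host is an assumption; the page only names the /oauth2/token path.
    private const string TokenUrl = "https://api.dropboxapi.com/oauth2/token";
    private static readonly TimeSpan Skew = TimeSpan.FromMinutes(5);

    private readonly HttpClient _http;
    private readonly string _appKey, _appSecret, _refreshToken;
    private string _accessToken;
    private DateTimeOffset _expiresAt;

    public RefreshingTokenSource(HttpClient http, string appKey, string appSecret, string refreshToken)
    {
        _http = http; _appKey = appKey; _appSecret = appSecret; _refreshToken = refreshToken;
    }

    public async Task<string> GetAccessTokenAsync()
    {
        // Reuse the cached access token until it is within Skew of expiry.
        if (_accessToken != null && DateTimeOffset.UtcNow + Skew < _expiresAt)
            return _accessToken;

        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "refresh_token",
            ["refresh_token"] = _refreshToken,
            ["client_id"] = _appKey,        // assumed field name
            ["client_secret"] = _appSecret, // assumed field name
        });
        using var resp = await _http.PostAsync(TokenUrl, form);
        if (!resp.IsSuccessStatusCode)
            // Typically invalid_grant after revocation: the user must re-link the app.
            throw new InvalidOperationException($"Token refresh failed ({(int)resp.StatusCode}); re-authorization required.");

        using var json = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        _accessToken = json.RootElement.GetProperty("access_token").GetString();
        _expiresAt = DateTimeOffset.UtcNow.AddSeconds(json.RootElement.GetProperty("expires_in").GetInt32());
        return _accessToken;
    }
}
```

The refresh token and app secret are long-lived credentials, so load them from a protected store rather than source code, and keep the response body out of logs and exception messages.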