Cannot Authenticate using App Key and Secret

[phuze]

I cannot authenticate using my app key and secret, as described in the readme.

or alternatively you can authenticate as an App using your App Key & Secret.
$client = new Spatie\Dropbox\Client([$appKey, $appSecret]);

I do not get any meaningful exception thrown either. The response coming back:

{
    "response": {},
    "dropboxCode": null
}

However, if I pass in a token generated from the Dropbox App Console, then everything works as expected.

Any idea what might be happening here? My code is pretty straightforward. I'll note that I have confirmed my environment variables are returning the correct app key and secret strings.

<?php

namespace Something\Api\Models;

use Monolog\Logger;
use Spatie\Dropbox\Client;
use Something\Api\Exceptions\ApiException;

/**
 * Dropbox model
 * https://www.dropbox.com/developers/documentation/http/documentation
 */
class DropboxModel
{
    public function __construct(Logger $logger)
    {
        $this->logger = $logger;
        $this->key = DROPBOX_KEY;
        $this->secret = DROPBOX_SECRET;
        $this->token = DROPBOX_TOKEN;
        $this->client = new Client([$this->key, $this->secret]);
        //$this->client = new Client($this->token);
    }

    public function listAssets()
    {
        try {
            $assets = $this->client->listFolder('', true);
            return $assets;
        } catch (Exception $e) {
            $this->logger->error("[{$e->getCode()}] ERROR: {$e->getMessage()}");
            throw new ApiException("[{$e->getCode()}] Unable to list assets: {$e->getMessage()}");
        }
    }
}

I'll add that after searching through the Dropbox documentation, the only endpoints that appear to accept App Authentication, are:

/app - allows you to test connection and credentials
/token/from_oauth1 - generates oAuth access token
/get_thumbnail - fetch a thumbnail for an image

Everything else requires User Authentication (token).

I see here that there's a method, getHeadersForCredentials that's using Basic auth where the app key and secret are base64 encoded, as described in the Dropbox docs. However, this authentication method is described as "App Authentication", and referring above, virtually no endpoints support app-based authentication.

[phuze]

I think the documentation should be updated to more accurately describe that this package does not provide authentication. It's misleading.

For anyone working on a server-side implementation, what you'll want to do, is obtain a Refresh Token and store that securely as an environment variable on your server. Dropbox Refresh Tokens are long-lived, and do not expire unless explicitly revoked. You should use this Refresh Token to fetch Access Tokens (which are short-lived) as needed. This is the appropriate flow per the Dropbox team as described in their oAuth Guide and by a Dropbox dev in this community thread.

To do that, first obtain an Access Code by visiting this URL in your browser. You'll be brought to a Dropbox site to authorize your app and be presented with the access code. Note: it's important you include token_access_type=offline otherwise a refresh token wont be included in your initial access request.

https://www.dropbox.com/oauth2/authorize?client_id=<APP_KEY>&response_type=code&token_access_type=offline

Once you've obtained your Access Code, make your first request to obtain an Access Token. I'd recommend just doing this from console as you'll only need to do it once for the purpose of grabbing a Refresh Token.

curl https://api.dropbox.com/oauth2/token -d code=<ACCESS_CODE> -d grant_type=authorization_code -u <APP_KEY>:<APP_SECRET>

You should get back a response that looks something like this -- your scopes will of course be based on what you've setup for your app.

{
  "uid": "xxxxxxxxxx",
  "access_token": "xxxxxxxxxx",
  "expires_in": 14400,
  "token_type": "bearer",
  "scope": "files.content.read files.content.write",
  "refresh_token": "xxxxxxxxxx",
  "account_id": "dbid:xxxxxxxxxx"
}

Here, you're looking for the refresh_token. This is the long-lived token that you'll want to securely store in your server environment. This token will allow you to make repeated requests to /oauth2/token for fresh (short-lived) access tokens needed to interact with Dropbox API endpoints.

You can then fetch your access token like this:

private function getToken()
{
    try {
        $client = new \GuzzleHttp\Client();
        $res = $client->request("POST", "https://{$this->key}:{$this->secret}@api.dropbox.com/oauth2/token", [
            'form_params' => [
                'grant_type' => 'refresh_token',
                'refresh_token' => $this->refreshToken,
            ]
        ]);
        if ($res->getStatusCode() == 200) {
            return json_decode($res->getBody(), TRUE);
        } else {
            return false;
        }
    }
    catch (Exception $e) {
        $this->logger->error("[{$e->getCode()}] {$e->getMessage()}");
        return false;
    }
}

Example response:

{
    "token_type": "bearer",
    "access_token": "xxxxxxxxxx",
    "expires_in": 14400
}

[marcus-at-localhost]

I was facing the same problem today. Thank you so much for putting this example together, I got it working.

[phuze]

I've put together a public GIST, Dropbox API V2: PHP Authentication Process, that describes how to approach the authentication process for a server-side PHP implementation, along with ideas for caching and refreshing the token.

[freekmurze]

@phuze thanks for putting that gist together. If you want, you could PR it to our readme, so others would find the content more easily. 👍