dropbox-sdk-js: PKCE Flow in web environment rejects code_verifier
I am trying to implement the PKCE OAuth flow in a web environment. Therefore, I first call the API to get a one-time code:
return dropboxAuth.getAuthenticationUrl(this._redirectUrl, void 0, "code", void 0, void 0, void 0, true)
which leads to the following URL: https://www.dropbox.com/oauth2/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&code_challenge_method=S256&code_challenge=CODE_CHALLENGE
Before navigating to this link, I save the code_verifier that was generated by the Dropbox SDK. After navigating back from the URL, I get the one-time code as a param: http://localhost:5000/?code=CODE
With this code and the code_verifier I saved previously, I try to get an access token by calling (there is no method to set the code verifier, but since the app is left to navigate to the OAuth page, I somehow have to store it; therefore I set it “manually” after returning to my app, to make sure the SDK uses the same verifier that was used previously to create the challenge):
dropboxAuth.codeVerifier = verifier;
const accessToken = await dropboxAuth.getAccessTokenFromCode(this._redirectUrl, code);
which leads to the following URL:
and the following result returned from Dropbox:
{"error_description": "invalid code verifier", "error": "invalid_grant"}
I have checked multiple times by debugging: the code_verifier sent to the token endpoint matches the code_verifier generated by the Dropbox SDK before navigation to the OAuth page happens.
Am I missing something here? Any help is highly appreciated.
SDK version: 9.0.0
Browsers: Firefox 84.0.2 (64-bit); Chrome 87.0.4280.141 (Official Build) (64-bit)
About this issue
- State: closed
- Created 3 years ago
- Comments: 19 (8 by maintainers)
For reference, the new example for using PKCE in the browser can be found here.
It’s not working for me either. I just provided a standalone example that does not require “extracting” and storing, and after reload “inserting”, the codeChallenge and codeVerifier. From what I understand, Dropbox is currently not offering a non-deprecated authentication for unhosted/serverless JS apps that does not force the user to re-authenticate every four hours.
Is that correct?
Thanks for writing this up! I’m checking with the team on this.
This should be fixed as of v9.4.0. Please reopen this issue if it was not resolved.
@greg-db I am using the same flow as @FloppyNotFound and it appears that in fact version 9.x is not working anymore. Downgrading to 8.x with the same code fixes the issue for now. I followed the upgrade guide and used the promises for the auth URL, but I do get the same error as described here.
@Blodhgard I don’t have an update on this right now. I’ll check in on it again.
I have the same problem with the verifier. The backend returns the same error.
It is not clean to set those variables in this way. I suggested inserting a method, since I do not want to break the implementation if they change the variable names or other internal things.