dropbox/dropbox-sdk-java

Android SDK: Start code flow & get an authorization code for a server side application that requires background access

guillermomuntaner opened this issue · 3 comments

We have a use case that requires "offline" server background access, so we are migrating away from the implicit flow due to the change to short lived access tokens.

As we have a server, which can keep the secret and participate in the OAuth flow, we think the best choice is using a code flow.

Our Android client would then need to start the authorization code flow, with the "offline" access type token, get the authorization code & forward it to our server, which will then exchange it for the access token and refresh tokens.

The utilities I find are all for full authorization flows on the client, either implicit or PKCE.
Does the SDK provide utilities for this?

Thanks in advance!

While the Dropbox Java SDK does support both web apps and Android apps, it wasn't designed with the intent to combine both environments like that.

For instance, the Android example uses the startOAuth2PKCE functionality built for the Android platform, but I believe that doesn't offer a way to extract just the authorization code to pass it elsewhere.

Does your server have a web UI front-end though? The SDK also provides DbxWebAuth functionality, which is meant for web apps, e.g., as shown in this example. If that's an option for you, it may be best to just use that. You could potentially have your Android app open the address in the system browser to streamline that a bit if you want.

(By the way, in your third paragraph you note that you would start 'with the "online" access type token' and then get "refresh tokens", but note that you would need to start with the "offline" type to get refresh tokens, regardless of where each step is handled.)

@greg-db I also considered using PKCE, as it seems good enough. However, at the moment none of the public Auth.startOAuth2PKCE methods allow you to explicitly set the access type token, and currently it seems an implementation detail that "offline" is used. Is this somehow granted? (I am not aware of a connection between PKCE and offline access.)

The web server approach could work, but it is a pity to lose the chance to complete the flow in the Dropbox app, plus it comes with its own complexity (requests to our server from a browser, implementing a redirect scheme to go back to the app at some point, etc.) which implies rebuilding pieces of this SDK. Might end up going for it though.

Thanks for the clarification & direction hints!

PS I indeed intended to mean the "offline" access type token, fixed for future reference.

That's correct, Auth.startOAuth2PKCE currently only supports the "offline" type. There's technically no requirement that PKCE and offline access be used together; this method just wasn't written to support configuring that. (For the non-Android-specific flow though, there is also DbxPKCEWebAuth, which does support configuring the token type.)

Anyway, yes, unfortunately using DbxWebAuth (or DbxPKCEWebAuth) means you lose the ability to use the official Dropbox app to complete the authorization. Apologies, I don't have a better solution to offer for that!
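The split the thread asks for (the client starts the code flow with the "offline" token type and PKCE, the server redeems the code with the app secret), written out at the raw OAuth 2.0 parameter level rather than with the SDK classes, as an added example that is not part of this issue or of dropbox-sdk-java. The app key, secret, redirect URI and state value are illustrative placeholders; only the Dropbox endpoints and parameter names are real. It also shows that the server needs the client's code_verifier alongside the code, which is why the two halves cannot be split without the client handing over both.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Real Dropbox OAuth 2.0 endpoints; everything else below is a placeholder.
AUTHORIZE_URL = "https://www.dropbox.com/oauth2/authorize"
TOKEN_URL = "https://api.dropboxapi.com/oauth2/token"


def new_verifier() -> str:
    """Client side: a fresh high-entropy PKCE code_verifier (RFC 7636)."""
    return secrets.token_urlsafe(48)  # 64 URL-safe chars, within 43..128


def pkce_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(verifier)) with '=' padding removed."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def client_start(app_key: str, redirect_uri: str, code_verifier: str, state: str) -> str:
    """Android side: build the authorize URL for the authorization code flow.
    The verifier and state stay on the device until the redirect comes back."""
    params = {
        "client_id": app_key,
        "response_type": "code",          # code flow, not implicit "token"
        "redirect_uri": redirect_uri,
        "state": state,                   # CSRF binding, checked on return
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
        "token_access_type": "offline",   # required to be issued a refresh token
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def client_handle_redirect(redirect_url: str, expected_state: str) -> str:
    """Android side: reject a redirect whose state does not match, then return
    the authorization code to forward to the server with the code_verifier."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale session or forged redirect")
    return qs["code"][0]


def server_token_request(app_key: str, app_secret: str, redirect_uri: str,
                         code: str, code_verifier: str) -> dict:
    """Server side: form body to POST to TOKEN_URL. The secret never leaves
    the server; the verifier proves the code was started by this client."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "code_verifier": code_verifier,
            "client_id": app_key, "client_secret": app_secret}
```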