dropbox/dropbox-sdk-obj-c

How to authorize with long-lived tokens?

yoasha opened this issue · 4 comments

Hi All,

This question comes in the light of the new Dropbox API security announcements. Specifically token access: https://dropbox.tech/developers/migrating-app-permissions-and-access-tokens#updating-access-token-type

My final goal is to keep my app having long-term access using Dropbox SDK, even after long-lived tokens are deprecated.

I am following the "Begin the authorization flow" guide at https://github.com/dropbox/dropbox-sdk-obj-c#begin-the-authorization-flow.

Here is the relevant code:

#import <ObjectiveDropboxOfficial/ObjectiveDropboxOfficial.h>

- (void)myButtonInControllerPressed {

  // Use only one of these two flows at once:

  // Legacy authorization flow that grants a long-lived token.
  [DBClientsManager authorizeFromController:[UIApplication sharedApplication]
                                 controller:[[self class] topMostController]
                                    openURL:^(NSURL *url) {
                                      [[UIApplication sharedApplication] openURL:url];
                                    }];

  // New: OAuth 2 code flow with PKCE that grants a short-lived token with scopes.
  DBScopeRequest *scopeRequest = [[DBScopeRequest alloc] initWithScopeType:DBScopeTypeUser
                                                                    scopes:@[@"account_info.read"]
                                                      includeGrantedScopes:NO];
  [DBClientsManager authorizeFromControllerV2:[UIApplication sharedApplication]
                                   controller:[[self class] topMostController]
                        loadingStatusDelegate:nil
                                      openURL:^(NSURL *url) { [[UIApplication sharedApplication] openURL:url]; }
                                 scopeRequest:scopeRequest];
}

My question:

  • Should the legacy authorization flow (which appears in the code above) keep working even after long-lived tokens are deprecated?
  • Or, should a new SDK method be introduced soon? (Which presumably uses refresh tokens to keep the current behavior)

Should the legacy authorization flow (which appears in the code above) keep working even after long-lived tokens are deprecated?

Yes, the legacy flow should continue working once long-lived access tokens are no longer being returned, but that means that it will only receive short-lived access tokens. When that occurs, users still on the legacy flow will only be able to use the connection for up to four hours before the access token expires and they need to re-connect it.

Or, should a new SDK method be introduced soon? (Which presumably uses refresh tokens to keep the current behavior)

The authorizeFromControllerV2 method is the new method that you should use now. It will automatically take care of short-lived access tokens and refresh tokens for you, including automatically performing the refresh for you so that the app will maintain long-term access (i.e., longer than four hours).

greg, thank you for the quick reply!

I couldn't find any reference specifying that authorizeFromControllerV2 is using refresh tokens. I can see it uses PKCE, but to my understanding PKCE improves security and is not related to OAuth token lifetime. Sorry if I'm missing something here...

So, just to be on the safe side, here is a follow-up question:
If I change my code to use authorizeFromControllerV2 instead of authorizeFromController, then the behavior of my app (specifically, where the user stays signed in with Dropbox all the time) won't change even if short-lived access tokens are returned?
In other words, say I change the code to use authorizeFromControllerV2 and then go to Dropbox App Console and change "Access token expiration" from "No Expiration" to "Short Lived". Will this affect my app which uses Dropbox SDK in the background without user interaction? Will my app stay signed-in with Dropbox constantly just as before?

Yes, authorizeFromControllerV2 will take care of all of this for you. It uses the PKCE flow to request "offline" access in order to get a short-lived access token and refresh token, and then the client will automatically perform the refresh for you as needed, so the user can stay signed in as before, without manual user interaction. (This authorizeFromControllerV2 flow will work even if you change "Access token expiration" from "No Expiration" to "Short Lived" now.)
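The two separate mechanisms greg describes (PKCE securing the code exchange, and "offline" access yielding a refresh token that the client uses silently) are shown below as an added Python illustration of the protocol. It is not part of this thread and not code from the Objective-C SDK. The authorize URL and the code_challenge_method=S256 and token_access_type=offline parameters are Dropbox's real ones; the token endpoint is replaced by the constructed FakeTokenEndpoint class, the app key and redirect URI are placeholders, and RefreshingClient is a hypothetical model of what the SDK client does internally after authorizeFromControllerV2, not its actual implementation.

```python
import base64
import hashlib
import hmac
import secrets
import urllib.parse

# Real Dropbox authorize endpoint; the token endpoint is replaced below by an in-memory fake.
AUTHORIZE_URL = "https://www.dropbox.com/oauth2/authorize"
ACCESS_TOKEN_LIFETIME = 4 * 60 * 60   # Dropbox short-lived access tokens last four hours
REFRESH_MARGIN = 5 * 60               # refresh a little before the real expiry

def challenge_from_verifier(verifier):
    """RFC 7636 S256: unpadded base64url(sha256(code_verifier))."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def make_pkce_pair():
    """Random verifier the app keeps to itself, plus the challenge it sends in the URL."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, challenge_from_verifier(verifier)

def build_authorize_url(app_key, redirect_uri, scopes, challenge):
    """Browser URL the SDK opens; token_access_type=offline is what requests a refresh token."""
    params = {"client_id": app_key, "response_type": "code", "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), "code_challenge": challenge,
              "code_challenge_method": "S256", "token_access_type": "offline"}
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)

class FakeTokenEndpoint:
    """Constructed stand-in for Dropbox's /oauth2/token: checks PKCE, issues 4-hour tokens."""
    def __init__(self):
        self.pending = {}            # auth code -> challenge recorded at /authorize
        self.refresh_tokens = set()

    def issue_code(self, challenge):
        code = secrets.token_hex(8)  # the code that comes back on the redirect URI
        self.pending[code] = challenge
        return code

    def post(self, form):
        grant = form.get("grant_type")
        if grant == "authorization_code":
            expected = self.pending.pop(form.get("code"), None)
            actual = challenge_from_verifier(form.get("code_verifier", ""))
            if expected is None or not hmac.compare_digest(expected, actual):
                return {"error": "invalid_grant"}   # PKCE mismatch or unknown/reused code
            refresh = secrets.token_hex(16)
            self.refresh_tokens.add(refresh)
            return {"access_token": secrets.token_hex(16),
                    "expires_in": ACCESS_TOKEN_LIFETIME, "refresh_token": refresh}
        if grant == "refresh_token" and form.get("refresh_token") in self.refresh_tokens:
            return {"access_token": secrets.token_hex(16), "expires_in": ACCESS_TOKEN_LIFETIME}
        return {"error": "invalid_grant"}

class RefreshingClient:
    """Hypothetical model of the SDK client: exchange the code once, then refresh silently."""
    def __init__(self, app_key, endpoint, clock):
        self.app_key, self.endpoint, self.clock = app_key, endpoint, clock
        self.access_token = self.refresh_token = None
        self.expires_at, self.refresh_count = 0.0, 0

    def finish_authorization(self, code, verifier):
        resp = self.endpoint.post({"grant_type": "authorization_code", "code": code,
                                   "code_verifier": verifier, "client_id": self.app_key})
        if "error" in resp:
            raise PermissionError(resp["error"])
        self.refresh_token = resp["refresh_token"]
        self._store(resp)

    def _store(self, resp):
        self.access_token = resp["access_token"]
        self.expires_at = self.clock() + resp["expires_in"]

    def get_access_token(self):
        """Call before each API request; only a failed refresh sends the user back to the browser."""
        if self.access_token is None:
            raise RuntimeError("not authorized")
        if self.clock() >= self.expires_at - REFRESH_MARGIN:
            resp = self.endpoint.post({"grant_type": "refresh_token", "client_id": self.app_key,
                                       "refresh_token": self.refresh_token})
            if "error" in resp:
                raise PermissionError("refresh failed; user must re-authorize")
            self._store(resp)
            self.refresh_count += 1
        return self.access_token

def demo(hours_elapsed):
    now = [1_700_000_000.0]           # injected clock so the 4-hour expiry can be simulated
    endpoint = FakeTokenEndpoint()
    client = RefreshingClient("APP_KEY_PLACEHOLDER", endpoint, clock=lambda: now[0])
    verifier, challenge = make_pkce_pair()
    url = build_authorize_url("APP_KEY_PLACEHOLDER", "myapp://oauth", ["account_info.read"], challenge)
    code = endpoint.issue_code(challenge)   # user signs in; Dropbox redirects back with this code
    client.finish_authorization(code, verifier)
    first = client.get_access_token()
    now[0] += hours_elapsed * 3600          # app keeps working in the background
    later = client.get_access_token()
    return {"url": url, "first": first, "later": later, "refreshed": client.refresh_count}
```

Running demo(5) shows the point of the thread: after five hours the first access token is dead, but the client obtained a fresh one from the refresh token without any user interaction, while demo(1) needs no refresh at all. The PKCE verifier never leaves the device except in the one code-exchange request, and the fake endpoint rejects a wrong verifier, which is the property PKCE adds; token lifetime is governed entirely by the separate offline grant and the refresh loop in get_access_token.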

Thank you so much for your clarification and kind support. The transition would be much easier than I thought.