
Authentication and Authorization

Kunal Varma edited this page Jun 23, 2022 · 8 revisions

Authentication & Authorization

Here's how the authentication & authorization flow works:

  1. Use the DropboxAuthHelper's getAuthUrl() method to generate a login/authorization URL.

  2. The URL will take the user to an app authorization screen for access approval. Once the user has approved/granted access to your app:

    A. If a redirect_uri was passed as a parameter to the getAuthUrl() method, the user is redirected back to that pre-specified URL (redirect_uri) with the authorization code and a state parameter as query parameters.

    B. If a redirect_uri wasn't provided, the authorization code is presented directly to the user, who copies it into your app.

  3. Obtain the user's access token through the getAccessToken() method by passing the authorization code obtained in the previous step (and the state value, which carries the CSRF token, if a redirect_uri was specified).

Example

File: header.php

<?php
session_start();

require_once 'vendor/autoload.php';

use Kunnu\Dropbox\Dropbox;
use Kunnu\Dropbox\DropboxApp;

//Configure Dropbox Application
$app = new DropboxApp("client_id", "client_secret");

//Configure Dropbox service
$dropbox = new Dropbox($app);

//DropboxAuthHelper
$authHelper = $dropbox->getAuthHelper();

//Callback URL
$callbackUrl = "https://{my-website}/login-callback.php";
?>

File: login.php

<?php
require_once 'header.php';

//Fetch the Authorization/Login URL (this also stores a CSRF token in the session)
$authUrl = $authHelper->getAuthUrl($callbackUrl);

//Escape the URL before placing it in an HTML attribute
echo "<a href='" . htmlspecialchars($authUrl, ENT_QUOTES, 'UTF-8') . "'>Log in with Dropbox</a>";
?>

The DropboxAuthHelper makes use of PHP sessions to store a CSRF token. When the user is redirected back, the token is validated against the state parameter returned as a query parameter on the Callback URL, so the login and the callback must share the same session. Before calling the getAuthUrl() method, make sure a session has been started (session_start(), as in header.php above).

Let's fetch the AccessToken using the code and state obtained along with the callback URL as query parameters.

File: login-callback.php

<?php
require_once 'header.php';

if (isset($_GET['code']) && isset($_GET['state'])) {
    //Bad practice! No input sanitization!
    $code = $_GET['code'];
    $state = $_GET['state'];

    //Fetch the AccessToken (the helper validates $state against the CSRF token in the session)
    $accessToken = $authHelper->getAccessToken($code, $state, $callbackUrl);

    echo $accessToken->getToken();
}
?>
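The callback above accepts whatever arrives in the query string and prints the token. Below is a hardened version of login-callback.php, added here as an example (it is not code from the SDK or from this wiki): it handles the standard OAuth 2.0 error redirect (error=access_denied and similar), rejects partial callbacks, catches the exception the helper throws when the state does not match the CSRF token stored in the session, and keeps the token in the session instead of echoing it. It assumes header.php from this page; the exception class Kunnu\Dropbox\Exceptions\DropboxClientException is taken from the SDK's namespace layout.

```php
<?php
// Added example, not the SDK's or the wiki's own code: a hardened login-callback.php.
// Assumes header.php from this page ($authHelper, $callbackUrl, session already started).
use Kunnu\Dropbox\Exceptions\DropboxClientException;

require_once 'header.php';

// 1. On denial or a malformed request the provider redirects with ?error=...
//    (standard OAuth 2.0 error response) instead of ?code=...&state=...
if (isset($_GET['error'])) {
    http_response_code(400);
    // Escape before reflecting anything the provider sent back to the browser.
    exit('Authorization failed: ' . htmlspecialchars((string) $_GET['error'], ENT_QUOTES, 'UTF-8'));
}

// 2. Both parameters are required; a partial callback is a broken client or a probe.
$code  = isset($_GET['code'])  ? (string) $_GET['code']  : '';
$state = isset($_GET['state']) ? (string) $_GET['state'] : '';
if ($code === '' || $state === '') {
    http_response_code(400);
    exit('Missing code or state');
}

try {
    // The helper compares the CSRF token carried in $state with the one it stored
    // in the session when getAuthUrl() was called, then exchanges the code.
    $accessToken = $authHelper->getAccessToken($code, $state, $callbackUrl);
} catch (DropboxClientException $e) {
    // A mismatched or missing state is a login-CSRF attempt or a stale session.
    // Log the detail server-side; do not reflect the exception message to the user.
    error_log('Dropbox OAuth callback rejected: ' . $e->getMessage());
    http_response_code(403);
    exit('Authorization could not be verified; please start the login again.');
}

// 3. The token is a credential: never echo it. Rotate the session id so a session
//    fixed before authentication does not become an authenticated one.
session_regenerate_id(true);
$_SESSION['dropbox_access_token'] = $accessToken->getToken();

header('Location: /'); // continue into the application
exit;
```

The 403 branch is deliberately generic: the difference between "CSRF token mismatch" and "no token in session" is useful in the server log but tells an attacker which of the two checks they tripped.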

If a redirect_uri wasn't provided when calling getAuthUrl() (Authentication Flow step 2B), there is no state parameter to validate, so only the code is passed:

<?php
require_once 'header.php';

$code = 'code-presented-directly-to-the-user';

//Fetch the AccessToken
$accessToken = $authHelper->getAccessToken($code);

echo $accessToken->getToken();
?>

To revoke an access token, simply call the revokeAccessToken() method.

Note: The access token must already be set before calling the revokeAccessToken method.

$authHelper->revokeAccessToken();

Short-lived Access Token and Refresh Token

Since September 30th, 2021, Dropbox no longer issues long-lived access tokens. Long-lived access tokens created before this date still work. Dropbox now issues short-lived access tokens, which can be renewed using 'refresh tokens'.

Thanks to this PR, the SDK now supports short-lived access token and refresh token flow.

To use 'refresh tokens' in your app, set token_access_type to offline when generating an authentication URL:

// Callback URL
$callbackUrl = "https://{my-website}/login-callback.php";

// Additional user provided parameters to pass in the request
$params = [];

// Url State - Additional User provided state data
$urlState = null;

// Token Access Type
$tokenAccessType = "offline";

// Fetch the Authorization/Login URL
$authUrl = $authHelper->getAuthUrl($callbackUrl, $params, $urlState, $tokenAccessType);

If the current AccessToken expires, we can get a new AccessToken (a refreshed access token) by passing the existing AccessToken model, which carries the refresh token, to the code below:

$accessToken = $authHelper->getRefreshedAccessToken($accessToken);
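The two fragments above show the offline authorization URL and the refresh call in isolation. The following added example (not code from the SDK or this wiki) ties them together for an application that has to survive token expiry between requests: the stored AccessToken model is used for an API call, and if Dropbox rejects it as expired the token is refreshed once, persisted, and the call retried. Assumptions, beyond header.php from this page: the login callback stored the AccessToken model returned by getAccessToken() in $_SESSION['dropbox_token']; the user authorized with token_access_type=offline so that model carries a refresh token; and an expired token surfaces as a DropboxClientException whose message contains Dropbox's expired_access_token error summary.

```php
<?php
// Added example, not the SDK's own code: use a stored short-lived token and refresh it
// when Dropbox reports it has expired. Assumes header.php from this page ($dropbox,
// $authHelper, $callbackUrl) and that the callback saved the AccessToken model in
// $_SESSION['dropbox_token'] (an assumption for this example).
use Kunnu\Dropbox\Exceptions\DropboxClientException;

require_once 'header.php';

// Login URL that asks for a refresh token: token_access_type=offline.
// Parameters are positional as on this page: redirect URI, extra params, URL state, token access type.
function dropboxOfflineLoginUrl($authHelper, $callbackUrl)
{
    return $authHelper->getAuthUrl($callbackUrl, [], null, 'offline');
}

// Runs $call against the API with the stored token. If Dropbox rejects the token as
// expired, refreshes it once, persists the new token and retries. Anything else is rethrown.
function withFreshToken($dropbox, $authHelper, callable $call)
{
    $token = $_SESSION['dropbox_token'];
    $dropbox->setAccessToken($token->getToken());

    try {
        return $call($dropbox);
    } catch (DropboxClientException $e) {
        // Dropbox answers an expired short-lived token with HTTP 401 and an
        // error_summary beginning "expired_access_token"; this assumes the SDK
        // places that response body in the exception message.
        if (strpos($e->getMessage(), 'expired_access_token') === false) {
            throw $e; // revoked app, bad path, network failure: do not retry blindly
        }
    }

    // Exactly one refresh and one retry; a second failure is a real error.
    $fresh = $authHelper->getRefreshedAccessToken($token);
    $_SESSION['dropbox_token'] = $fresh;
    $dropbox->setAccessToken($fresh->getToken());

    return $call($dropbox);
}

// Usage: a call that fails with expired_access_token is transparently retried.
$account = withFreshToken($dropbox, $authHelper, function ($dropbox) {
    return $dropbox->getCurrentAccount();
});
```

Dropbox does not rotate refresh tokens: the refresh response carries a new access token but no new refresh_token, so before relying on repeated refreshes confirm that the model returned by getRefreshedAccessToken() still carries the original refresh token, otherwise the next refresh will fail and the user has to authorize again. The refresh token is a long-lived credential and belongs in the same protected storage as a password, not in a cookie or a log line.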
