Using the official Dropbox PHP SDK, I'm starting the oauth process from a local site where the redirect URI is simple HTTP
Invalid redirect_uri: "http://mylocalsite.local/finish": When response_type=code, only localhost URIs can start with "http://"; all others must start with "https://".
Does that mean that I can't use Dropbox with an HTTP site or is there a different configuration I can use?
The response_type is hardcoded to code in the SDK
As a matter of security, Dropbox API OAuth 2 redirect URIs can only use http:// on localhost. (Otherwise, sensitive information would be sent in the clear.)
So, you'll need to use https:// on any non-localhost redirect URI. For working locally, you can use http://, but the address will need to be localhost.