Anyone know why, all of a sudden, a Dropbox registered app that's been working fine for years would suddenly show:
{"error": "invalid_scope", "error_description": "Non-scoped apps cannot specify token scopes"}
When attempting to use an OAuth refresh token like so:
POST https://api.dropbox.com/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: api.dropbox.com
Content-Length: 363
Expect: 100-continue

refresh_token=<VALIDTOKEN>&grant_type=refresh_token&client_id=<VALIDCLIENTID>&client_secret=<VALIDSECRET>&scope=account_info.write+account_info.read+files.metadata.write+files.metadata.read+files.content.write+files.content.read+sharing.write+sharing.read+file_requests.write+file_requests.read+contacts.write
I'm guessing I need to do something to the registration of the app. That some new requirement is needed, but I'm not sure what.
Received a reply from the Dropbox forum, as below. Certainly sounds like my issue. Investigating.
From your description, it sounds like you have a legacy non-scoped app from before we switched to registering new apps as scoped apps.
We recently fixed a bug where the API would allow non-scoped apps to specify scopes using the 'scope' parameter when calling /oauth2/token with 'grant_type=refresh_token'. Scopes don't apply to non-scoped apps so this is supposed to be rejected with the error you're seeing.
To correct this, you should either:
a. not provide the 'scope' parameter when calling /oauth2/token for the non-scoped app, or
b. migrate your non-scoped app to use scopes, which you can do using the "Permissions" tab of the app's page on the App Console.
Option b would be preferred. You can find more information on the migration here.
https://dropbox.tech/developers/migrating-app-permissions-and-access-tokens
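
Option a from the reply, as an added example (not code from the original post or from Dropbox): a refresh helper that sends 'scope' only when scopes are given, and retries once without it when the endpoint answers invalid_scope. The `send` hook, `FakeLegacyEndpoint` and the token response are constructed stand-ins so the block runs offline.

```python
import json
from urllib.parse import parse_qs, urlencode

def build_refresh_body(refresh_token, client_id, client_secret, scopes=None):
    """Form body for grant_type=refresh_token; 'scope' is sent only when scopes is non-empty."""
    fields = {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    if scopes:
        fields["scope"] = " ".join(scopes)  # urlencode turns the spaces into '+'
    return urlencode(fields)

def is_invalid_scope(response_text):
    """True if the token endpoint's JSON error is invalid_scope, as in the post."""
    try:
        payload = json.loads(response_text)
    except ValueError:
        return False
    return isinstance(payload, dict) and payload.get("error") == "invalid_scope"

def refresh(send, refresh_token, client_id, client_secret, scopes=None):
    """send(body) -> response text (hypothetical transport hook).
    Retries once without 'scope' when a scoped request gets invalid_scope."""
    text = send(build_refresh_body(refresh_token, client_id, client_secret, scopes))
    if scopes and is_invalid_scope(text):
        text = send(build_refresh_body(refresh_token, client_id, client_secret))
    return json.loads(text)

class FakeLegacyEndpoint:
    """Constructed stand-in for a non-scoped app's token endpoint; no network."""
    def __init__(self):
        self.bodies = []

    def __call__(self, body):
        self.bodies.append(body)
        if "scope" in parse_qs(body):
            return json.dumps({"error": "invalid_scope",
                               "error_description": "Non-scoped apps cannot specify token scopes"})
        # Constructed success payload, not a captured Dropbox response.
        return json.dumps({"access_token": "constructed-token", "token_type": "bearer"})

if __name__ == "__main__":
    endpoint = FakeLegacyEndpoint()
    print(refresh(endpoint, "<REFRESH>", "<ID>", "<SECRET>", ["files.content.read"]))
    print(len(endpoint.bodies), "requests sent")
```

The retry keeps a legacy client working; once the app is migrated per option b, the first request succeeds and the fallback never fires.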