oauth-2.0oauthdropboxdropbox-api

Non-scoped apps cannot specify token scopes when using dropbox api/oauth


Anyone know why all of a sudden a dropbox registered app that's been working fine for years would suddenly show

{"error": "invalid_scope", "error_description": "Non-scoped apps cannot specify token scopes"}

When attempting to use an oauth refresh token like so.

POST https://api.dropbox.com/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: api.dropbox.com
Content-Length: 363
Expect: 100-continue

refresh_token=<VALIDTOKEN>&grant_type=refresh_token&client_id=<VALIDCLIENTID>&client_secret=<VALIDSECRET>&scope=account_info.write+account_info.read+files.metadata.write+files.metadata.read+files.content.write+files.content.read+sharing.write+sharing.read+file_requests.write+file_requests.read+contacts.write

I'm guessing I need to do something to the registration of the app. That some new requirement is needed, but I'm not sure what.


Solution

  • Received reply from Dropbox forum as below. Certainly sounds like my issue. Investigating


    From your description, it sounds like you have a legacy non-scoped app from before we switched to registering new apps as scoped apps.

    We recently fixed a bug where the API would allow non-scoped apps to specify scopes using the 'scope' parameter when calling /oauth2/token with 'grant_type=refresh_token'. Scopes don't apply to non-scoped apps so this is supposed to be rejected with the error you're seeing.

     

    To correct this, you should either:

    not provide the 'scope' parameter when calling /oauth2/token for the non-scoped app, or

    migrate your non-scoped app to use scopes, which you can do using the "Permissions" tab of the app's page on the App Console.

    Option b would be preferred. You can find more information on the migration here.

    https://dropbox.tech/developers/migrating-app-permissions-and-access-tokens