rdrop2 icon indicating copy to clipboard operation
rdrop2 copied to clipboard

Published 20 hours ago verified publisher icon karthik

drop_auth() generating short lived tokens

Open BrookeGibbons opened this issue 3 years ago • 13 comments

I was using rdrop2 in a shiny app, and had the shiny app creating multiple .csv files in my dropbox account for a couple of months. Last week I accidentally pushed my dropbox token to github, so I deleted the rdrop2 app from my dropbox account and created a new token through R and rdrop2.

Now, whenever I generate a new token I get a short-lived token (prefix sl.) They expire in 4 hours.

I need the token to be long lived (not expire).

This article says long lived tokens were retired in Sep 2021 - but I created mine in October.

Is there still a way to create long lived tokens?

BrookeGibbons avatar Feb 07 '22 07:02 BrookeGibbons

I just got back from Dropbox. Here is the reply:

"Dropbox is in the process of switching to only issuing short-lived access tokens (and optional refresh tokens) instead of long-lived access tokens. You can find more information on this migration here.

Apps can still get long-term access by requesting "offline" access though, in which case the app receives a "refresh token" that can be used to retrieve new short-lived access tokens as needed, without further manual user intervention. You can find more information in the OAuth Guide and authorization documentation.

For reference, while the creation of new long-lived access tokens is now deprecated, we don't currently have a plan to disable existing long-lived access tokens. (If that changes, we will of course announce that ahead of time.) That being the case, you can continue using existing long-lived access token(s) without interruption, if you have any. Also, note though that after the change you won't be able to create new long-lived access tokens.

While the change began on September 30th, we're releasing it gradually, so you may not have seen your app(s) affected yet/until now. Once it applies to your app, it would apply regardless of the "Access token expiration" setting for your app, and that setting may no longer be available for your app."

I mark the answers to your questions in bold.

Emily-Chai avatar Feb 07 '22 18:02 Emily-Chai

I need the token to be long lived (not expire).

Did you try "implement refresh tokens" mentioned here? What I did so far is after calling drop_auth() in R, in the pop-up webpage, I added "&token_access_type=offline" to the end of the URL to generate "a long-lived refresh_token that can be used to request a new, short-lived access token." It seems working after 4 hours.

Emily-Chai avatar Feb 07 '22 19:02 Emily-Chai

@Emily-Chai I'm having the same problem here. I tried adding the "&token_access_type=offline" to the URL, but it didn't work. Did you manage to solve the problem @BrookeGibbons ?

AfonsoCampos avatar Feb 24 '22 12:02 AfonsoCampos

After calling drop_auth() in R, in the pop-up webpage, I added "&token_access_type=offline" to the end of the URL, then hit enter to refresh the page, then authorize as usual. In this way, there should be "a long-lived refresh_token that can be used to request a new, short-lived access token" generated to your app folder. Then I published the app as usual, my authorization problem was solved.

Emily-Chai avatar Feb 24 '22 14:02 Emily-Chai

I had the same problem, and the solution is to change one line in the rdrop2::drop_auth function: dropbox_token <- httr::oauth2.0_token(dropbox, dropbox_app, cache = cache, query_authorize_extra = list(token_access_type = "offline")). With this, the token includes both a short lived token and a refresh token. Then, this token can be refreshed with dropbox_token$refresh(), which returns a new short lived token. It would be nice to add this as an empty list parameter to drop_auth, as it's supposed to be by default in httr::oauth2.0_token. See this for the introduction of this argument in httr 1.4.0.

jcarbaut avatar Feb 24 '22 22:02 jcarbaut

@Emily-Chai's fix also worked for me too.

BrookeGibbons avatar Feb 25 '22 00:02 BrookeGibbons

@Emily-Chai @BrookeGibbons So, if I do token <- drop_auth() and then add "&token_access_type=offline" to the URL, I get "a long-lived refresh_token that can be used to request a new, short-lived access token". I can save that with saveRDS(token, TOKEN_PATH). However, I am unsure how I need to use it further. How do I request a new short-lived token? (do I do token <- readRDS(TOKEN_PATH) and then token$refresh(), or how does that work?) When does this need to happen? (at each application start?)

Intangibil avatar Mar 17 '22 14:03 Intangibil

@karthik any updates on this? In particular in relation to @jcarbaut 's fix? I am currently having the same issue with short lived tokens.

bsh2 avatar Mar 21 '22 21:03 bsh2

@karthik any updates on this? In particular in relation to @jcarbaut 's fix? I am currently having the same issue with short lived tokens.

In the meantime, you can use the fix on a copy of the drop_auth function (the code is straightforward), or alternately Emily-Chain's trick above (I have not tested this, but it should work too). Once you have a refresh token, you can store it and use it in your app to get a short-lived token with token$refresh(). It will work for 4 hours: you may create this token at the beginning of a shiny app session, for instance.

If you need longer runs, it will be more difficult: if I understand correctly, the httr package does not do it automatically (it's one of the purposes of httr2, which rdrop2 does not currently use), so you'll have to do it "by hand" in your app: basically, each time you use a token, check its validity. This could be done by wrapping each reference to the token with a function that checks this.

jcarbaut avatar Mar 22 '22 00:03 jcarbaut

@jcarbaut Thank you, very helpful. Have made the changes in my copy of the drop_auth function based on your PR. 4 hours should work for me, a user is on average only going to use each session for 30 minutes maximum. Hopefully in the future rdrop2 will move to httr2. Thanks again, Ben

bsh2 avatar Mar 22 '22 09:03 bsh2

I'm trying to make my Shiny app work in combination with dropbox, however I still didn't manage. It would really be helpfull for non-developers if the package was updated with this functionality. Alternatively, it would help if anyone could provide the complete example code for a working shiny app including the fix. Thank you so much, if anyone can do that!

TessaEPronk avatar Apr 16 '22 10:04 TessaEPronk

After one morning of fiddling I managed, here's for the not-so apt like me: 1. make sure you are in the folder of your shiny-app. 2. In the console, load the library rdrop2. 3. In the console type drop_auth() 4. in the website that opens, do what Emily-Chai suggested: After calling drop_auth() in R, in the pop-up webpage, I added "&token_access_type=offline" to the end of the URL, then hit enter to refresh the page. 5. In your console, save the token saveRDS(token, "droptoken.rds") 6. Then go to the code in your shiny-app and below the calling of the other libraries put: outputDir <- "put here yours"; token<-readRDS("droptoken.rds"); token$refresh() 7. run your shiny app. I put this in both my ui and server scripts, don't know if that is neccesary. Now after one day, it still works, thanks everyone above again for the ingredients!

TessaEPronk avatar Apr 17 '22 07:04 TessaEPronk

  1. In your console, save the token saveRDS(token, "droptoken.rds")

@TessaEPronk @Emily-Chai Can you clarify? At what step in 1-5 is a token variable created in the workspace?

adamcohen3 avatar Dec 09 '22 00:12 adamcohen3