Skip to content

Authentication and Authorization

Kunal Varma edited this page Mar 9, 2017 · 7 revisions

Authentication & Authorization

Here's how the authentication & authorization flow works:

  1. Using the DropboxAuthHelper to generate a login/authorization URL with the getAuthUrl() method.

  2. The URL with take the user to an app authorization screen for access approval. Once the user has approved/granted access to your app:

    A. If a redirect_uri was passed as a parameter to the getAuthUrl() method, you will be redirect back to the pre-specified URL (redirect_uri) with the authorization code.

    B. If a redirect_uri wasn't provided, the authorization code will be presented directly to the user.

  3. We can obtain the user access token through the getAccessToken() method, by passing the authorization code obtained in the previous step (and a CSRF state token, if a redirect_uri was specified).


File: header.php


require_once 'vendor/autoload.php';

use Kunnu\Dropbox\Dropbox;
use Kunnu\Dropbox\DropboxApp;

//Configure Dropbox Application
$app = new DropboxApp("client_id", "client_secret");

//Configure Dropbox service
$dropbox = new Dropbox($app);

$authHelper = $dropbox->getAuthHelper();

//Callback URL
$callbackUrl = "https://{my-website}/login-callback.php";

File: login.php

require_once 'header.php';

//Fetch the Authorization/Login URL
$authUrl = $authHelper->getAuthUrl($callbackUrl);

echo "<a href='" . $authUrl . "'>Log in with Dropbox</a>";

The DropboxAuthHelper makes use PHP sessions to store a CSRF token, which will be validated using the state parameter returned as a query parameter with the Callback URL. Before calling the getAuthUrl() method, make sure sessions are enabled.

Let's fetch the AccessToken using the code and state obtained along with the callback URL as query parameters.

File: login-callback.php

require_once 'header.php'

if (isset($_GET['code']) && isset($_GET['state'])) {    
    //Bad practice! No input sanitization!
    $code = $_GET['code'];
    $state = $_GET['state'];

    //Fetch the AccessToken
    $accessToken = $authHelper->getAccessToken($code, $state, $callbackUrl);

    echo $accessToken->getToken();

If a redirect_uri wasn't provdided when calling getAuthUrl() (Authentication Flow step 2B ):

require_once 'header.php'

$code = 'code-presented-directly-to-the-user';

//Fetch the AccessToken
$accessToken = $authHelper->getAccessToken($code);

echo $accessToken->getToken();

To revoke an access token, simply call the revokeAccessToken() method.

Note: The access token must already be set before calling the revokeAccessToken method.


<< Detailed Usage Guide

You can’t perform that action at this time.