
Refresh token is not returned from Dropbox API when using grant_type=refresh_token


I've integrated a number of cloud storage providers into my application using OAuth 2.0 (Google Drive, Box, Dropbox, etc.). I'm authorizing with token_access_type=offline and storing the refresh token in my database so that I can obtain new access tokens as necessary.

When I'm using the Dropbox v2 API, a call to the /token endpoint with grant_type=refresh_token does not return both an access_token and a refresh_token in the response. I only get an access_token for some reason.

I've verified that I am passing the refresh token that was returned to me when I initially called /token with grant_type=authorization_code. My request looks like this:

curl https://api.dropbox.com/oauth2/token \
    -d grant_type=refresh_token \
    -d refresh_token=<RefreshTokenReturnedFromAuthorizationCodeExchange> \
    -u <MyAppKey>:<MyAppSecret>

Issuing this request multiple times (with the same refresh token) generates a new access token every time but no refresh token. The access tokens that are returned appear to work as expected. This is different from other service providers and also seems to contradict the Dropbox API docs which state that a refresh_token will be returned as long as I authorized with token_access_type=offline.

Does Dropbox issue refresh tokens that are designed to be reused like this? Will a Dropbox refresh token ever expire?


Solution

  • This is the expected behavior. When using grant_type=refresh_token, the Dropbox API /oauth2/token endpoint will not also return a new refresh token. Issuing a new refresh token is optional in the OAuth 2 spec:

    The authorization server MAY issue a new refresh token

    So, while the Dropbox API docs do say:

    If the token_access_type was set to offline when calling /oauth2/authorize, then response will include a refresh token (refresh_token).

    That is only actually referring to the initial grant_type=authorization_code request, and not subsequent grant_type=refresh_token requests. I'll ask the team to update the docs to clarify that.

    Dropbox API refresh tokens don't themselves expire so you can re-use them (though they can be revoked by the user or app at any time).
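A client-side way to handle the behavior described in the answer, as an added example that is not from the question, the answer, or Dropbox: the refresh request is built with the standard library (no Dropbox SDK), and the stored credentials are merged with the response so the original refresh token is kept when the response omits one. The `Credentials` shape and the `invalid_grant` handling (the RFC 6749 error code, assumed here to be what a revoked token produces) are assumptions, not Dropbox documentation.

```python
import base64
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Optional

TOKEN_URL = "https://api.dropbox.com/oauth2/token"


@dataclass
class Credentials:
    access_token: str
    refresh_token: str   # long-lived; a refresh_token grant does not re-issue it
    expires_at: float    # unix time after which access_token must be refreshed


class TokenRevoked(Exception):
    """Server rejected the refresh token (RFC 6749 'invalid_grant'): re-authorize."""


def build_refresh_request(app_key: str, app_secret: str, refresh_token: str) -> urllib.request.Request:
    """Same request as the curl in the question: Basic app credentials + form body."""
    body = urllib.parse.urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token}).encode()
    basic = base64.b64encode(f"{app_key}:{app_secret}".encode()).decode()
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Authorization": f"Basic {basic}", "Content-Type": "application/x-www-form-urlencoded"},
    )


def apply_token_response(creds: Credentials, response: dict, now: Optional[float] = None) -> Credentials:
    """Merge a /oauth2/token JSON body into stored credentials.

    A grant_type=refresh_token response carries access_token/expires_in only,
    so the stored refresh_token is kept unless the server explicitly sends a new one."""
    if "error" in response:
        if response["error"] == "invalid_grant":
            raise TokenRevoked(response.get("error_description", "refresh token rejected"))
        raise RuntimeError(f"token endpoint error: {response}")
    now = time.time() if now is None else now
    return Credentials(
        access_token=response["access_token"],
        refresh_token=response.get("refresh_token", creds.refresh_token),
        expires_at=now + float(response["expires_in"]) - 60,  # 60 s safety margin
    )


def needs_refresh(creds: Credentials, now: Optional[float] = None) -> bool:
    return (time.time() if now is None else now) >= creds.expires_at


def refresh(creds: Credentials, app_key: str, app_secret: str) -> Credentials:
    """Network call; persist the returned Credentials (refresh_token unchanged)."""
    req = build_refresh_request(app_key, app_secret, creds.refresh_token)
    with urllib.request.urlopen(req) as resp:
        return apply_token_response(creds, json.load(resp))
```

Call `refresh()` only when `needs_refresh()` is true, and on `TokenRevoked` send the user back through the authorization_code flow, since no refresh request can recover a revoked token.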