
I’m trying to get the Dropbox token from the callback parameters, but the parameters are always empty.

Here is my code:

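```delphi
// Build the Dropbox authorization URL (token flow) and open it in the default browser
sURL :=
  'https://www.dropbox.com/oauth2/authorize' +
  '?response_type=token' +
  '&client_id=' + MyAppID +
  '&redirect_uri=http://127.0.0.1:8888/';

ShellExecute(0, 'OPEN', PChar(sURL), '', '', SW_SHOWNORMAL);
```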

Next, I have IdHTTPServer set to listen on the http://127.0.0.1:8888/ address.

On executing, the browser opens with the Dropbox log-in popup. When I log in, the redirection is made and the “IdHTTPServerCommandGet” event is called. So far so good.

In the browser I can see the next URL: http://127.0.0.1:8888/#access_token=123&token_type=bearer&uid=1234&account_id=dbid%1234

But in the “IdHTTPServerCommandGet” event the parameters are always empty:

```delphi
ARequestInfo.UnparsedParams; // Empty

ARequestInfo.QueryParams; // Empty

if ARequestInfo.Params.Count > 0 then // Empty
  sToken := ARequestInfo.Params[0];
```

And here is my question. How can I get the whole URL with parameters from IdHTTPServer?

Remy Lebeau
Parodius

1 Answer


Look very closely at the redirect url you are seeing in your browser. All of the parameters you want to access are after a # character, not a ? character. That puts them in the "fragment" portion of the url rather than the "query" portion. A web browser does not include a url's "fragment" in an HTTP request to a web server. That is why the TIdHTTPRequestInfo properties are empty - the parameters are literally not being sent to your TIdHTTPServer. The redirected url needs to put the parameters in the url's "query" instead. That is Dropbox's responsibility to handle correctly on its end.

That being said, you don't actually need the TIdHTTPServer at all, if you use an embedded web browser directly in your app, such as Delphi's TWebBrowser. You can hook into the embedded browser to catch the redirect directly, and all of the data that is in the redirected url. This also allows you to use a custom url scheme for the redirect url, you don't have to use "http(s):" (see Redirect URLs for Native Apps).

Remy Lebeau
  • To handle the redirect via a server, one should use the "code" flow, instead of the "token" flow. When using the code flow, the result parameters are sent as query parameters, not in the fragment. More information can be found here: https://www.dropbox.com/developers/documentation/http/documentation#oauth2-authorize – Greg Aug 05 '19 at 17:19
  • @Greg Thanks. I knew the OAuth spec handled apps and browsers differently, I just couldn't remember what it was exactly. – Remy Lebeau Aug 06 '19 at 18:28
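
The code flow suggested in the comment above, as an added example that is not part of the original posts: with `response_type=code` the result arrives in the query string, so `ARequestInfo.Params` is populated in the `OnCommandGet` handler. `TCallback`, the `YOUR_APP_KEY` placeholder, the GUID-based `state` value and the 120-second timeout are assumptions of this example.

```delphi
program DropboxCodeFlow;   // added example, not the asker's code
{$APPTYPE CONSOLE}
uses
  System.SysUtils, System.SyncObjects, Winapi.Windows, Winapi.ShellAPI,
  IdContext, IdCustomHTTPServer, IdHTTPServer;
const
  MyAppID = 'YOUR_APP_KEY';  // placeholder for the app key
type
  TCallback = class          // hypothetical helper holding the callback state
    State, Code: string;
    Done: TEvent;
    procedure CommandGet(AContext: TIdContext;
      ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo);
  end;

procedure TCallback.CommandGet(AContext: TIdContext;
  ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo);
begin
  // Accept only the redirect target carrying the state issued for this login.
  if (ARequestInfo.Document <> '/') or (State = '') or
     (ARequestInfo.Params.Values['state'] <> State) then
  begin
    AResponseInfo.ResponseNo := 400;
    Exit;
  end;
  State := '';                                 // single use
  Code := ARequestInfo.Params.Values['code'];  // query parameter, so it is present
  AResponseInfo.ContentText := 'Done. You can close this tab.';
  Done.SetEvent;
end;

var
  CB: TCallback; Srv: TIdHTTPServer; G: TGUID;
begin
  CB := TCallback.Create;
  CB.Done := TEvent.Create;
  Srv := TIdHTTPServer.Create(nil);
  try
    CreateGUID(G);  // assumption: GUID as state for brevity; use a CSPRNG value in production
    CB.State := GUIDToString(G).Trim(['{', '}']);
    Srv.DefaultPort := 8888;
    Srv.Bindings.Add.IP := '127.0.0.1';        // listen on loopback only
    Srv.OnCommandGet := CB.CommandGet;
    Srv.Active := True;
    ShellExecute(0, 'open', PChar('https://www.dropbox.com/oauth2/authorize' +
      '?response_type=code&client_id=' + MyAppID + '&state=' + CB.State +
      '&redirect_uri=http://127.0.0.1:8888/'), nil, nil, SW_SHOWNORMAL);
    if (CB.Done.WaitFor(120000) = wrSignaled) and (CB.Code <> '') then
      Writeln('Authorization code received; exchange it for a token next.');
  finally
    Srv.Free; CB.Done.Free; CB.Free;
  end;
end.
```

The value received here is an authorization code, not an access token; it still has to be exchanged for a token as described in the Dropbox documentation linked in the comment above.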