Support Scope in OAuth flow and authentication substate.

Author: jiuyangzhao

examples/authorize-beta/src/main/java/com/dropbox/core/examples/authorize_beta/Main.java

@@ -104,6 +104,7 @@ public static void main(String[] args) throws IOException {
         System.out.println("- Access Token: " + authFinish.getAccessToken());
         System.out.println("- Expires At: " + authFinish.getExpiresAt());
         System.out.println("- Refresh Token: " + authFinish.getRefreshToken());
+        System.out.println("- Scope: " + authFinish.getScope());
 
         // Save auth information the new DbxCredential instance. It also contains app_key and
         // app_secret which is required to do refresh call.

src/main/java/com/dropbox/core/DbxAuthFinish.java

@@ -26,6 +26,7 @@ public final class DbxAuthFinish {
     private final String teamId;
     private final /*@Nullable*/String urlState;
     private long issueTime;
+    private final String scope;
 
     /**
      * @param accessToken OAuth access token
@@ -55,6 +56,30 @@ public DbxAuthFinish(String accessToken, String userId, String accountId, String
      */
     public DbxAuthFinish(String accessToken, Long expiresIn, String refreshToken, String userId,
                          String teamId, String accountId, /*@Nullable*/String urlState) {
+        this(accessToken, expiresIn, refreshToken, userId, teamId, accountId, urlState, null);
+    }
+
+    /**
+     *
+     * <b>Beta</b>: This feature is not available to all developers. Please do NOT use it unless you are
+     * early access partner of this feature. The function signature is subjected to change
+     * in next minor version release.
+     *
+     * @param accessToken OAuth access token.
+     * @param expiresIn Duration time of accessToken in second.
+     * @param refreshToken A token used to obtain new accessToken.
+     * @param userId Dropbox user ID of user that authorized this app.
+     * @param teamId Dropbox team ID of team that authorized this app.
+     * @param accountId Obfusticated user or team id. Keep it safe.
+     * @param urlState State data passed in to {@link DbxWebAuth#start} or {@code null} if no state
+     * was passed
+     * @param scope A list of scope returned by Dropbox server. Each scope correspond to a group of
+     * API endpoints. To call one API endpoint you have to obtains the scope first otherwise you
+     * will get HTTP 401.
+     */
+    public DbxAuthFinish(String accessToken, Long expiresIn, String refreshToken, String userId,
+                         String teamId, String accountId, /*@Nullable*/String urlState, String
+                             scope) {
         this.accessToken = accessToken;
         this.expiresIn = expiresIn;
         this.refreshToken = refreshToken;
@@ -63,6 +88,7 @@ public DbxAuthFinish(String accessToken, Long expiresIn, String refreshToken, St
         this.teamId = teamId;
         this.urlState = urlState;
         this.issueTime = System.currentTimeMillis();
+        this.scope = scope;
     }
 
     /**
@@ -138,6 +164,20 @@ public String getTeamId() {
         return teamId;
     }
 
+    /**
+     *
+     * <b>Beta</b>: This feature is not available to all developers. Please do NOT use it unless you are
+     * early access partner of this feature. The function signature is subjected to change
+     * in next minor version release.
+     *
+     * Return the <em>scopes</em> of current OAuth flow. Each scope correspond to a group of
+     * API endpoints. To call one API endpoint you have to obtains the scope first otherwise you
+     * will get HTTP 401.
+     */
+    public String getScope() {
+        return scope;
+    }
+
     /**
      * Returns the state data you passed in to {@link DbxWebAuth#start}.  If you didn't pass
      * anything in, or you used {@link DbxWebAuthNoRedirect}, this will be {@code null}.
@@ -168,7 +208,7 @@ DbxAuthFinish withUrlState(/*@Nullable*/ String urlState) {
         }
 
         DbxAuthFinish result =  new DbxAuthFinish(accessToken, expiresIn, refreshToken, userId,
-                teamId, accountId, urlState);
+                teamId, accountId, urlState, scope);
         result.setIssueTime(issueTime);
 
         return result;
@@ -189,6 +229,7 @@ public DbxAuthFinish read(JsonParser parser) throws IOException, JsonReadExcepti
             String accountId = null;
             String teamId = null;
             String state = null;
+            String scope = null;
 
             while (parser.getCurrentToken() == JsonToken.FIELD_NAME) {
                 String fieldName = parser.getCurrentName();
@@ -219,6 +260,9 @@ else if (fieldName.equals("team_id")) {
                     else if (fieldName.equals("state")) {
                         state = JsonReader.StringReader.readField(parser, fieldName, state);
                     }
+                    else if (fieldName.equals("scope")) {
+                        scope = JsonReader.StringReader.readField(parser, fieldName, scope);
+                    }
                     else {
                         // Unknown field.  Skip over it.
                         JsonReader.skipValue(parser);
@@ -243,7 +287,7 @@ else if (fieldName.equals("state")) {
             }
 
             return new DbxAuthFinish(accessToken, expiresIn, refreshToken, userId, teamId,
-                    accountId, state);
+                    accountId, state, scope);
         }
     };
 

src/main/java/com/dropbox/core/DbxRequestUtil.java

@@ -13,6 +13,7 @@
 import java.util.Random;
 
 import com.dropbox.core.stone.StoneSerializer;
+import com.dropbox.core.v2.auth.AuthError;
 import com.fasterxml.jackson.core.JsonParseException;
 import com.fasterxml.jackson.core.JsonProcessingException;
 
@@ -337,7 +338,14 @@ public static DbxException unexpectedStatus(HttpRequestor.Response response, Str
                 break;
             case 401:
                 message = DbxRequestUtil.messageFromResponse(response, requestId);
-                networkError = new InvalidAccessTokenException(requestId, message);
+                try {
+                    ApiErrorResponse<AuthError> authErrorReponse = new ApiErrorResponse
+                        .Serializer<AuthError>(AuthError.Serializer.INSTANCE).deserialize(message);
+                    AuthError authError = authErrorReponse.getError();
+                    networkError = new InvalidAccessTokenException(requestId, message, authError);
+                } catch (JsonParseException ex) {
+                    throw new BadResponseException(requestId, "Bad JSON: " + ex.getMessage(), ex);
+                }
                 break;
             case 403:
                 try {

src/main/java/com/dropbox/core/DbxWebAuth.java

@@ -287,6 +287,10 @@ String authorizeImpl(Request request, Map<String, String> pkceParams) {
             params.put("token_access_type", request.tokenAccessType.toString());
         }
 
+        if (request.scope != null) {
+            params.put("scope", request.scope);
+        }
+
         if (pkceParams != null) {
             for (String key: pkceParams.keySet()) {
                 params.put(key, pkceParams.get(key));
@@ -659,6 +663,7 @@ public static final class Request {
         private final Boolean disableSignup;
         private final DbxSessionStore sessionStore;
         private final TokenAccessType tokenAccessType;
+        private final String scope;
 
 
         private Request(String redirectUri,
@@ -667,14 +672,16 @@ private Request(String redirectUri,
                         Boolean forceReapprove,
                         Boolean disableSignup,
                         DbxSessionStore sessionStore,
-                        TokenAccessType tokenAccessType) {
+                        TokenAccessType tokenAccessType,
+                        String scope) {
             this.redirectUri = redirectUri;
             this.state = state;
             this.requireRole = requireRole;
             this.forceReapprove = forceReapprove;
             this.disableSignup = disableSignup;
             this.sessionStore = sessionStore;
             this.tokenAccessType = tokenAccessType;
+            this.scope = scope;
         }
 
         /**
@@ -690,7 +697,9 @@ public Builder copy() {
                     forceReapprove,
                     disableSignup,
                     sessionStore,
-                    tokenAccessType);
+                    tokenAccessType,
+                    scope
+                );
         }
 
         /**
@@ -713,9 +722,10 @@ public static final class Builder {
             private Boolean disableSignup;
             private DbxSessionStore sessionStore;
             private TokenAccessType tokenAccessType;
+            private String scope;
 
             private Builder() {
-                this(null, null, null, null, null, null, null);
+                this(null, null, null, null, null, null, null, null);
             }
 
             private Builder(String redirectUri,
@@ -724,14 +734,16 @@ private Builder(String redirectUri,
                             Boolean forceReapprove,
                             Boolean disableSignup,
                             DbxSessionStore sessionStore,
-                            TokenAccessType tokenAccessType) {
+                            TokenAccessType tokenAccessType,
+                            String scope) {
                 this.redirectUri = redirectUri;
                 this.state = state;
                 this.requireRole = requireRole;
                 this.forceReapprove = forceReapprove;
                 this.disableSignup = disableSignup;
                 this.sessionStore = sessionStore;
                 this.tokenAccessType = tokenAccessType;
+                this.scope = scope;
             }
 
             /**
@@ -864,6 +876,10 @@ public Builder withDisableSignup(Boolean disableSignup) {
             }
 
             /**
+             * <b>Beta</b>: This feature is not available to all developers. Please do NOT use it unless you are
+             * early access partner of this feature. The function signature is subjected to change
+             * in next minor version release.
+             *
              * Whether or not to include refresh token in {@link DbxAuthFinish}
              *
              * For {@link TokenAccessType#ONLINE}, auth result only contains short live token.
@@ -882,6 +898,21 @@ public Builder withTokenAccessType(TokenAccessType tokenAccessType) {
                 return this;
             }
 
+            /**
+             *
+             * <b>Beta</b>: This feature is not available to all developers. Please do NOT use it unless you are
+             * early access partner of this feature. The function signature is subjected to change
+             * in next minor version release.
+             *
+             * @param scope A list of scope returned by Dropbox server. Each scope correspond to a group of
+             * API endpoints. To call one API endpoint you have to obtains the scope first otherwise you
+             * will get HTTP 401.
+             */
+            public Builder withScope(String scope) {
+                this.scope = scope;
+                return this;
+            }
+
             /**
              * Returns a new OAuth {@link Request} that can be used in
              * {@link DbxWebAuth#DbxWebAuth(DbxRequestConfig,DbxAppInfo)} to authorize a user.
@@ -903,7 +934,8 @@ public Request build() {
                         forceReapprove,
                         disableSignup,
                         sessionStore,
-                        tokenAccessType);
+                        tokenAccessType,
+                        scope);
             }
         }
     }

src/main/java/com/dropbox/core/InvalidAccessTokenException.java

@@ -1,5 +1,7 @@
 package com.dropbox.core;
 
+import com.dropbox.core.v2.auth.AuthError;
+
 /**
  * Gets thrown when the access token you're using to make API calls is invalid.
  *
@@ -13,8 +15,14 @@
  */
 public class InvalidAccessTokenException extends DbxException {
     private static final long serialVersionUID = 0;
+    private AuthError authError;
 
-    public InvalidAccessTokenException(String requestId, String message) {
+    public InvalidAccessTokenException(String requestId, String message, AuthError authError) {
         super(requestId, message);
+        this.authError = authError;
+    }
+
+    public AuthError getAuthError() {
+        return this.authError;
     }
 }

src/main/java/com/dropbox/core/v2/DbxRawClientV2.java

@@ -356,21 +356,14 @@ private <T> T executeRetriableWithRefresh(int maxRetries, RetriableExecution<T>
                 throw ex;
             }
 
-            try {
-                AuthError authError = DbxRequestUtil.readJsonFromErrorMessage(AuthError.Serializer
-                    .INSTANCE, ex.getMessage(), ex.getRequestId());
+            AuthError authError = ex.getAuthError();
 
-                if (AuthError.EXPIRED_ACCESS_TOKEN.equals(authError) && canRefreshAccessToken()) {
-                    // retry with new access token.
-                    refreshAccessToken();
-                    return executeRetriable(maxRetries, execution);
-                } else {
-                    // Doesn't need refresh.
-                    throw ex;
-                }
-            } catch (JsonParseException newEx) {
-                // server returns unexpect string, or developers http requestor doesn't correctly
-                // handle server's string. Give up.
+            if (AuthError.EXPIRED_ACCESS_TOKEN.equals(authError) && canRefreshAccessToken()) {
+                // retry with new access token.
+                refreshAccessToken();
+                return executeRetriable(maxRetries, execution);
+            } else {
+                // Doesn't need refresh.
                 throw ex;
             }
         }

src/test/java/com/dropbox/core/DbxAuthFinishTest.java

@@ -27,7 +27,7 @@ public class DbxAuthFinishTest extends DbxOAuthTestBase {
     @Test
     public void testDbxAuthFinishLegacyToken() throws Exception{
         DbxAuthFinish expected = new DbxAuthFinish(
-                "test-access-token", null, null, "test-user-id", null, "test", null
+                "test-access-token", null, null, "test-user-id", null, "test", null, null
         );
 
         ByteArrayInputStream responseStream = new ByteArrayInputStream(
@@ -55,7 +55,7 @@ public void testDbxAuthFinishLegacyToken() throws Exception{
     public void testDbxAuthFinishOnline() throws Exception{
         long now = System.currentTimeMillis();
         DbxAuthFinish expected = new DbxAuthFinish(
-                "test-access-token", 3600L, null, "test-user-id", null, "test", null
+                "test-access-token", 3600L, null, "test-user-id", null, "test", null, null
         );
         expected.setIssueTime(now);
 
@@ -88,7 +88,8 @@ public void testDbxAuthFinishOnline() throws Exception{
     public void testDbxAuthFinishOffline() throws Exception{
         long now = System.currentTimeMillis();
         DbxAuthFinish expected = new DbxAuthFinish(
-                "test-access-token", 3600L, "test_refresh_token", "test-user-id", null, "test", null
+                "test-access-token", 3600L, "test_refresh_token", "test-user-id", null, "test",
+            null, null
         );
         expected.setIssueTime(now);
 
@@ -118,10 +119,48 @@ public void testDbxAuthFinishOffline() throws Exception{
         assertEquals(actual.getUrlState(), expected.getUrlState());
     }
 
+    @Test
+    public void testDbxAuthFinishScope() throws Exception{
+        long now = System.currentTimeMillis();
+        DbxAuthFinish expected = new DbxAuthFinish(
+            "test-access-token", 3600L, "test_refresh_token", "test-user-id", null, "test",
+            null, "account_info.read"
+        );
+        expected.setIssueTime(now);
+
+        ByteArrayInputStream responseStream = new ByteArrayInputStream(
+            (
+                "{" +
+                    "\"token_type\":\"Bearer\"" +
+                    ",\"access_token\":\"" + expected.getAccessToken() + "\"" +
+                    ",\"expires_in\":" + 3600 +
+                    ",\"refresh_token\":\"" + expected.getRefreshToken() + "\"" +
+                    ",\"uid\":\"" + expected.getUserId() + "\"" +
+                    ",\"account_id\":\"" + expected.getAccountId() + "\"" +
+                    ",\"scope\":\"" + expected.getScope() + "\"" +
+                    "}"
+            ).getBytes("UTF-8")
+        );
+
+
+
+        DbxAuthFinish actual = DbxAuthFinish.Reader.readFully(responseStream);
+        actual.setIssueTime(now);
+        assertEquals(actual.getAccessToken(), expected.getAccessToken());
+        assertEquals(actual.getAccountId(), expected.getAccountId());
+        assertEquals(actual.getRefreshToken(), expected.getRefreshToken());
+        assertEquals(actual.getExpiresAt(), expected.getExpiresAt());
+        assertEquals(actual.getTeamId(), expected.getTeamId());
+        assertEquals(actual.getUserId(), expected.getUserId());
+        assertEquals(actual.getUrlState(), expected.getUrlState());
+        assertEquals(actual.getScope(), expected.getScope());
+    }
+
     @Test
     public void testDbxAuthFinishWithUrlState() throws Exception {
         DbxAuthFinish expected = new DbxAuthFinish(
-                "test-access-token", 3600L, "test_refresh_token", "test-user-id", null, "test", null
+                "test-access-token", 3600L, "test_refresh_token", "test-user-id", null, "test",
+            null, null
         );
 
         DbxAuthFinish actual = expected.withUrlState("testState");
@@ -154,7 +193,7 @@ public void testFinishWithState() throws Exception {
         assertNotNull(sessionStore.get());
 
         DbxAuthFinish expected = new DbxAuthFinish(
-                "test-access-token", null, null, "test-user-id", null, "test", state
+                "test-access-token", null, null, "test-user-id", null, "test", state, null
         );
         ByteArrayOutputStream body = new ByteArrayOutputStream();
         ByteArrayInputStream responseStream = new ByteArrayInputStream(