Improved Dropbox Support with Short-Lived Tokens and PKCE


Retrospect Backup 18.2 for Windows and Mac includes significant updates for Dropbox support.

Dropbox Short-Lived Tokens

Starting September 30th, 2021, the Dropbox OAuth flow will no longer return long-lived access tokens. It will instead return short-lived access tokens, and optionally return refresh tokens. Please be sure to review, test, and move to the new permission model before then.

Retrospect Backup 18.2 and higher supports Dropbox’s new OAuth workflow with short-lived tokens. There is no user-facing change to be aware of. Retrospect Backup automatically switches from the existing long-lived token to the new short-lived token.

Previous Releases: Retrospect 18.1.1 and Earlier

Existing Dropbox backup sets will continue to function. You’ll be able to back up to them and restore from them. However, you will not be able to create a new Dropbox backup set or rebuild an existing Dropbox backup set. You will see one of the following errors:

  • Backup and restore will log "error -1017 (insufficient permissions)" and display a media request

  • Recycle on Windows: "Can’t open Backup Set for writing, error -1102 (drive missing/unavailable)"

  • Recycle on Mac: "RefBackupset::Recycle error"

The previously-issued ("long-lived") access token that Retrospect stores persistently in the configuration file for existing backup sets will continue to be accepted by Dropbox as valid authentication and should not expire.

Dropbox PKCE

Retrospect now has PKCE support for Dropbox authentication. You can read more about PKCE in this Dropbox Engineering blog post; the high-level security rationale is given in the following quote from that post:

PKCE provides dynamic client secrets, meaning your app’s client secrets can stay secret (even without a back end for your app). PKCE is better and more secure than the implicit flow (AKA the “token flow”). If you’re using the implicit flow, then you should switch to PKCE. If you use an implicit flow to authorize your Dropbox app, then PKCE is a better, more secure replacement, and you should no longer use implicit flow.
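
The two mechanisms described on this page, as an added Python example (not Retrospect's code): a per-authorization PKCE verifier and S256 challenge as defined in RFC 7636, the Dropbox authorization URL that also requests a refresh token, and the token-request bodies used afterwards. CLIENT_ID is a placeholder, the function names are this example's own, and nothing is sent over the network.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://www.dropbox.com/oauth2/authorize"
CLIENT_ID = "EXAMPLE_APP_KEY"  # placeholder app key (constructed, not a real value)

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_verifier() -> str:
    """Fresh secret per authorization: 32 random bytes -> 43 characters."""
    return b64url(secrets.token_bytes(32))

def challenge_for(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(verifier)). Only this leaves the app first."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def authorize_url(challenge: str) -> str:
    """URL opened in the browser; it carries the challenge, never the verifier."""
    return AUTHORIZE_URL + "?" + urlencode({
        "client_id": CLIENT_ID,
        "response_type": "code",
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "token_access_type": "offline",  # also return a refresh token
    })

def code_exchange_form(code: str, verifier: str) -> dict:
    """Token-request body: the verifier stands in for a static client secret."""
    return {"grant_type": "authorization_code", "code": code,
            "code_verifier": verifier, "client_id": CLIENT_ID}

def refresh_form(refresh_token: str) -> dict:
    """Body that trades the refresh token for a new short-lived access token."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": CLIENT_ID}

def server_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """The check the authorization server makes when the code is redeemed."""
    return hmac.compare_digest(challenge_for(presented_verifier), stored_challenge)

def needs_refresh(issued_at: float, expires_in: int, now: float, skew: int = 60) -> bool:
    """True once the access token is within `skew` seconds of its expiry."""
    return now >= issued_at + expires_in - skew
```

An intercepted authorization code is useless without the matching verifier, which is why no client secret has to be embedded in the installed application.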

Last Update: September 29, 2021