Dropbox: Nonce mismatch after sign in using automatic code exchange

[timvonwerne]

Describe the bug
After confirming the scopes in the sign in flow of Dropbox, I get the "Authorization error: Nonce mismatch" error when letting AppAuth perform the token exchange automatically (see next section). When tapping on "Manual" instead of "Auto", logging in and then tapping on "Code Exchange" everything seems to work fine.

To Reproduce
Steps to reproduce the behavior:
After not getting it to work with my own application, I tried the Example-iOS_Swift-Carthage. I will describe the steps to reproduce based on this example.

1. Tap on "Auto"
2. Allow the sign in to dropbox
3. Login to Dropbox and Confirm the access scopes of the application

Expected behavior
The sign in should be completed successfully.

Screenshots (I will provide logs instead)

05:29:26: Fetching configuration for issuer: https://dropbox.com
05:29:26: Got configuration: OIDServiceConfiguration authorizationEndpoint: https://www.dropbox.com/oauth2/authorize, tokenEndpoint: https://api.dropboxapi.com/oauth2/token, registrationEndpoint: (null), endSessionEndpoint: (null), discoveryDocument: [<OIDServiceDiscovery: 0x3013084e0>]
05:29:26: Initiating authorization request with scope: openid profile email
05:29:42: Authorization error: Nonce mismatch

Environment

• Device: iPhone 13 Pro, iPhone 15 Pro (Simulator)
• OS: iOS 17.4, iOS 17.2 (Simulator)

Additional Context
As explained above, I took the original example. I tried retrieving the token with and without specifying the client secret. What's really weird is that I can see a response from https://api.dropboxapi.com/oauth2/token containing an access token and an id token when inspecting the network traffic using Proxyman.