Level up your Box knowledge with brand new learning paths on Box University. Visit training.box.com to get started

Box OAuth2 asking "Grant access to box" page every time user log-in with box from same browser

New post

Comments

3 comments

  • Rui Barbosa

    Hi Boney,

    Not really, the behaviour should be similar and as you described.

    Not sure how your web application is working or even what stack you are using.

    Typically, once you authorize the application, you get an access token valid for 60 minutes and a refresh token valid for 60 days.

    When your access token is expired you use the refresh token to get a new pair, which is the typical OAuth2 behaviour.

    Here is a very simple sample app done in python that illustrates this mechanic.

    Let us know if this helps

      

    0
    Comment actions Permalink
  • Boney Jacob

    Hi Rui Barbosa,

    Thank you for your attention.

    Sorry, I don't mean token management related things.

    Note: My application name is ABC

    Application ABC authentication flow is like this (Assume Box application is already login from same browser)
    Load ABC login page -> click on Login with Box button -> Redirect to Grant access to box page -> click on Allow box access button -> Box generates ID token -> Application ABC creates custom JWT tokens (access token and refresh token) for internal use -> Click on logout button 

    Then we tried again to login ABC using the box then we should follow all the above steps but case is different while we using Google or Facebook.
    No need to allow grant access next time while we use Google or Facebook.

    Example: 
    Load ABC login page -> click on Login with Google button -> Redirect to Grant access page -> click on Allow google access button -> Google generates ID token -> Application ABC creates custom JWT tokens (access token and refresh token) for internal use -> Click on logout button 

    Then again we tried to login with google
    Load ABC login page -> click on Login with Google button -> Google generates ID token -> Application ABC creates custom JWT tokens (access token and refresh token) for internal use -> .....

    I hope situation is clear now.
    Do we need Grant access to box every time?

    0
    Comment actions Permalink
  • Rui Barbosa

    Hi Boney,

    I think I understand your question now.

    Box is not an identity provider like Google or Facebook, so login using Box authentication is not possible.

    Box OAuth exists to provide your app user a way to access their resources at box, but not to login at your application.

    Since you mentioned that you integrated Google authentication I was assuming the following user case.

    User opens login page in ABC app, and clicks login using google.

    The first time this happens ABC app authenticates the user via Google and also registers the user in it's database.

    From this point on the user can login to ABC app using Google as an identity provider.

    Now the user needs to access box content using his box account security context.

    User is logged in to ABC app -> goes to page to integrate with box -> grants ABC app access to his account -> ABC app stores access token and refresh token locally under the user registration -> ABC app uses access token to access box API and get user content.

    The second time the user logs in:

    User opens ABC login page, click login using google -> ABC authenticates against google and logins user locally -> ABC app uses access token stored previously to access user content in box (no more authorization)

    In this GitHub repo is an example of a sample app that illustrates this flow: https://github.com/box-community/ui-elements-oauth 

    The difference to your app is that it is not using google as an identity provider, so signup a user first and then login.

    Registering a new user

    Authorizing Box

    Granting access

    User logged in for the first time

    User second login:

    No need to re authorize the app

    Hope this helps

    0
    Comment actions Permalink

Please sign in to leave a comment.