Welcome to the new Box Support website. Check out all the details here on what’s changed.

Allowing redirect_uri to be different than the one specified in Box dev app options

New post

Comments

8 comments

  • moeckelb

    Ran into the same problem. Did you found any solution?

    0
    Comment actions Permalink
  • WetWillie

    Here is the official response I got, hope it can help you.

     

    Due to vulnerabilities around having a wildcard redirect uri that were discovered around a year ago, we no longer support leaving the field empty.

    We do support having a base url which can have a dynamic path, but it would require that at least the base matches. What I mean by this is that if you set the redirect uri in the application to

    https://www.example.com/

    When generating the url for the authentication process, you can have `&redirect_uri=https://www.example.com/customer1_redirect`

    We will check that the base url matches (the https://www.example.com/) and then allow you to have the dynamic path afterwards, and we'll send the redirect to the uri specified during the auth process instead of the base url set in the app.

    If the base url does not match, we will reject the authentication request with a redirect_uri_mismatch error. Currently, we do not support having multiple base url redirects in a single application, so you would either need to build a custom flow that redirects to the correct customer's redirect from your service for them to attain the token, or you would need to create multiple applications for each customer to have their own environment set up.

    Sorry for any inconvenience this may cause, but unfortunately due to the strict security requirements we are under, we are unable to change this behavior.

    0
    Comment actions Permalink
  • arivoir

    Please add an option to allow multiple redirect_uri's

    0
    Comment actions Permalink
  • DaveCloud

    I have run into the same issue, having the redirect_uri in the dev console for development is great and makes sense. But when you get to production it causes complications. I can fully understand the security issues you are referring to, having the ability to add &redirect_uri= to the url could be subverted.

     

    The issue I have is two fold

    1. we use sub-domains, eg.

     

    beta.example.com

    prerelease.example.com

    staging.example.com

    www.example.com

     

    The examples given in the official reply only show sub directories, do sub domains work too.

    If I define the base uri as example.com, would the uri's above throw an error if added as a redirect_uri?

     

    2. I am using the v2 SDK and there is no mention of the redirect_uri, probably because of the security issues

     

    Is it possible to add &redirect_uri=beta.example.com to the url used in the SDK to modify the redirect uri?

     

    0
    Comment actions Permalink
  • DaveCloud

    To check this myself I changed the redirect_uri in the dev console to the base domain, and then attempted to set the redirect_uri to a subdomain. 

     

    Unless I did anything wrong this failed, so I suspect the test for domain does not deconstruct the uri to extract the base domain, just doing a straight text check on the first n chars will fail with subdomains so I suspect that is what the API is doing.

     

    Is it on the development plan to allow subdomains, or can you give me any workaround to use several subdomains.

     

    Thanks

    Dave

     

    0
    Comment actions Permalink
  • vladimirt

    hi any progress on this? is it possible add multiple `redirect_uris` or are the subdomains allowed in current version? It so, then how? 

    0
    Comment actions Permalink
  • andrew-asteria

    Just sharing I had this issue, until I chanced upon the Box File Picker API here: https://box-content.readme.io/docs/the-box-file-picker

     

    It doesn't require the whole Oauth process using the redirect uri and I manage to get this box feature in my app for external users to upload content to my app.

     

    The problem now is that this API have it's limitation in UI editing but I guess it's an old API..

    0
    Comment actions Permalink
  • Kourtney

    Hello All- 

     

    Thank you to everyone that has shared their feedback on this thread. We've definitely heard you and have gone ahead and filed a feature request to the product team. You can track that request here (its currently awaiting approval but will be up soon) and I encourage you all to go give it up an upvote! 

     

    Best, 

    Kourtney 

    0
    Comment actions Permalink

Please sign in to leave a comment.