OAuth Confusion and POSTMAN
Hi, a few questions about authorization in Box
- Is there a way to use POSTMAN to GET the developer's token and/or the OAuth token?
- I traced the GET request when you manually request the developer's token from the web integration page but was unable to replicate it using POSTMAN.
- I found a blog post from years ago about using POSTMAN for OAuth, but the video itself was no longer present on the page so I was unable to see the tutorial.
- Is it possible to use OAuth even if you haven't published your web application yet?
- If so, once you have obtained your initial token, can you automatically refresh the token from the code (using the appropriate REST calls) rather than having to manually go through to refresh that token?
- What happens when the refresh token expires? I assume you just begin again as if you did not have a token previously.
Sorry for all the questions. I am new to Box!
Thank you!
-
Hi there,
The first step of the OAuth2 process is to obtain the "authorization_code" after the user authenticates from the browser, which you cannot do from POSTMAN (as far as I know). POSTMAN is used to obtain access tokens once you have completed the first step in the browser. However, you do not need to have a published web application to do that. You could use "localhost" or, even better, your Box URL " .app.box.com" as a redirect URL. Both URLs must match in order for this to work.
- First step is to use this request in a browser
https://app.box.com/api/oauth2/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_REDIRECT_URI&state=security_token%3DKnhMJatFipTAnM0nHlZA
- Use "localhost" or ".app.box.com" in the redirect URL
- If the config is correct, it should present you the login screen. Provide uname and password.
- As soon as you authorize the application, it will redirect to the redirect URL with the "code" appended at the end of the URL, e.g.
YOUR_REDIRECT_URI?code=THE_AUTHORIZATION_CODE
- Now you have 30 seconds to use that AUTHORIZATION CODE in POSTMAN to do the following request:
curl https://api.box.com/oauth2/token \
  -d 'grant_type=authorization_code&code=YOUR_AUTH_CODE&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET' \
  -X POST
- YOUR_AUTH_CODE is the auth code that is appended in the URL in previous step
- Now that will get you the Access Token and Refresh Token.
- And since the Access Token lasts 1 hour, you should get a new one with a new call. This time grant_type will be REFRESH_TOKEN. Last time it was authorization_code.
curl https://api.box.com/oauth2/token \
  -d 'grant_type=refresh_token&refresh_token={valid refresh token}&client_id={your_client_id}&client_secret={your_client_secret}' \
  -X POST
- Now the process is the same with the code as well. Same way you implement it in POSTMAN.
Please see this link for more details:
I hope this helps.
thanks,
Bibek
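The steps in the answer above, as an added Python sketch that is not part of the original thread or Box's own code: it builds the authorize URL with a fresh random `state`, checks that value on the redirect before accepting the code (this is what protects the flow against a forged redirect), and builds the two token requests with every field in the POST body, as `curl -d` does. The function names are hypothetical, the endpoints are the ones quoted in the post, and nothing is sent over the network.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs
from urllib.request import Request

AUTHORIZE_URL = "https://app.box.com/api/oauth2/authorize"  # from the post
TOKEN_URL = "https://api.box.com/oauth2/token"              # from the post


def build_authorize_url(client_id, redirect_uri):
    """Return (url, state); the random state ties the redirect to this login."""
    state = secrets.token_urlsafe(24)
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{AUTHORIZE_URL}?{query}", state


def code_from_redirect(redirect_url, expected_state):
    """Extract ?code= from the redirect, rejecting a missing or wrong state."""
    params = parse_qs(urlsplit(redirect_url).query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: redirect does not match our request")
    if "code" not in params:
        raise ValueError("no authorization code in redirect")
    return params["code"][0]


def token_request(client_id, client_secret, **grant):
    """Form-encode all fields into the body so the secret never sits in a URL."""
    body = urlencode({**grant, "client_id": client_id,
                      "client_secret": client_secret})
    return Request(TOKEN_URL, data=body.encode(), method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


def exchange_code(client_id, client_secret, code):
    """First token call: grant_type=authorization_code."""
    return token_request(client_id, client_secret,
                         grant_type="authorization_code", code=code)


def refresh(client_id, client_secret, refresh_token):
    """Later calls: grant_type=refresh_token."""
    return token_request(client_id, client_secret,
                         grant_type="refresh_token", refresh_token=refresh_token)
```

Passing the returned `Request` to `urllib.request.urlopen` would perform the call; the sketch stops before that so it runs offline.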
-
Here is the video showing how to use Postman with Box's OAuth process.
-
I keep getting error 400 in the second part (the Postman POST to get the token and the refresh).
This is my POST:
https://api.box.com/oauth2/token?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&redirect_uri=https://localhost&code=zMMTMQt86KF2ocKShyrYzMLvkmUhGEyJ&grant_type=authorization_code
Any pointers, please? Thank you
Dimitris