Re: How I can connect to OAuth2 from server-side script (without internet browser)?

11 comments

  • joexpert

    Hey Tony... when I follow your steps, I keep getting

     

    curl https://app.box.com/api/oauth2/token...

     

    response:

    {
      error: "invalid_grant",
      error_description: "The authorization code has expired"
    }

     

    I've made sure the to POST it (I did via

    I've also recreated the "client_secret" for my app (and then reran the "Authorization Code" step).

    Each time same result "invalid_grant"

     

    Please help... 🙂

    Thanks,

    Joel

  • joexpert

    (I've already checked for "{" curly braces accidentally being used)

    according to this: 

    http://stackoverflow.com/questions/20937478/invalid-credentials-when-trying-to-obtain-box-api-tokens

     

    I need to set up certificate/security info... do you have any help with that?

     

     

  • joexpert

    Never mind...turns out I had an extra space in my "client_secret"

  • tony-at-box

    Hi Joel,

     

    Glad to hear that you were able to sort it out! 🙂

     

    -Tony

     

  • AakashRatkal

    Hi Tony,

    I went through the process you have described here, and I am able to make API calls using access tokens. Thank you very much for that. My question is: can we bypass the manual grant access option by using enterprise SSO credentials? Or add users to my app in bulk without the user actually doing it (with the Enterprise Administration Access)?

    Thank you for your response.

  • sudhavasiraju

    Hi Tony

    Thank you for your detailed explanation. I followed those steps and am able to access with the retrieved access token. But if I want to implement a complete server-side solution without user interaction, as per my understanding, I need to save the access token and refresh token in some flat file/DB (considering server downtime) and use the refresh method every time by setting those values back on the API connection. Is that correct? Or is there any other way of doing it?

     

    Thanks

    Sudhakar

  • setu01

    OK, so there are a couple more issues with this process though. You can keep your token and refresh token working for you as long as you have your application up and running, but as soon as you restart your application, it loses everything and you have to start all over again with browser login and grant permission. Also, the second issue is that if the user that granted permission has their password expire, then it starts failing and you will have to have them log in again and grant permission. There are just so many manual steps involved, unlike other SaaS providers like Salesforce or NetSuite. Am I wrong on any of these?

     

    thanks

    -Samir

  • finkej1

    I do our user provisioning from a set of Oracle APEX apps. Each call to the BOX API has the following call to set up the authentication (these happen to be for Oracle PL/SQL routines, but might be useful as a model):

     

    apex_web_service.g_request_headers.delete; -- Make sure we are clean
    apex_web_service.g_request_headers(1).name := 'Authorization';
    apex_web_service.g_request_headers(1).value := 'Bearer ' || Oauth_Maint.Get_Access_Token;

     

    Which brings us back to the "Get_Access_Token" function, which looks like:

     

    function Get_Access_Token(interface_name in varchar2 default 'BOX_Provision')
      return varchar2
    is
      sys       sys_rec;
      time_left number;
      result    varchar2(255);
      pragma autonomous_transaction;
    begin
      --
      -- Might want to consider doing an interface check here. Let's assume
      -- it was done at a higher level for now
      sys := sys_by_system_name(interface_name);
      if sys.system_name is null
      then
        raise_application_error(-20101,'Get_Access_Token - System name "' || interface_name || '" is not found.');
      end if;
      time_left := ( sys.access_expire - sysdate ) * 24 * 60; -- time left in minutes
      if nvl(time_left,0) < 2
      then
        -- Less than two minutes left (or no expiry recorded): refresh now
        result := Refresh_Token(sys);
        commit;
        return result;
      end if;

      --
      -- Now get the saved token
      sys.last_access := sysdate;
      sys := update_sys(sys);
      commit;
      return get_token(sys.token_directory, sys.system_name, Access_Suffix);
    end Get_Access_Token;

     

    The "sys_XXX" are a set of PL/SQL routines that provide access to a simple table that basically records the last time we refreshed a token. If the token is "recent" enough, we return it, otherwise we record the "last access time" and get the Tokens from the database. Note - the tokens are actually stored as files on the database server.

     

    This setup has been working since the fall, and as long as someone makes a BOX request at least once every 60 days, the token will be refreshed. Since we synchronize groups a couple of times a day.

     

    If you are interested in seeing the full PL/SQL package, send an email to ***email address removed for privacy*** and ask for the "OAUTH_Maint" package, and I will send it back to you.

     

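The pattern asked about by sudhavasiraju and described by finkej1 above (keep both tokens on disk so they survive a restart, refresh shortly before expiry), as an added Python example that is not code from any poster or from Box. `TokenStore`, `refresh_fn` and the JSON file layout are assumptions: `refresh_fn` stands in for the POST to the token endpoint and must return `access_token`, `refresh_token` and `expires_in`; POSIX file modes are assumed.

```python
import json
import os
import stat
import tempfile
import time

REFRESH_MARGIN = 120  # seconds; mirrors the "time_left < 2" minutes check above


class TokenStore:
    """File-backed OAuth2 token cache that survives application restarts."""

    def __init__(self, path, refresh_fn, now=time.time):
        self.path, self.refresh_fn, self.now = path, refresh_fn, now

    def _load(self):
        mode = stat.S_IMODE(os.stat(self.path).st_mode)
        if mode & 0o077:  # group/other can read it: refuse to trust the file
            raise PermissionError(f"{self.path} mode {oct(mode)} is too open")
        with open(self.path) as fh:
            return json.load(fh)

    def save(self, tokens):
        # Write a temp file in the same directory, then rename over the old
        # one, so a crash never leaves a half-written or stale token file.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        try:
            with os.fdopen(fd, "w") as fh:  # mkstemp creates the file 0600
                json.dump(tokens, fh)
                fh.flush()
                os.fsync(fh.fileno())
            os.replace(tmp, self.path)
        except BaseException:
            os.unlink(tmp)
            raise

    def get_access_token(self):
        tokens = self._load()
        if tokens["expires_at"] - self.now() >= REFRESH_MARGIN:
            return tokens["access_token"]
        # A refresh returns a new refresh token too: persist the new pair
        # before handing the access token to the caller.
        new = self.refresh_fn(tokens["refresh_token"])
        self.save({"access_token": new["access_token"],
                   "refresh_token": new["refresh_token"],
                   "expires_at": self.now() + new["expires_in"]})
        return new["access_token"]
```

The first token pair still has to come from one interactive authorization; after that, `save()` seeds the file and a scheduled job can call `get_access_token()` unattended.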
  • Tony58

    Is it still the case or has it been updated? (Server side script without internet browser)

  • Stan_

    Is this not valid anymore? I'm not getting "Authorization Code" on step #2, it just redirects me to "https://hidden.app.box.com/folder/0"

  • Stan_

    I ended up using the following automated script for OAuth 2.0 with bash. If somebody is interested: https://github.com/rooty0/box-oauth-uploader
