On Mobile (PWA) app, Unable to login via Box's OAuth2 when account has 2FA enabled
Preconditions
- Box account has 2FA enabled
- User is on Mobile device
Problem:
We have a PWA with Box's OAuth2 login integration. It works OK on desktop browsers. But it doesn't work on Mobile devices.
1. To login via Box, it opens GET https://www.box.com/api/oauth2/authorize?response_type=code&client_id=XYZ
2. User types in Email and Password
3. User is now asked to enter the OTP received on Phone.
4. User now lands on a 404 page.
Problem:
On step 1, it sets a "site_preference=mobile" cookie.
On step 2, after entering credentials, it sends POST https://app.box.com/api/oauth2/authorize?response_type=code&client_id=XYZ, whose response has the header
set-cookie: box_redirect_url=https%3A%2F%2Fm.box.com%2Fapi%2Foauth2%2Fauthorize%3Fresponse_type%3Dcode%26client_id%XYZ
Notice the domain is "m.box.com" instead of (probably) the expected "app.box.com".
On step 4, the URL is https://m.box.com/api/oauth2/authorize?response_type=code&client_id=XYZ, which returns a 404.
If I just change the step 4 URL to https://app.box.com/api/oauth2/authorize?response_type=code&client_id=XYZ, it then asks me to grant access, and upon granting access I am logged in to our application.
Note:
The same flow works OK if accessed from a desktop browser OR the user doesn't have 2FA enabled.
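The redirect target in this flow is carried in the box_redirect_url cookie, so a client that follows it blindly ends up on whatever host the cookie names. The script below is an added example (not part of the original post and not Box's code) that parses a Set-Cookie header, percent-decodes the redirect URL and checks its host against the hosts the post expects (app.box.com / www.box.com) before the client follows it, and confirms the OAuth2 query parameters survived the redirect. The header values are constructed from the post with the client_id placeholder XYZ; the allowlist is an assumption for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts the post expects the authorize endpoint to live on (assumed allowlist).
EXPECTED_AUTHORIZE_HOSTS = {"app.box.com", "www.box.com"}
AUTHORIZE_PATH = "/api/oauth2/authorize"

# Constructed sample: the Set-Cookie value observed in the post (client_id placeholder XYZ).
SAMPLE_SET_COOKIE = (
    "box_redirect_url=https%3A%2F%2Fm.box.com%2Fapi%2Foauth2%2Fauthorize"
    "%3Fresponse_type%3Dcode%26client_id%3DXYZ; Domain=.box.com; Path=/; Secure"
)


def inspect_redirect_cookie(set_cookie_header: str) -> dict:
    """Decode box_redirect_url from a Set-Cookie header and report whether it
    points at an expected authorize host. Returns a dict the caller can use to
    decide whether to follow the redirect."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if "box_redirect_url" not in jar:
        raise ValueError("no box_redirect_url cookie in header")

    # The cookie value is percent-encoded once; decode before parsing as a URL.
    redirect_url = unquote(jar["box_redirect_url"].value)
    parts = urlsplit(redirect_url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}

    return {
        "redirect_url": redirect_url,
        "host": parts.hostname,
        "path": parts.path,
        "query": query,
        # Only follow when the scheme, host and path are what the OAuth2 flow expects.
        "host_ok": parts.scheme == "https"
        and parts.hostname in EXPECTED_AUTHORIZE_HOSTS
        and parts.path == AUTHORIZE_PATH,
        # The authorization request must still carry the original parameters.
        "params_ok": query.get("response_type") == "code" and bool(query.get("client_id")),
    }


if __name__ == "__main__":
    result = inspect_redirect_cookie(SAMPLE_SET_COOKIE)
    status = "OK" if result["host_ok"] else "UNEXPECTED HOST"
    print(f"{status}: redirect to {result['host']}{result['path']} params={result['query']}")
```

Run against the sample from the post, the check flags m.box.com as an unexpected host while confirming response_type and client_id were preserved; pointing the same cookie at app.box.com passes both checks, which matches the manual workaround described above.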