Error: grant credentials are invalid

  • Official comment
    Alex Novotny

    Hello, 

    Which application access level has been selected? If you have a user id that isn't the service account or app user, this won't work. Here is some documentation that describes this.

    Thanks, 

    Alex, Box Developer Advocate

  • Kevin Cho

    Hi Alex,

    Thank you for getting back to us. Sorry for the confusion in the post above.

    Our app's access level is "App + Enterprise"

    And we also tested the command below

    curl --location --request POST 'https://api.box.com/oauth2/token' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'client_id=1ef9ltqp9f9ftv4dydqjius4w20072rc' \
    --data-urlencode 'client_secret=XXXX' \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode 'box_subject_type=enterprise' \
    --data-urlencode 'box_subject_id=575619'

    But still get an error saying

    {"error":"invalid_grant","error_description":"Grant credentials are invalid"}

    We saw a bunch of posts about Box's bug on this behaviour. https://support.box.com/hc/en-us/community/posts/1500000868842-Error-Grant-credentials-are-invalid

    Would you mind checking our app so we could use `grant_type=client_credentials` please?

    Kevin

  • Alex Novotny

    Looks like the client id was not affected by the bug. So, we are good there.

    I verified your app settings compared to one of my test ones and they are the same.... my calls to get a token work. When you changed your app access to app + enterprise did you reauthorize the application in the admin console?

  • Alex Novotny

    Also... try enterprise id 130718.....

  • Kevin Cho

    Hi Alex,

    Thanks for getting back to us quickly.

    Would you confirm that the app needs to be authorized to use the "grant_type=client_credentials" call through API please?

    130718 does not work either.

  • Alex Novotny
    curl --location --request POST 'https://api.box.com/oauth2/token' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'client_id=<client_id>' \
    --data-urlencode 'client_secret=<secret>' \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode 'box_subject_type=enterprise' \
    --data-urlencode 'box_subject_id=<enterprise_id>'

    yes... this is the code I'm running to get a token... the parts in <> need to be replaced with your information

  • Kevin Cho

    Hi Alex,

    Thanks for your confirmation. We are having an issue with our institution authorizing our app. Does the "refresh access token" mechanism also require app authorization by admin?

    https://developer.box.com/reference/post-oauth2-token--refresh/

  • Alex Novotny

    Yes. Any api endpoints require authorization by an admin... with exception of if your application is an OAuth2.0 app... 

  • Kevin Cho

    My application is OAuth 2.0 with Client Credentials Grant - does it mean this should work without admin authorization?

  • Alex Novotny

    No. I meant the standard OAuth 2.0 kind. The type described here. If you need access to content across the enterprise, you will need to have the admin authorize it. Do you all have an internal process for approving applications?

  • Kevin Cho

    Thanks. Yes, there is an internal admin process for approving applications. What we want to do is, pull data from box to a linux server (without GUI), without having to insert developer token every hour. Do you think the only option is to get the app authorized?

  • Alex Novotny

    I would actually use a JWT app for this... not Oauth 2.0 or Client Cred. If you need to grab information owned by multiple users, then yes. The application needs to be approved by an admin of the Box instance. 

    Client cred is great for quick and dirty authentication, but it is not the most secure and doesn't have support in the sdk libraries. 

  • Kevin Cho

    Thanks- let me clarify.

    We need to grab information uploaded by multiple users to our box. Then the application needs to be approved by an admin of Box instance and we can use Oauth 2.0 or Client Cred. Correct?

  • Alex Novotny

    No. In order to use Oauth or Client Cred one user needs to have access to all the content in the Box folder(s) you are trying to access. With oauth - it's the user you authenticate with. With Client Cred - it's the service account that gets created once the admin approves the application.
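Added example, not part of the thread and not Box's code: a headless token helper for the client-credentials request shown in the curl commands above, which caches the token until shortly before it expires and turns the `invalid_grant` reply quoted in the thread into an actionable message. The class name `BoxCCGToken`, the injectable `post` and `clock` parameters and the 60-second renewal margin are assumptions of this sketch; `expires_in` is assumed to be present as the standard OAuth 2.0 lifetime field.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.box.com/oauth2/token"  # endpoint from the thread


def http_post(url, form):
    """POST a form body; return (status, text) for 2xx and 4xx alike."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


class BoxCCGToken:
    """Caches a client-credentials token; renews it 60 s before expiry."""

    def __init__(self, client_id, client_secret, enterprise_id,
                 post=http_post, clock=time.monotonic):
        # Load client_secret from a root-only file or secret store, not argv.
        self._form = {"client_id": client_id, "client_secret": client_secret,
                      "grant_type": "client_credentials",
                      "box_subject_type": "enterprise",
                      "box_subject_id": enterprise_id}
        self._post, self._clock = post, clock
        self._token, self._expires_at = None, 0.0

    def get(self):
        if self._token and self._clock() < self._expires_at - 60:
            return self._token
        status, body = self._post(TOKEN_URL, self._form)
        reply = json.loads(body)
        if status != 200 or "access_token" not in reply:
            hint = ""
            if reply.get("error") == "invalid_grant":
                # Causes raised in the thread for this exact error.
                hint = (" (has a Box admin authorized, or re-authorized, the app?"
                        " is box_subject_id the enterprise ID?)")
            raise RuntimeError(
                f"{reply.get('error')}: {reply.get('error_description')}{hint}")
        self._token = reply["access_token"]
        # expires_in is the standard OAuth 2.0 lifetime field (RFC 6749).
        self._expires_at = self._clock() + int(reply.get("expires_in", 0))
        return self._token
```

Passing the secret through the constructor rather than a command-line flag keeps it out of the process list and shell history on a shared server.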
