Error: grant credentials are invalid
Hi,
I have created a client grant type application.
When trying to connect to it, I'm getting the following error:
curl --location --request POST 'https://api.box.com/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=1ef9ltqp9f9ftv4dydqjius4w20072rc' \
--data-urlencode 'client_secret=XXXX' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'box_subject_type=user' \
--data-urlencode 'box_subject_id=2635723082'
I have seen previous posts about this issue. Would you please help us here?
Thanks,
-
Official comment
Hello,
Which application access level has been selected? If you have a user id that isn't the service account or app user, this won't work. Here is some documentation that describes this.
Thanks,
Alex, Box Developer Advocate
-
Hi Alex,
Thank you for getting back to us. Sorry for the confusion in the post above.
Our app's access level is "App + Enterprise"
And we also tested the command below
curl --location --request POST 'https://api.box.com/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=1ef9ltqp9f9ftv4dydqjius4w20072rc' \
--data-urlencode 'client_secret=XXXX' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'box_subject_type=enterprise' \
--data-urlencode 'box_subject_id=575619'
But still get an error saying
{"error":"invalid_grant","error_description":"Grant credentials are invalid"}
We saw a bunch of posts about Box's bug on this behaviour. https://support.box.com/hc/en-us/community/posts/1500000868842-Error-Grant-credentials-are-invalid
Would you mind checking our app so we could use `grant_type=client_credentials` please?
Kevin
-
Looks like the client id was not affected by the bug. So, we are good there.
I verified your app settings compared to one of my test ones and they are the same.... my calls to get a token work. When you changed your app access to app + enterprise did you reauthorize the application in the admin console?
-
curl --location --request POST 'https://api.box.com/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=<client_id>' \
--data-urlencode 'client_secret=<secret>' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'box_subject_type=enterprise' \
--data-urlencode 'box_subject_id=<enterprise_id>'
yes... this is the code I'm running to get a token... the parts in <> need to be replaced with your information
-
Hi Alex,
Thanks for your confirmation. We are having an issue with our institution authorizing our app. Does the "refresh access token" mechanism also require app authorization by admin?
https://developer.box.com/reference/post-oauth2-token--refresh/
-
No. I meant the standard OAuth 2.0 kind. The type described here. If you need access to content across the enterprise, you will need to have the admin authorize it. Do you all have an internal process for approving applications?
-
I would actually use a JWT app for this... not OAuth 2.0 or Client Cred. If you need to grab information owned by multiple users, then yes. The application needs to be approved by an admin of the Box instance.
Client cred is great for quick and dirty authentication, but it is not the most secure and doesn't have support in the SDK libraries.
-
No. In order to use OAuth or Client Cred, one user needs to have access to all the content in the Box folder(s) you are trying to access. With OAuth, it's the user you authenticate with. With Client Cred, it's the service account that gets created once the admin approves the application.
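
The request both posters ran, built so the client secret stays out of argv and shell history, plus a check of the response against the two causes raised in the replies. This is an added example, not code from the thread or from Box; the function names and the `BOX_CLIENT_ID`, `BOX_CLIENT_SECRET` and `ENTERPRISE_ID` variables are assumptions.

```shell
#!/bin/sh
# Added example; function and environment variable names are assumptions.

# Escape backslash and double quote for a quoted value in a curl config file.
cfg_escape() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'; }

# Print a curl config for the client-credentials request shown in the thread.
# Credentials are read from the environment and passed to curl on stdin, so
# the secret is never a command-line argument (ps output, shell history).
ccg_curl_config() {
  subject_type=$1; subject_id=$2
  case $subject_type in
    enterprise|user) ;;
    *) echo "box_subject_type must be enterprise or user" >&2; return 2 ;;
  esac
  case $subject_id in   # the ids posted in the thread are all digits
    ''|*[!0-9]*) echo "box_subject_id must be numeric" >&2; return 2 ;;
  esac
  [ -n "${BOX_CLIENT_ID:-}" ] && [ -n "${BOX_CLIENT_SECRET:-}" ] ||
    { echo "set BOX_CLIENT_ID and BOX_CLIENT_SECRET" >&2; return 2; }
  cat <<EOF
url = "https://api.box.com/oauth2/token"
data-urlencode = "client_id=$(cfg_escape "$BOX_CLIENT_ID")"
data-urlencode = "client_secret=$(cfg_escape "$BOX_CLIENT_SECRET")"
data-urlencode = "grant_type=client_credentials"
data-urlencode = "box_subject_type=$subject_type"
data-urlencode = "box_subject_id=$subject_id"
EOF
}

# Classify a token response body and print the checks raised in the replies.
explain_token_response() {
  case $1 in
    *'"access_token"'*) echo "ok: token issued" ;;
    *'"invalid_grant"'*)
      echo "invalid_grant, check:"
      echo "- with box_subject_type=user, is the id the service account or an app user?"
      echo "- was the app reauthorized in the admin console after its access level changed?"
      return 1 ;;
    *) echo "unexpected response"; return 1 ;;
  esac
}

# Usage (network call, not run here):
#   ccg_curl_config enterprise "$ENTERPRISE_ID" | curl --silent --config -
```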