Setting up Postman with Box JWT Server Authentication

Follow
New post
Kevin Lu

Hello all! 

I'm a web developer at the Univ of Arizona and am trying to set off a manual Box Relay to automate tasks for our staff in College of Humanities (COH).

I am trying to set up Postman to work with our app that's OAuth 2.0 with JWT (Server Authentication). So far: 

When I hit "Get New Access Token", i get the following on my browser:

I get the sense that maybe for JWT, though, I'm not supposed to authenticate this way / i'm doing something wrong. If anyone has information on how to connect Postman to Box API using JWT, that would be super super helpful.

0

Comments

14 comments

Date Votes
  • Alex Novotny

    Hey Kevin, 

    With JWT, its a little different. In Postman, you'll want to use your developer token. Go to the developer console where you made your application. Generate a developer token. After that, you can use that token in the Postman app like below. 

    0
    Comment actions Permalink
  • Aziz, Jehan

    Hi Alex,

    Your suggesting is good for testing, but how would I put this into production with automation? I want to be able to request a token from the Box application programmatically. It seems like the Request access token endpoint is what I would use, but have not been successful at providing all of the required fields.
    Thanks for your help.

    0
    Comment actions Permalink
  • Alex Novotny

    Hi Jehan! 

    Are you getting a specific error? May I see the parameters you are sending in? 

    Alex

    0
    Comment actions Permalink
  • saumya sharma

    Hi Alex , 

    I am sending a post request with grant type ,client id and assertion in the body but getting error 'wrong number of segments'. Could you please share what should a correct request look like?

    0
    Comment actions Permalink
  • Alex Novotny

    Hello, 

    I would go through our quick start in the developer documentation - this flow will set up token request flow automatically in Postman. 

    https://developer.box.com/guides/tooling/postman/quick-start/

    0
    Comment actions Permalink
  • saumya sharma

    Hi , I did follow the steps but i get the same error. Please help.

     

    0
    Comment actions Permalink
  • Alex Novotny

    I just followed the quick start guide again to confirm, and I'm not seeing any issues.Can you share a screenshot of the error you are seeing? 

    0
    Comment actions Permalink
  • saumya sharma

    Thanks for the quick response. I am trying to fetch the 'access token' using the jwt assertion token .

     

     

    0
    Comment actions Permalink
  • Alex Novotny

    Ah - I see. Yes. The quick start was meant for using an OAuth 2.0 connection - not JWT. I believe you also need to send in your client secret? 

    0
    Comment actions Permalink
  • Alex Novotny

    0
    Comment actions Permalink
  • Alex Novotny

    You can use the code here to create the assertion you send in as well! Just log the assertion and comment out the code where it is making the token. 

    0
    Comment actions Permalink
  • saumya sharma

    Hi I am unable to create the assertion using the above code. Could you please let me know the steps you followed for the same.

    Additionally - what is the private key format that is created in the developer console. It doesnt seems to be base64 or PEM.

    0
    Comment actions Permalink
  • Alex Novotny
    • Edited
    const fs = require('fs')
    const crypto = require('crypto')
    const jwt = require('jsonwebtoken')

    const config = JSON.parse(
    fs.readFileSync('PATH_TO_FILE')
    )

    let run = async () => {
    // In node we don't need to manually decrypt the
    // key, as the JWT library can handle this for us
    letkey= {
    key: config.boxAppSettings.appAuth.privateKey,
    passphrase: config.boxAppSettings.appAuth.passphrase
    }

    // We will need the authenticationUrl again later,
    // so it is handy to define here
    constauthenticationUrl='https://api.box.com/oauth2/token'

    letclaims= {
    'iss': config.boxAppSettings.clientID,
    'sub': config.enterpriseID,
    'box_sub_type': 'enterprise',
    'aud': authenticationUrl,
    // This is an identifier that helps protect against
    // replay attacks
    'jti': crypto.randomBytes(64).toString('hex'),
    // We give the assertion a lifetime of 45 seconds
    // before it expires
    'exp': Math.floor(Date.now() /1000) +45
    }

    letkeyId=config.boxAppSettings.appAuth.publicKeyID

    // Rather than constructing the JWT assertion manually, we are
    // using the jsonwebtoken library.
    letassertion= jwt.sign(claims, key, {
    // The API support "RS256", "RS384", and "RS512" encryption
    'algorithm': 'RS512',
    'keyid': keyId,
    })
    console.log(assertion)
    }

    run()
    0
    Comment actions Permalink
  • Alex Novotny

    That is the block of code I used.... it uses RS512. 

    0
    Comment actions Permalink

Please sign in to leave a comment.