Box OAuth2 asking "Grant access to box" page every time user log-in with box from same browser
I integrated Box and Google OAuth with my web application. Now users can successfully log-in with Box and Google.
But OAuth2 behaves differently for Box and Google
- Box will ask "Grant access to box" page every time while user log-in with box from same browser
- Google Grant access page will only ask when you log in for the first time
Is it a behavior of box?
or Do we need to enable any configuration?
-
Hi Boney,
Not really, the behaviour should be similar and as you described.
Not sure how your web application is working or even what stack you are using.
Typically, once you authorize the application, you get an access token valid for 60 minutes and a refresh token valid for 60 days.
When your access token is expired you use the refresh token to get a new pair, which is the typical OAuth2 behaviour.
Here is a very simple sample app done in python that illustrates this mechanic.
Let us know if this helps
-
Hi Rui Barbosa,
Thank you for your attention.
Sorry, I don't mean token management related things.
Note: My application name is ABC
Application ABC authentication flow is like this (Assume Box application is already login from same browser)
Load ABC login page -> click on Login with Box button -> Redirect to Grant access to box page -> click on Allow box access button -> Box generates ID token -> Application ABC creates custom JWT tokens (access token and refresh token) for internal use -> Click on logout buttonThen we tried again to login ABC using the box then we should follow all the above steps but case is different while we using Google or Facebook.
No need to allow grant access next time while we use Google or Facebook.Example:
Load ABC login page -> click on Login with Google button -> Redirect to Grant access page -> click on Allow google access button -> Google generates ID token -> Application ABC creates custom JWT tokens (access token and refresh token) for internal use -> Click on logout button
Then again we tried to login with google
Load ABC login page -> click on Login with Google button -> Google generates ID token -> Application ABC creates custom JWT tokens (access token and refresh token) for internal use -> .....
I hope situation is clear now.
Do we need Grant access to box every time? -
Hi Boney,
I think I understand your question now.
Box is not an identity provider like Google or Facebook, so login using Box authentication is not possible.
Box OAuth exists to provide your app user a way to access their resources at box, but not to login at your application.
Since you mentioned that you integrated Google authentication I was assuming the following user case.
User opens login page in ABC app, and clicks login using google.
The first time this happens ABC app authenticates the user via Google and also registers the user in it's database.
From this point on the user can login to ABC app using Google as an identity provider.
Now the user needs to access box content using his box account security context.
User is logged in to ABC app -> goes to page to integrate with box -> grants ABC app access to his account -> ABC app stores access token and refresh token locally under the user registration -> ABC app uses access token to access box API and get user content.
The second time the user logs in:
User opens ABC login page, click login using google -> ABC authenticates against google and logins user locally -> ABC app uses access token stored previously to access user content in box (no more authorization)
In this GitHub repo is an example of a sample app that illustrates this flow: https://github.com/box-community/ui-elements-oauth
The difference to your app is that it is not using google as an identity provider, so signup a user first and then login.
Registering a new user
Authorizing Box
Granting access
User logged in for the first time
User second login:
No need to re authorize the app
Hope this helps
サインインしてコメントを残してください。
コメント
3件のコメント