Question

OAuth Authentication Behavior in Box



Hi,

I have a question regarding OAuth authentication in Box. Currently, we are using the Splunk Add-on for Box, and I am trying to configure the account using OAuth to collect file and folder metadata.

I have configured an account using OAuth in the add-on to collect file and folder metadata. I have created a Client ID and Client Secret from one Box account and added these credentials in the Splunk Add-on for authentication. During the authentication process, the add-on redirects me to Box to authorize the request.

However, I noticed that if I log in with a different Box account during authorization, the add-on still allows me to save the account without verifying whether the provided Client ID belongs to the logged-in Box account. As a result, the metadata retrieved for files and folders corresponds to the account used during authentication rather than the account from which the Client ID and Client Secret were generated.

I would like to confirm whether this behavior is expected. Shouldn't the authentication process validate that the Client ID belongs to the logged-in account?

For reference, the Splunk add-on for Box uses the following APIs for authentication and metadata retrieval:

Any insights or clarification on this behavior would be greatly appreciated!

Thanks!
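
Added example, not part of the original post or of the Splunk add-on: in the OAuth 2.0 authorization code flow the client ID and secret identify the application, while the issued token acts for whichever user logs in and consents, so a check like this one can confirm the authorizing account before it is saved. `verify_authorizing_account`, `expected_login` and the sample tokens are hypothetical names and constructed data; the only real call is Box's current-user endpoint.

```python
import json
import urllib.request

# Box "get current user" endpoint: returns the user the token acts for.
BOX_USERS_ME = "https://api.box.com/2.0/users/me"

def fetch_current_user(access_token):
    """Ask Box which user this access token was issued for."""
    req = urllib.request.Request(
        BOX_USERS_ME, headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def verify_authorizing_account(access_token, expected_login, fetch=fetch_current_user):
    """Hypothetical pre-save check: accept the token only if the user who
    authorized it is the account the integration is meant to read."""
    user = fetch(access_token)
    login = str(user.get("login") or "").strip().lower()
    if user.get("type") != "user" or not login or "id" not in user:
        raise ValueError("unexpected response from current-user endpoint")
    if login != expected_login.strip().lower():
        raise PermissionError(
            "token was authorized by %s, expected %s" % (login, expected_login))
    return {"id": user["id"], "login": login}

# Constructed sample data: two tokens obtained with the SAME client ID and
# secret, but authorized by two different Box users.
SAMPLE_USERS = {
    "token-owner": {"type": "user", "id": "1001", "login": "Owner@example.com"},
    "token-other": {"type": "user", "id": "2002", "login": "other@example.com"},
}

def sample_fetch(access_token):
    """Offline stand-in for fetch_current_user, backed by SAMPLE_USERS."""
    return SAMPLE_USERS[access_token]

if __name__ == "__main__":
    print(verify_authorizing_account("token-owner", "owner@example.com", sample_fetch))
    try:
        verify_authorizing_account("token-other", "owner@example.com", sample_fetch)
    except PermissionError as exc:
        print("rejected:", exc)
```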
