Hi,
I have a question regarding OAuth authentication in Box. Currently, we are using the Splunk Add-on for Box, and I am trying to configure the account using OAuth to collect file and folder metadata.
I have configured an account using OAuth in the add-on to collect file and folder metadata. I have created a Client ID and Client Secret from one Box account and added these credentials in the Splunk Add-on for authentication. During the authentication process, the add-on redirects me to Box to authorize the request.
However, I noticed that if I log in with a different Box account during authorization, the add-on still allows me to save the account without verifying whether the provided Client ID belongs to the logged-in Box account. As a result, the metadata retrieved for files and folders corresponds to the account used during authentication rather than the account from which the Client ID and Client Secret were generated.
I would like to confirm whether this behavior is expected. Shouldn't the authentication process validate that the Client ID belongs to the logged-in account?
For reference, the Splunk add-on for Box uses the following APIs for authentication and metadata retrieval:
- OAuth2 Token API
- Get Folder Metadata API
(FYI, the Splunk add-on for Box uses the Box SDKs to make these API calls.)
Any insights or clarification on this behavior would be greatly appreciated!
Thanks!
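Added example (not from the original post, and not Box's server, the Box SDK or the Splunk add-on): a constructed simulation of the OAuth 2.0 authorization-code grant that shows why the client ID and secret identify the application while the access token is bound to whoever was logged in at the authorization step, plus a post-exchange "who am I" check that refuses to keep a token for an unexpected account. All names, users and the `AuthServer`/`connect` helpers are hypothetical.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class AuthServer:
    """Toy authorization server (constructed, not Box)."""
    clients: dict = field(default_factory=dict)  # client_id -> (secret, owner)
    codes: dict = field(default_factory=dict)    # code -> (client_id, user)
    tokens: dict = field(default_factory=dict)   # token -> user

    def register_client(self, owner: str) -> tuple[str, str]:
        """Developer-console step: the account that creates the app is only the owner."""
        client_id, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.clients[client_id] = (secret, owner)
        return client_id, secret

    def authorize(self, client_id: str, logged_in_user: str) -> str:
        """Browser redirect: the code is bound to whoever is logged in, not the owner."""
        if client_id not in self.clients:
            raise ValueError("unknown client_id")
        code = secrets.token_hex(8)
        self.codes[code] = (client_id, logged_in_user)
        return code

    def exchange(self, client_id: str, client_secret: str, code: str) -> str:
        """Token endpoint: authenticates the app, then issues a token for the user."""
        secret, _owner = self.clients.get(client_id, (None, None))
        if secret is None or not secrets.compare_digest(secret, client_secret):
            raise PermissionError("bad client credentials")
        bound_client, user = self.codes.pop(code)
        if bound_client != client_id:
            raise PermissionError("code was issued to another client")
        token = secrets.token_hex(16)
        self.tokens[token] = user
        return token

    def current_user(self, token: str) -> str:
        """Stand-in for a 'current user' API call made with the access token."""
        return self.tokens[token]

def connect(server, client_id, client_secret, logged_in_user, expected_user=None):
    """Run the whole flow and return (token, user). If expected_user is given,
    refuse to save a token that belongs to a different account."""
    code = server.authorize(client_id, logged_in_user)
    token = server.exchange(client_id, client_secret, code)
    user = server.current_user(token)
    if expected_user is not None and user != expected_user:
        raise PermissionError(f"token belongs to {user}, expected {expected_user}")
    return token, user
```

An integration that wants the behaviour the question asks about has to add the `expected_user` comparison itself; the grant alone never ties the token to the client's owner.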