Skip to main content

OAuth fails with 2-step authentication

OAuth fails with 2-step authentication
T
  • tobias
  • New Participant
  • 3 replies

Hello,

2-step authentication causes the OAuth 2 flow to fail. There’s also a 404 error. This problem is completely new and was reported to me yesterday.

image

Did this topic help you find an answer to your question?

6 replies

T
  • tobias
  • Author
  • New Participant
  • 3 replies
  • August 9, 2023

The problem is that there is a URL using box.net rather than box.com. I can work around it by changing it in the browser’s address bar, then opening that page. I will get two SMS messages, but the second one works.

rbarbosa Box
  • rbarbosa Box
  • Developer Advocate
  • 553 replies
  • August 9, 2023

Hi Tobias, welcome to the community!


Thanks for reporting this.


Can you elaborate a bit more and describe the steps to get to that error?


I can’t recognize where the error is coming from.


Cheers

T
  • tobias
  • Author
  • New Participant
  • 3 replies
  • August 9, 2023

Hello,

when a desktop application starts the OAuth process by opening the initial OAuth URL in the web browser, the URL is similar to this:

https://api.box.com/oauth2/authorize?state=5412xxxxxxxx---etc---


On an account with 2-step auth, the user gets redirected to an URL similar to the following, after entering the user name and password:

https://app.box.net/api/oauth2/authorize?state=541288xxxxxxxx---etc---


Ouch! That should be box dot com, not box dot net.


Ultimately, after entering the Oauth code from the SMS, the process cannot get any further because of the wrong domain.

rbarbosa Box
  • rbarbosa Box
  • Developer Advocate
  • 553 replies
  • August 9, 2023

Hi @tobias


When you say a desktop application, what do you mean, which application?


I’ve tried to replicate this…


Login screen:

image


2FA Screen:

image


Grant access screen:

image


Callback screen (my app):

image


The URL’s of the different screens do not match yours, so can you add some more details how you got here?


Cheers

T
  • tobias
  • Author
  • New Participant
  • 3 replies
  • August 9, 2023

Hello,

my application uses the older URL api.box.com/oauth2/authorize rather than account.box.com/api/oauth2/authorize. If you use this older URL, you will see the error.


This worked fine until a few days ago.


Of course I’ll update the app, but either this URL is allowed or not, it should not fail like that. And if you no longer use box dot net, then you should look through all source codes and scripts and update all occurrences. There’s definitely some code that leads the user to box dot net somewhere on your servers.

rbarbosa Box
  • rbarbosa Box
  • Developer Advocate
  • 553 replies
  • August 9, 2023

Makes sense for sure, @tobias


I’ve check the documentation that I found to be related to this, and I can’t find a reference to that end point. I’m assuming its something older that got update din the mean time, or it might be used by our web app and not intended to be used by external apps.


I’ll ping the internal teams to see if they can find something.


Anyway thanks for spotting this, we appreciate it!

Reply


Most helpful members this week

Terms & ConditionsCookie settings

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings