Open app integration via box returns 403

Can you give us a bit more context on this?

index.php? are you trying to interact directly with the Box app?

What are you trying to achieve here?

Cheers

The app is an integration, so we can open files from Box UI into our webapp like this right click on file → integrations → [App name].

This opens a new tab with a url looking like this:

https://app.box.com/services/[...]?node_type=file

That webpage has an iframe that has a src that includes index.php, looking like this:

https://app.box.com/index.php?rm=box_openbox_post_form&url=[AUTH_ENDPOINT?auth_code=...&file_id=..&user_id=...]&service_action_id=[...]&rm=box_openbox_post_form

But the above url returns 403 and never calls the auth endpoint specified in its query parameter. I’ve tested the auth endpoint by manually calling it and it returns a redirect to the webapp and can authenticate against Box.

Sorry i’m not very familiar with this, i haven’t developed the app i just know it worked before. Let me know if you need any further information.

Thanks!

@user101 , don’t be sorry at all.

I’m also unfamiliar with this. Let me see if I can find someone to help.

@user101

So my folks are telling me the following:

• The redirect is expected if that is an OAuth APP


• Can you make sure that the way you are obtaining the token is the exact same way (meaning the exact same security context) that the one obtained via the Iframe? The token generated by your app may not have the same permissions/shares relative to the token you obtained manually.


• They also mentioned that there is a app diagnostic tool, so you can pull up the 403 error and send the request id to support to dig into the backend.

Let us know if this helps.

@rbarbosa thank you for looking into it!

• 
  

  Ok 👍 it seems like our Client Callback URL redirect to our app and passing along the auth code and then the app handles the authentication from the client. So what I said above that the iframe calls the auth point and then redirect wasn’t completely correct. So the problem is parhaps not related to authentication, but rather that the redirect from the client callback url is not passed back from the backend to the client?

  
  


• 
  

  Yes, i do use the same token. When doing it manually I copy the url query parameter in the iframe src and run this curl command: curl -v -X POST $url-from-iframe-src and that returns a 301 with a redirect to our app that I open in the browser, which then successfully authenticates against box. Obs the $url-from-iframe-src needs to be url decoded before running the command.

  
  


• 
  

  Is that the “App Diagnostics” tool in the dev console? I tried running that with different timespans but i could not get it to work, it displays this error message:

  
  

Cheers!

Hi @user101

Gustaf, with my limited knowledge in this area, at this point I’m going to ask you to open a support case.

They will be able to trace the 403 error from the request and identify it’s source.

Sorry I can’t be of further assistance.

Cheers

Hey @rbarbosa Ok, sounds like a good way forward. Thanks and cheers!

Hi @user101

Gustaf, my folks are telling me the issue has been resolved.

I wasn’t able to follow up all the interactions, but if you think the end result can help others, and you’re comfortable sharing the info, feel free to add a summary here.

Cheers

Thank you Gustaf, I’ll mark your post as solution.

Cheers