Please check the 'sub' claim. The 'sub' specified is invalid Error

Hello 👋,

You might double check via the information on this page. I think you are missing the box_sub_type variable.

Thanks,

Alex, Box Developer Advocate 🥑

Sorry, I wasnt able to follow that. Is there a reason why you suggested me to look at “JWT without SDKs”? I had been trying to authenticate using “JWT with SDKs” all this while. Do you have any sample python script on how to read the folders in Box if I use “JWT without SDKs” for authentication?

my apologies. you are right! Normally when I see the sub error its due to some issue when coding without using the sdks.

do you mind sharing the client id with me?

No problem. The ID is eier6omdhmug8wz0in9i3i4ziza8ye8k

I will test out your code locally and see if I get anything different. I’ll report my results after I finish.

I have same problem statement. My request fails with {‘error’: ‘invalid_grant’,

‘error_description’: "Please check the ‘sub’ claim. The ‘sub’ specified is "

‘invalid.’} My enterprise ID is zero.

Hi rajeev2186,

In order to use applications with authentication types other than OAuth 2.0, you’d need to have a paid enterprise account. Free accounts do not have access to other authentication methods. We are working on launching our new free devleoper accounts in the near future.

Thanks,

Alex

Hi @Joy

From a python and Box SDK perspective, your code works flawlessly, so it must be permission, @smartoneinok is following up with you.

I just wanted to give you a tip relative to the construction of the JWTAuth.

You do not need to build it manually just to use an user.

If you need to authenticate a user from a JWTAuth object, you can re-use the settings, and just call the .authenticate_user(xyx) passing either a user_id or a User object.

Consider this sample:

""" Demo on using user identification on a JWT application"""



from typing import Union

from boxsdk import JWTAuth, Client

from boxsdk.object.user import User



USER_ID = "18622116055"

APP_USER_ID = "29599235430"



def get_client_user(user: [Union[str, "User"]]) -> Client:

    """Get client user"""

    auth = JWTAuth.from_settings_file(".config.json")

    auth.authenticate_user(user)

    return Client(auth)





def get_client_enterprise() -> Client:

    """Get client enterprise"""

    auth = JWTAuth.from_settings_file(".config.json")

    # auth.authenticate_instance() # by default it authenticates the enterprise

    return Client(auth)





def main():

    client_enterprise = get_client_enterprise()

    me = client_enterprise.user(user_id="me").get()

    print(f"Service Account: {me.id} {me.name} {me.login}")



    client_user = get_client_user(USER_ID)

    me = client_user.user(user_id="me").get()

    print(f"User Account: {me.id} {me.name} {me.login}")



    app_user = client_enterprise.user(user_id=APP_USER_ID).get()

    client_user_app = get_client_user(app_user)

    me = client_user_app.user(user_id="me").get()

    print(f"App User Account: {me.id} {me.name} {me.login}")





if __name__ == "__main__":

    main()

Results in:

Service Account: 20344589936 UI-Elements-Sample AutomationUser_1841316_RbcnIM9B2l@boxdevedition.com

User Account: 18622116055 Rui Barbosa barduinor@gmail.com

App User Account: 29599235430 Test APP User AppUser_1841316_afcI7DCbFn@boxdevedition.com

Cheers

Thank you for all the replies. The fix was simple. I shouldnt be using both Service account and app user to authenticate. The sample available in Git might have misled me.

from boxsdk import JWTAuth, Client



auth = JWTAuth.from_settings_file('./settings_config.json')

service_account_client = Client(auth)

The above code helped me connect to Box and see the folders and files as an enterprise user. The below code was NOT necessary.

app_user = service_account_client.user(user_id='xxxx')



app_user_auth = JWTAuth(

    client_id=config_json['boxAppSettings']['clientID'],

    client_secret=config_json['boxAppSettings']['clientSecret'],

    user=app_user,

    jwt_key_id=config_json['boxAppSettings']['appAuth']['publicKeyID'],

    rsa_private_key_data= config_json['boxAppSettings']['appAuth']['privateKey'],

    rsa_private_key_passphrase=config_json['boxAppSettings']['appAuth']['passphrase'],

    enterprise_id=config_json["enterpriseID"]

)

app_user_auth.authenticate_user()

app_user_client = Client(app_user_auth)

Thanks for reporting back! I thought we tried that on the phone yesterday? Did you change something else after?

Yes, We tried that yesterday but for some reason it didnt work. I created a new python environment and reinstalled the boxsdk library, after that service account client authentication worked just fine (but not mix of both authentications).