
Please check the 'sub' claim. The 'sub' specified is invalid Error


  • New Participant
  • 4 replies

I have a new Box account. I created a new Box app from the developer console to process files stored in Box using a Python script. But the app_user_auth.authenticate_user() step is failing with the error below:

```text
BoxOAuthException: Message: Please check the 'sub' claim. The 'sub' specified is invalid.
Status: 400
URL: https://api.box.com/oauth2/token
Method: POST
```


My Python code looks like this:

```python
from boxsdk import JWTAuth, Client
import json

with open('./settings_config.json', 'r') as file:
    config_json = json.load(file)

auth = JWTAuth.from_settings_dictionary(config_json)
service_account_client = Client(auth)
app_user = service_account_client.user(user_id='xxxx')

app_user_auth = JWTAuth(
    client_id=config_json['boxAppSettings']['clientID'],
    client_secret=config_json['boxAppSettings']['clientSecret'],
    user=app_user,
    jwt_key_id=config_json['boxAppSettings']['appAuth']['publicKeyID'],
    rsa_private_key_data=config_json['boxAppSettings']['appAuth']['privateKey'],
    rsa_private_key_passphrase=config_json['boxAppSettings']['appAuth']['passphrase'],
    enterprise_id=config_json["enterpriseID"]
)
app_user_auth.authenticate_user()
app_user_client = Client(app_user_auth)
```


and my settings_config.json file looks like this:

```json
{
  "boxAppSettings": {
    "clientID": "xxxxxxxxx",
    "clientSecret": "xxxxxxxxx",
    "appAuth": {
      "publicKeyID": "xxxxxxx",
      "privateKey": "-----BEGIN ENCRYPTED PRIVATE KEY----- xxxxxxxxx",
      "passphrase": "xxxxxx"
    }
  },
  "enterpriseID": "xxxxx"
}
```


Please help me with a resolution. I have a valid enterprise ID here as I am using my employer’s account.

11 replies

smartoneinok Box
  • Senior Developer Advocate
  • 181 replies
  • October 24, 2023

Hello 👋,


You might double check via the information on this page. I think you are missing the box_sub_type variable.


Thanks,

Alex, Box Developer Advocate 🥑


  • Author
  • New Participant
  • 4 replies
  • October 24, 2023

Sorry, I wasn't able to follow that. Is there a reason why you suggested that I look at "JWT without SDKs"? I had been trying to authenticate using "JWT with SDKs" all this while. Do you have any sample Python script on how to read the folders in Box if I use "JWT without SDKs" for authentication?


smartoneinok Box
  • Senior Developer Advocate
  • 181 replies
  • October 24, 2023

My apologies, you are right! Normally when I see the sub error it's due to some issue when coding without using the SDKs.


Do you mind sharing the client ID with me?


  • Author
  • New Participant
  • 4 replies
  • October 24, 2023

No problem. The ID is eier6omdhmug8wz0in9i3i4ziza8ye8k


smartoneinok Box
  • Senior Developer Advocate
  • 181 replies
  • October 24, 2023

I will test out your code locally and see if I get anything different. I’ll report my results after I finish.


  • New Participant
  • 3 replies
  • October 25, 2023

I have the same problem statement. My request fails with

```text
{'error': 'invalid_grant',
 'error_description': "Please check the 'sub' claim. The 'sub' specified is invalid."}
```

My enterprise ID is zero.


smartoneinok Box
  • Senior Developer Advocate
  • 181 replies
  • October 25, 2023

Hi rajeev2186,


In order to use applications with authentication types other than OAuth 2.0, you'd need to have a paid enterprise account. Free accounts do not have access to other authentication methods. We are working on launching our new free developer accounts in the near future.


Thanks,

Alex


rbarbosa Box
  • Developer Advocate
  • 553 replies
  • October 25, 2023

Hi @Joy


From a Python and Box SDK perspective, your code works flawlessly, so it must be permissions; @smartoneinok is following up with you.


I just wanted to give you a tip relative to the construction of the JWTAuth.

You do not need to build it manually just to use a user.


If you need to authenticate a user from a JWTAuth object, you can reuse the settings and just call .authenticate_user(xyx), passing either a user_id or a User object.


Consider this sample:


```python
"""Demo on using user identification on a JWT application"""

from typing import Union

from boxsdk import JWTAuth, Client
from boxsdk.object.user import User

USER_ID = "18622116055"
APP_USER_ID = "29599235430"


def get_client_user(user: Union[str, User]) -> Client:
    """Get a client authenticated as the given user (ID or User object)"""
    auth = JWTAuth.from_settings_file(".config.json")
    auth.authenticate_user(user)
    return Client(auth)


def get_client_enterprise() -> Client:
    """Get a client authenticated as the enterprise service account"""
    auth = JWTAuth.from_settings_file(".config.json")
    # auth.authenticate_instance()  # by default it authenticates the enterprise
    return Client(auth)


def main():
    client_enterprise = get_client_enterprise()
    me = client_enterprise.user(user_id="me").get()
    print(f"Service Account: {me.id} {me.name} {me.login}")

    client_user = get_client_user(USER_ID)
    me = client_user.user(user_id="me").get()
    print(f"User Account: {me.id} {me.name} {me.login}")

    app_user = client_enterprise.user(user_id=APP_USER_ID).get()
    client_user_app = get_client_user(app_user)
    me = client_user_app.user(user_id="me").get()
    print(f"App User Account: {me.id} {me.name} {me.login}")


if __name__ == "__main__":
    main()
```

Results in:

```text
Service Account: 20344589936 UI-Elements-Sample AutomationUser_1841316_RbcnIM9B2l@boxdevedition.com
User Account: 18622116055 Rui Barbosa barduinor@gmail.com
App User Account: 29599235430 Test APP User AppUser_1841316_afcI7DCbFn@boxdevedition.com
```


Cheers
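The replies above turn on the `sub` and `box_sub_type` claims of the JWT assertion the SDK signs and POSTs to the token endpoint. As an added example (not code from this thread or from the Box SDK), the stdlib-only script below builds that claim set, checks it for the mistakes that produce the "'sub' specified is invalid" error (a placeholder such as `'xxxx'` instead of a numeric user or enterprise ID, a wrong `box_sub_type`, a stale `exp`), and decodes an existing assertion's payload for inspection; the rules follow Box's documented claim requirements, and signing is left out, so `encode_unsigned_assertion` only produces a constructed test vector.

```python
"""Build and inspect the claim set of a Box JWT assertion (added example)."""
import base64
import json
import time
import uuid

BOX_TOKEN_URL = "https://api.box.com/oauth2/token"
VALID_SUB_TYPES = ("user", "enterprise")


def build_claims(client_id, sub, sub_type, ttl=45):
    """Claim set the SDK signs: iss is the client ID, sub the user or enterprise ID."""
    return {
        "iss": client_id,
        "sub": sub,                     # the numeric ID, never a placeholder like 'xxxx'
        "box_sub_type": sub_type,       # "user" or "enterprise"
        "aud": BOX_TOKEN_URL,
        "jti": uuid.uuid4().hex,        # unique per assertion, 16-128 characters
        "exp": int(time.time()) + ttl,  # Box accepts at most 60 s in the future
    }


def check_claims(claims, now=None):
    """Return the problems Box would reject the assertion for (empty list if clean)."""
    now = int(time.time()) if now is None else now
    problems = []
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub.isdigit():
        problems.append("sub must be the numeric Box user or enterprise ID as a string")
    if claims.get("box_sub_type") not in VALID_SUB_TYPES:
        problems.append("box_sub_type must be 'user' or 'enterprise'")
    if claims.get("aud") != BOX_TOKEN_URL:
        problems.append("aud must be the Box token endpoint")
    if not 16 <= len(claims.get("jti", "")) <= 128:
        problems.append("jti must be a unique string of 16-128 characters")
    if not now < claims.get("exp", 0) <= now + 60:
        problems.append("exp must be in the future and at most 60 s out")
    return problems


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def encode_unsigned_assertion(claims):
    """Constructed test vector only: real assertions carry an RS256/RS512 signature."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_assertion_claims(assertion):
    """Read the payload of an assertion WITHOUT verifying it; for inspection only."""
    payload = assertion.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
```

To debug a real failure, capture the assertion your SDK sends and pass it to `decode_assertion_claims`, then run `check_claims` on the result.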


  • Author
  • New Participant
  • 4 replies
  • October 27, 2023

Thank you for all the replies. The fix was simple. I shouldn't be using both the service account and the app user to authenticate. The sample available in Git might have misled me.

```python
from boxsdk import JWTAuth, Client

auth = JWTAuth.from_settings_file('./settings_config.json')
service_account_client = Client(auth)
```


The above code helped me connect to Box and see the folders and files as an enterprise user. The below code was NOT necessary.


```python
app_user = service_account_client.user(user_id='xxxx')

app_user_auth = JWTAuth(
    client_id=config_json['boxAppSettings']['clientID'],
    client_secret=config_json['boxAppSettings']['clientSecret'],
    user=app_user,
    jwt_key_id=config_json['boxAppSettings']['appAuth']['publicKeyID'],
    rsa_private_key_data=config_json['boxAppSettings']['appAuth']['privateKey'],
    rsa_private_key_passphrase=config_json['boxAppSettings']['appAuth']['passphrase'],
    enterprise_id=config_json["enterpriseID"]
)
app_user_auth.authenticate_user()
app_user_client = Client(app_user_auth)
```


smartoneinok Box
  • Senior Developer Advocate
  • 181 replies
  • October 27, 2023

Thanks for reporting back! I thought we tried that on the phone yesterday? Did you change something else after?


  • Author
  • New Participant
  • 4 replies
  • October 27, 2023

Yes, we tried that yesterday, but for some reason it didn't work. I created a new Python environment and reinstalled the boxsdk library; after that, service account client authentication worked just fine (but not a mix of both authentications).

