
I have a new Box account. I created a new Box app from the developer console to process files stored in Box using a Python script. But the app_user_auth.authenticate_user() step is failing with the error below:

```text
BoxOAuthException: Message: Please check the 'sub' claim. The 'sub' specified is invalid.
Status: 400
URL: https://api.box.com/oauth2/token
Method: POST
```

My Python code looks like this:

```python
from boxsdk import JWTAuth, Client
import json

with open('./settings_config.json', 'r') as file:
    config_json = json.load(file)

auth = JWTAuth.from_settings_dictionary(config_json)
service_account_client = Client(auth)
app_user = service_account_client.user(user_id='xxxx')

app_user_auth = JWTAuth(
    client_id=config_json['boxAppSettings']['clientID'],
    client_secret=config_json['boxAppSettings']['clientSecret'],
    user=app_user,
    jwt_key_id=config_json['boxAppSettings']['appAuth']['publicKeyID'],
    rsa_private_key_data=config_json['boxAppSettings']['appAuth']['privateKey'],
    rsa_private_key_passphrase=config_json['boxAppSettings']['appAuth']['passphrase'],
    enterprise_id=config_json["enterpriseID"]
)
app_user_auth.authenticate_user()
app_user_client = Client(app_user_auth)
```

and my settings_config JSON file looks like this:

```json
{
  "boxAppSettings": {
    "clientID": "xxxxxxxxx",
    "clientSecret": "xxxxxxxxx",
    "appAuth": {
      "publicKeyID": "xxxxxxx",
      "privateKey": "-----BEGIN ENCRYPTED PRIVATE KEY----- xxxxxxxxx",
      "passphrase": "xxxxxx"
    }
  },
  "enterpriseID": "xxxxx"
}
```

Please help me with a resolution. I have a valid enterprise ID here as I am using my employer’s account.

Hello 👋,



You might double check via the information on this page. I think you are missing the box_sub_type variable.



Thanks,


Alex, Box Developer Advocate 🥑
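For readers who want to see what the `sub` and `box_sub_type` claims mentioned above actually look like, here is an added example (mine, not code from this thread, from Box, or from the boxsdk package). It assembles the claim set that Box's "JWT without SDKs" flow expects in the signed assertion and runs the consistency checks that the "Please check the 'sub' claim" error usually trips over: a non-numeric or zero `sub`, a missing or wrong `box_sub_type`, the wrong audience, or an `exp` outside Box's 60-second window. Signing the assertion (RS512 with the app's private key) and the token request itself are left out so the code runs offline; the client ID and IDs used in the demo are constructed placeholders.

```python
"""Added example: build and sanity-check the claims of a Box JWT assertion.

Assumed from Box's JWT documentation: iss = client ID, sub = enterprise ID or
user ID, box_sub_type = "enterprise" or "user", aud = token endpoint,
jti = unique nonce (16-128 chars), exp = unix time no more than 60 s ahead.
"""
import secrets
import time
from typing import Dict, List, Optional

BOX_TOKEN_URL = "https://api.box.com/oauth2/token"
MAX_LIFETIME_S = 60                      # Box rejects exp more than 60 s out
VALID_SUB_TYPES = ("enterprise", "user")


def build_claims(client_id: str, subject: str, sub_type: str,
                 now: Optional[int] = None) -> Dict[str, object]:
    """Claim set for ONE subject: either the enterprise (service account
    token) or a user, never both. Mixing the two is the mistake in this thread."""
    if sub_type not in VALID_SUB_TYPES:
        raise ValueError(f"box_sub_type must be one of {VALID_SUB_TYPES}, got {sub_type!r}")
    now = int(time.time()) if now is None else now
    return {
        "iss": client_id,
        "sub": str(subject),
        "box_sub_type": sub_type,
        "aud": BOX_TOKEN_URL,
        "jti": secrets.token_hex(32),    # 64 hex chars: unique per assertion
        "exp": now + 45,                 # comfortably inside the 60 s window
    }


def check_claims(claims: Dict[str, object], client_id: str,
                 now: Optional[int] = None) -> List[str]:
    """Return the problems found in a claim set; an empty list means consistent."""
    now = int(time.time()) if now is None else now
    problems: List[str] = []
    sub = str(claims.get("sub", ""))
    if claims.get("iss") != client_id:
        problems.append("iss does not match the app's client ID")
    if claims.get("box_sub_type") not in VALID_SUB_TYPES:
        problems.append("box_sub_type missing or not 'enterprise'/'user'")
    if not sub.isdigit():
        problems.append("sub is not a numeric Box ID")
    elif int(sub) == 0:
        # A free account reports enterprise ID 0: there is no enterprise to
        # act as, so neither an enterprise nor a user grant can succeed.
        problems.append("sub is 0: the account has no enterprise")
    if claims.get("aud") != BOX_TOKEN_URL:
        problems.append("aud must be the Box token endpoint")
    jti = claims.get("jti")
    if not isinstance(jti, str) or not 16 <= len(jti) <= 128:
        problems.append("jti missing or not 16-128 characters")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("exp missing or already in the past")
    elif exp - now > MAX_LIFETIME_S:
        problems.append(f"exp is more than {MAX_LIFETIME_S} s ahead")
    return problems


if __name__ == "__main__":
    # Constructed placeholder IDs; real values come from the app's config file.
    good = build_claims("CLIENT_ID_PLACEHOLDER", "123456789", "enterprise")
    print("enterprise claims:", check_claims(good, "CLIENT_ID_PLACEHOLDER") or "ok")
    free_account = build_claims("CLIENT_ID_PLACEHOLDER", "0", "user")
    print("enterprise ID 0:", check_claims(free_account, "CLIENT_ID_PLACEHOLDER"))
```

The point of separating `build_claims` from `check_claims` is that the SDK only ever sends one subject per token request: if you want a service-account client, `sub` is the enterprise ID with `box_sub_type` "enterprise"; if you want to act as a user, `sub` is that user's ID with `box_sub_type` "user". The SDK's `authenticate_user()` and `authenticate_instance()` are the two sides of that choice.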


Sorry, I wasn't able to follow that. Is there a reason why you suggested that I look at “JWT without SDKs”? I had been trying to authenticate using “JWT with SDKs” all this while. Do you have any sample Python script on how to read the folders in Box if I use “JWT without SDKs” for authentication?


My apologies, you are right! Normally when I see the sub error it's due to some issue when coding without using the SDKs.



do you mind sharing the client id with me?


No problem. The ID is eier6omdhmug8wz0in9i3i4ziza8ye8k


I will test out your code locally and see if I get anything different. I’ll report my results after I finish.




I have the same problem statement. My request fails with:

```text
{'error': 'invalid_grant',
 'error_description': "Please check the 'sub' claim. The 'sub' specified is invalid."}
```

My enterprise ID is zero.


Hi rajeev2186,



In order to use applications with authentication types other than OAuth 2.0, you’d need to have a paid enterprise account. Free accounts do not have access to other authentication methods. We are working on launching our new free developer accounts in the near future.



Thanks,


Alex


Hi @Joy



From a python and Box SDK perspective, your code works flawlessly, so it must be permission, @smartoneinok is following up with you.



I just wanted to give you a tip relative to the construction of the JWTAuth.

You do not need to build it manually just to use a user.

If you need to authenticate a user from a JWTAuth object, you can re-use the settings and just call .authenticate_user(xyz), passing either a user_id or a User object.



Consider this sample:

```python
"""Demo on using user identification on a JWT application"""

from typing import Union
from boxsdk import JWTAuth, Client
from boxsdk.object.user import User

USER_ID = "18622116055"
APP_USER_ID = "29599235430"


def get_client_user(user: Union[str, User]) -> Client:
    """Get a client authenticated as the given user (user ID or User object)"""
    auth = JWTAuth.from_settings_file(".config.json")
    auth.authenticate_user(user)
    return Client(auth)


def get_client_enterprise() -> Client:
    """Get a client authenticated as the enterprise service account"""
    auth = JWTAuth.from_settings_file(".config.json")
    # auth.authenticate_instance()  # by default it authenticates the enterprise
    return Client(auth)


def main():
    client_enterprise = get_client_enterprise()
    me = client_enterprise.user(user_id="me").get()
    print(f"Service Account: {me.id} {me.name} {me.login}")

    client_user = get_client_user(USER_ID)
    me = client_user.user(user_id="me").get()
    print(f"User Account: {me.id} {me.name} {me.login}")

    app_user = client_enterprise.user(user_id=APP_USER_ID).get()
    client_user_app = get_client_user(app_user)
    me = client_user_app.user(user_id="me").get()
    print(f"App User Account: {me.id} {me.name} {me.login}")


if __name__ == "__main__":
    main()
```

Results in:

```text
Service Account: 20344589936 UI-Elements-Sample AutomationUser_1841316_RbcnIM9B2l@boxdevedition.com
User Account: 18622116055 Rui Barbosa barduinor@gmail.com
App User Account: 29599235430 Test APP User AppUser_1841316_afcI7DCbFn@boxdevedition.com
```


Cheers


Thank you for all the replies. The fix was simple. I shouldn't be using both the service account and an app user to authenticate. The sample available in Git might have misled me.

```python
from boxsdk import JWTAuth, Client

auth = JWTAuth.from_settings_file('./settings_config.json')
service_account_client = Client(auth)
```

The above code helped me connect to Box and see the folders and files as an enterprise user. The below code was NOT necessary.

```python
# config_json is the settings_config.json contents loaded with json.load() (see my first post)
app_user = service_account_client.user(user_id='xxxx')

app_user_auth = JWTAuth(
    client_id=config_json['boxAppSettings']['clientID'],
    client_secret=config_json['boxAppSettings']['clientSecret'],
    user=app_user,
    jwt_key_id=config_json['boxAppSettings']['appAuth']['publicKeyID'],
    rsa_private_key_data=config_json['boxAppSettings']['appAuth']['privateKey'],
    rsa_private_key_passphrase=config_json['boxAppSettings']['appAuth']['passphrase'],
    enterprise_id=config_json["enterpriseID"]
)
app_user_auth.authenticate_user()
app_user_client = Client(app_user_auth)
```

Thanks for reporting back! I thought we tried that on the phone yesterday? Did you change something else after?




Yes, we tried that yesterday but for some reason it didn't work. I created a new Python environment and reinstalled the boxsdk library; after that, service account client authentication worked just fine (but not a mix of both authentications).

