Skip to main content
Question

Javascript Box JWT authentication problem

  • May 22, 2025
  • 3 replies
  • 38 views
C
Forum|alt.badge.img

Hi, dear friends.

I am makeing some javascript code which is able to access to box with JWT authentication.

 

My script is like bellow:

====================================================================================

var pHeader = {
'alg':'RS256',
'typ':'JWT',
'kid':'wcd514pc'
};
var sHeader = JSON.stringify(pHeader);

 

var pPayload = {
'iss':'rewgy69ghdgzvgesjj78ffdaeewubui',            //client_id
'sub':'13584135',                                                   //enterprise id
'box_sub_type':'enterprise',                                  //set to "enterprise" because sub is enterprise id
'aud':'https://api.box.com/oauth2/token',              //
'jti':'B5ujJ7T12VyQd1bPkf99',                              //set by client secret, because in where I can get this param, ?...
'exp':***number removed for privacy***5                                                   
};
var sPayload = JSON.stringify(pPayload);

var sPrvKey = "-----BEGIN ENCRYPTED PRIVATE KEY-----\n

Hmzy4oNF\nUyKjjruW0CAl...........................................\n

.......................................................................................\n

6uk=\n

-----END ENCRYPTED PRIVATE KEY-----\n";

 

var sJWS = KJUR.jws.JWS.sign(null, sHeader, sPayload, sPrvKey, '6945f416c14c7a1b004aee47195a5e48');
var xhttp = new XMLHttpRequest();

xhttp.open("POST", encodeURIComponent("https://api.box.com/oauth2/token"), true);
xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xhttp.setRequestHeader("charset", "utr-8");
var params = "grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion="+sJWS+"&client_id=rewgy69ghdgzvgesjj78ffdaeewubui&client_secret=B5ujJ7T12VyQd1bPkf99";
xhttp.send(encodeURIComponent(params));

====================================================================================

That result that is taken from server is like bellow:

====================================================================================

{
"error": "invalid_request",
"error_description": "Invalid grant_type parameter or parameter missing"
}

====================================================================================

 

Please someone teach me about what was I writing wrong script and why did I get invaild param message from box server.

Thanks.

 

 

 

    3 replies

    C
    Forum|alt.badge.img

    Hi ,

     

    Try outputting your JWT and using JWT.io to see if it is formatted correctly. There is an example JWT that you can use to compare with at:

    https://developer.box.com/v2.0/docs/construct-jwt-claim-manually#section-4-constructing-the-jwt-assertion

     

    You should also check to make sure your API call (headers/parameters etc) overall is formatted correctly too. A good way to test is to first make sure your JWT is valid using the debugger tool at JWT.io, and then use a tool like Postman to send the final POST request to Box. That way, in case there is any formatting error in your code, you can see the difference between what Postman outputs and what your code sends to Box. You could even use something like Requestb.in to inspect your requests.

     

    Thanks,

    Jason

    C
    Forum|alt.badge.img

     I wanted to add some information to the response from  — we do not recommend doing authorization calls like this on the client side (e.g. in the user's browser).  Exposing your application's credentials in JS code that is sent to the user is very risky and could allow a malicious user or other attacker to take over your application and make API calls on behalf of your users.

    C
    Forum|alt.badge.img

    Unfortunately, the Debugger at JWT.io does not allow one to use RS256 (or any of the other types supported by Box).  Doing that produces an "Invalid signature" error and it does not produce the final encoded results.  That may be verified simply by changing the HS256 in the default example header they provide to RS256.  

     

    Box really should provide an online authentication tester for this purpose that conforms to Box's requirements.  Otherwise there is no way to test JWT authentication other than trial and error.

     

    Dave Schuler

    Chicago, Illinois

    Terms of ServiceAccessibility statement