Question

On Mobile (PWA) app, Unable to login via Box's OAuth2 when account has 2FA enabled

  • May 22, 2025

Preconditions

  • Box account has 2FA enabled
  • User is on a mobile device

Problem:

We have a PWA with Box's OAuth2 login integration. It works OK on desktop browsers, but it doesn't work on mobile devices.

  1. To log in via Box, it opens GET https://www.box.com/api/oauth2/authorize?response_type=code&client_id=XYZ
  2. User types in email and password
  3. User is now asked to enter the OTP received on the phone.
  4. User now lands on a 404 page.

Problem:

On step 1, it sets "site_preference=mobile" cookie.

On step 2, after entering credentials, it sends POST https://app.box.com/api/oauth2/authorize?response_type=code&client_id=XYZ, whose response includes the header

set-cookie: box_redirect_url=https%3A%2F%2Fm.box.com%2Fapi%2Foauth2%2Fauthorize%3Fresponse_type%3Dcode%26client_id%XYZ

Notice the domain is "m.box.com" instead of the expected "app.box.com", probably.

On step 4, the URL is https://m.box.com/api/oauth2/authorize?response_type=code&client_id=XYZ, which returns a 404.

If I just change the step 4 URL to https://app.box.com/api/oauth2/authorize?response_type=code&client_id=XYZ, it asks me to grant access, and upon granting access I am logged in to our application.

Note:

The same flow works OK if accessed from a desktop browser or if the user doesn't have 2FA enabled.
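The post above is diagnosed by reading a `box_redirect_url` cookie out of the authorize response, URL-decoding it, and noticing that its host is not the one the flow started on. The following Python script is an added example (not code from the poster, from Box, or from any Box SDK) that automates exactly that check on captured response headers: it extracts the cookie, decodes the URL, verifies the scheme and host against an allowlist, confirms the original `response_type` and `client_id` query parameters survived the round trip, and can produce the host-corrected URL the poster built by hand. The header samples, the allowed-host set and the function names are constructed for this example.

```python
"""Diagnose an OAuth2 authorize redirect handed back in a Set-Cookie header.

Added example: extracts the `box_redirect_url` cookie from captured response
headers, decodes it, and checks that the redirect stays on an expected host
with the original authorize parameters intact.
"""
from urllib.parse import parse_qs, unquote, urlsplit, urlunsplit

# Hosts the authorize flow is expected to stay on (assumption for this example).
EXPECTED_HOSTS = {"app.box.com", "www.box.com"}

# Query parameters the flow started with; the redirect must preserve them.
ORIGINAL_QUERY = {"response_type": "code", "client_id": "XYZ"}

# Constructed sample headers, modelled on the mobile/2FA case in the post.
MOBILE_HEADERS = [
    ("content-type", "text/html"),
    ("set-cookie", "site_preference=mobile; Path=/; Domain=.box.com"),
    ("set-cookie",
     "box_redirect_url=https%3A%2F%2Fm.box.com%2Fapi%2Foauth2%2Fauthorize"
     "%3Fresponse_type%3Dcode%26client_id%3DXYZ; Path=/; Domain=.box.com"),
]

# Constructed sample headers for the desktop case that works.
DESKTOP_HEADERS = [
    ("set-cookie",
     "box_redirect_url=https%3A%2F%2Fapp.box.com%2Fapi%2Foauth2%2Fauthorize"
     "%3Fresponse_type%3Dcode%26client_id%3DXYZ; Path=/; Domain=.box.com"),
]


def extract_cookie(headers, name):
    """Return the raw value of cookie `name` from Set-Cookie headers, or None."""
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        # The first ';'-separated piece is name=value; the rest are attributes.
        pair = value.split(";", 1)[0]
        cookie_name, _, cookie_value = pair.partition("=")
        if cookie_name.strip() == name:
            return cookie_value.strip()
    return None


def check_redirect(headers, expected_hosts=EXPECTED_HOSTS,
                   original_query=ORIGINAL_QUERY):
    """Decode the redirect cookie and report anything that deviates from the
    expected host/scheme or drops the original authorize parameters."""
    raw = extract_cookie(headers, "box_redirect_url")
    if raw is None:
        return {"ok": False, "url": None, "host": None,
                "problems": ["no box_redirect_url cookie in response"]}
    url = unquote(raw)          # cookie value is percent-encoded once
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append(f"scheme {parts.scheme!r} is not https")
    if parts.hostname not in expected_hosts:
        problems.append(f"host {parts.hostname!r} not in {sorted(expected_hosts)}")
    query = parse_qs(parts.query)
    for key, value in original_query.items():
        if query.get(key) != [value]:
            problems.append(f"query param {key!r} changed: {query.get(key)}")
    return {"ok": not problems, "url": url, "host": parts.hostname,
            "problems": problems}


def rewrite_host(url, host):
    """Return `url` with only its host replaced; path and query are kept."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(netloc=host))


if __name__ == "__main__":
    for label, headers in (("mobile", MOBILE_HEADERS), ("desktop", DESKTOP_HEADERS)):
        result = check_redirect(headers)
        print(label, "OK" if result["ok"] else "PROBLEMS", result["problems"])
        if not result["ok"] and result["url"]:
            print("  would retry as:", rewrite_host(result["url"], "app.box.com"))
```

Run against real captures by replacing the sample header lists with the `Set-Cookie` values copied from the browser's network panel; a non-empty `problems` list pinpoints whether the host, the scheme or the authorize parameters were altered between step 2 and step 4.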