Skip to main content
Question

Re: How I can connect to OAuth2 from server-side script (without internet browser)?

  • May 21, 2025
  • 11 replies
  • 22 views
C
Forum|alt.badge.img

Hi Marek,

 

Thanks for reaching out!

 

We actually don't officially support completing the OAuth process without interacting with a browser. However, once you obtain your initial access and refresh tokens you don't need to complete the full OAuth process as long as your tokens remain active.

 

The full OAuth process is described in detail here - https://box-content.readme.io/docs/oauth-20 - but can be boiled down to the following few steps:

 

  •  Make your preliminary request to get authorization - this is where the browser interaction comes into play. Something similar to this will do:  
https://account.box.com/api/oauth2/authorize?response_type=code&client_id={your_api_key}&state=authenticated

 

  • You will be presented with a login screen, sign in to grant access to the application using the account you wish to generate the tokens [token permissions rely on the permissions of the account that generated them] - this will return an Authorization Code in the "code" parameter.

 

  • Use the Authorization Code that's returned to construct a call like the following:
curl https://app.box.com/api/oauth2/token \
-d 'grant_type=authorization_code&code={your_code_from_step_2}&client_id={your_API_key}&client_secret={your_client_secret}' \
-X POST

 

  • If successful, this will return your first set of Access and Refresh Tokens.

 

Access Tokens have a 60 minute lifespan, and can be used as many times as you need for the duration of their life. Once that time passes [or pro-actively], use the Refresh Token to generate a new Access and Refresh Token. Refresh Tokens have a 60 day lifespan and can be used once within that time. Once a Refresh Token is used to generate the new pair of tokens, the initial pair of tokens become invalid.

 

As long as your tokens are refreshed at least once every 60 days, you will not need to complete the OAuth process again to keep your access.

 

 

Hopefully that helps!

-Tony

    11 replies

    C
    Forum|alt.badge.img

    Hey Tony....when I follow your steps. I keep  getting

     

    curl https://app.box.com/api/oauth2/token...

     

    response:

    {

    • error: "invalid_grant",
    • error_description: "The authorization code has expired"

    }

     

    I've made sure the to POST it (I did via

    I've also recreated the "client_secret" for my app (and then reran  "Authorization Code" step).

    Each time same result "invalid_grant"

     

    Please help... 🙂

    Thanks,

    Joel

    C
    Forum|alt.badge.img

    (I've already checked for "{" curly braces accidentally being used)

    according to this: 

    http://stackoverflow.com/questions/20937478/invalid-credentials-when-trying-to-obtain-box-api-tokens

     

    I need to setup certificate/security info.. do you have any help with that? 

     

     

    C
    Forum|alt.badge.img

    Never mind...turns out I had an extra space in my "client_secret"

    C
    Forum|alt.badge.img

    Hi Joel,

     

    Glad to hear that you were able to sort it out! 🙂

     

    -Tony

     

    C
    Forum|alt.badge.img

    Hi Tony,

    I went through the process you have described here. And I am able to make API calls using access tokens. Thank you very much for that. My question is, Can we bypass the manual grant access option by using enterprise SSO credentials? Or add users to my app in bulk without user actually doing it (With the Enterprise Administration Access)?

    Thank you for your response.

    C
    Forum|alt.badge.img

    Hi Tony

      Thank you for your detailed explanation. I followed those steps and able to access with retrieved access token. But, if I want to implement complete server-side solution without user interaction, as per my understanding, I need to save Access token and Refresh token on some flat file/DB (considering server downtime) and use refresh method every time by setting those values back to api connection. Is that correct? Or is there any otherway of doing it?

     

    Thanks

    Sudhakar

    C
    Forum|alt.badge.img

    ok so there are couple more issues with this process though. You can keep your token and refresh token working for you as long as you have your application up and running, but as soon as you restart your application, it looses everything and you have to start all over again with browser login and grant permission. Also, second issue is that, if user that granted a permission, if their password expires, then it starts failing and you will have to have them login again and grant permission. There is just so many manual step involved unlike other saas provider like salesforce or netsuite does. Am I wrong on any of these?

     

    thanks

    -Samir

    C
    Forum|alt.badge.img

    I do our user provisioning from a set of Oracle APEX apps.  Each call to the BOX API has the following call to set up the authentication (these happen to be for Oracle PL/SQL routines, but might be useful as a model)

     

    apex_web_service.g_request_headers.delete; -- Make sure we are clean
    apex_web_service.g_request_headers(1).name := 'Authorization';
    apex_web_service.g_request_headers(1).value := 'Bearer ' || Oauth_Maint.Get_Access_Token;

     

    Which brings us back to the "Get_Access_Token" function, which looks like:

     

    function Get_Access_Token(interface_name in varchar2 default 'BOX_Provision')
    return varchar2
    is
    sys sys_rec;
    time_left number;
    result varchar2(255);
    pragma autonomous_transaction;
    begin
    --
    -- Might want to consider doing an interface check here. Lets assume
    -- it was done at a higher level for now
    sys := sys_by_system_name(interface_name);
    if sys.system_name is null
    then
    raise_application_error(-20101,'Get_Access_Token - System name "' || interface_name || '" is not found.');
    end if;
    time_left := ( sys.access_expire - sysdate ) * 24 * 60; -- time left in minutes
    if nvl(time_left,0) < 2
    then
    result := Refresh_Token(sys);
    commit;
    return result;
    end if;

    --
    -- Now get the saved token
    sys.last_access := sysdate;
    sys := update_sys(sys);
    commit;
    return get_token(sys.token_directory, sys.system_name, Access_Suffix);
    end Get_Access_Token;

     

    The "sys_XXX" are a set of PL/SQL routines that provide access to a simple table that basically record the last time we refreshed a token.  If the token is "recent" enough, we return it, otherwise we record the "last access time" and get the Tokens from the database.  Note - the tokens are actually stored as files on the database server.

     

    This setup has been working since the fall, and as long as someone makes a BOX request at least once every 60 days, the token will be refreshed.  Since we syncronize groups a couple of times a day.

     

    If you are interested in seeing the full PL/SQL package, send an email to ***email address removed for privacy*** and ask for the "OAUTH_Maint" package, and I will send it back to you.

     

    C
    Forum|alt.badge.img

    Is it still the case or has it been updated? (Server side script without internet browser)

    C
    Forum|alt.badge.img

    Is this not valid anymore? I'm not getting "Authorization Code" on step #2, it just redirects me to "https://hidden.app.box.com/folder/0"

    C
    Forum|alt.badge.img

    I ended up using the following automated script for OAuth 2.0 with bash. If somebody interested: https://github.com/rooty0/box-oauth-uploader

    Terms & ConditionsAccessibility statement