
Unable to fully authenticate using oauth: Error code 400

  • May 22, 2025

Here is my code:

 

from flask import Flask, redirect, request
from boxsdk import Client
from boxsdk import OAuth2

import config_oauth
import requests
import logging

app = Flask(__name__)

# Create new OAuth client & csrf token
oauth = OAuth2(
  client_id=config_oauth.client_id,
  client_secret=config_oauth.client_secret
)
csrf_token = ''


# Create Box redirect URI with csrf token and redirect user
@app.route('/login')
def start():
  global csrf_token
  auth_url, csrf_token = oauth.get_authorization_url(config_oauth.redirect_uri)

  return redirect(auth_url)

# Fetch access token and make authenticated request
@app.route('/get')
def capture():
  # Capture auth code and csrf token via state
  code = request.args.get('code')
  state = request.args.get('state')

  # If csrf token matches, fetch tokens.
  # Explicit check instead of assert: assert statements are removed under python -O.
  if state != csrf_token:
    return "Invalid state", 400
  access_token, refresh_token = oauth.authenticate(code)       # CODE BREAKS HERE

  client = Client(oauth)

  return "Done"

See comment where my code breaks. I keep getting an error code 400, not sure why. Here is the exact printout of the error message that I receive back:

BoxOAuthException: 
Message: None
Status: 400
URL: https://api.box.com/oauth2/token
Method: POST
Headers: {'Content-Length': '83', 'Set-Cookie': 'box_visitor_id=5c700b6c75c633.73632444; expires=Sat, 22-Feb-2020 14:47:08 GMT; Max-Age=31536000; path=/; domain=.box.com; secure, bv=OPS-42881; expires=Fri, 01-Mar-2019 14:47:08 GMT; Max-Age=604800; path=/; domain=.app.box.com; secure, cn=11; expires=Sat, 22-Feb-2020 14:47:08 GMT; Max-Age=31536000; path=/; domain=.app.box.com; secure, site_preference=desktop; path=/; domain=.box.com; secure', 'Age': '0', 'Strict-Transport-Security': 'max-age=31536000', 'Connection': 'keep-alive', 'Cache-Control': 'no-store', 'Date': 'Fri, 22 Feb 2019 14:47:08 GMT', 'Content-Type': 'application/json'}

3 replies


Hi,

 

I don't see anything directly wrong in the code, so let's see what else it may be:

  1. If you print out the code that comes back, does it look correct? It should be an alphanumeric string.
  2. In the OAuth 2 app you created at developer.box.com, is the redirect URL the same as the one that you are setting in your code?
  3. Just to test, can you enable all scopes and also the "Perform actions as users" option? 

That should help us get a bit closer to the solution. 

 

Thanks,

Jon



Hi,

 

I've solved the issue: it turns out my client secret was incorrect.

 

This would have been easier to solve had there been a better error message I think – even something like "invalid credentials" would have made me check the client id/secret.

 

Thankfully, a Box employee on GitHub helped me out, and told me it was a problem with either my client id or secret. Come to find I had copy/pasted the client id twice accidentally, so this was an easy fix. 

 

Thanks for the reply.



I'm glad to hear that you were able to resolve the issue. Also completely agree, that error response with lack of message didn't do much to help the situation. 

 

With that said, let's talk about next steps. We've been doing some extensive work on trying to identify major hurdles in the onboarding process. One of those hurdles was around error responses, and also around the documentation on how to resolve those errors. As a next step we'll be working on creating a plan around attempting to resolve any vague errors like this, with an ideal target around unifying the errors and docs together. I know this isn't needed for you right now with this issue resolved, but I just wanted to be transparent that we are working towards improving this holistically on the platform.

 

- Jon
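
Added example, not part of the thread and not Box SDK code: the response in the question has Content-Type application/json and a Content-Length of 83 even though the exception prints Message: None, so the body is the first thing to read. The sketch below checks the credentials for the copy/paste mistake described in the thread and maps the RFC 6749 token-endpoint error codes to what to check. `preflight`, `explain_token_error`, `HINTS` and the sample body are constructed for illustration, and it assumes the provider returns errors in the RFC 6749 format.

```python
import json

# Error codes a token endpoint may return (RFC 6749, section 5.2), with what to check.
HINTS = {
    "invalid_client": "client_id or client_secret is wrong; re-copy both from the app settings",
    "invalid_grant": "auth code expired or reused, or redirect_uri differs from the registered one",
    "invalid_request": "a required token-request parameter is missing or repeated",
    "unauthorized_client": "this client is not allowed to use the grant type",
    "unsupported_grant_type": "the server does not support the grant_type sent",
    "invalid_scope": "the requested scope is invalid or exceeds what was granted",
}

def preflight(client_id, client_secret):
    """List credential problems visible before any request; never echoes the values."""
    problems = []
    for name, value in (("client_id", client_id), ("client_secret", client_secret)):
        if not value:
            problems.append(f"{name} is empty")
        elif value != value.strip():
            problems.append(f"{name} has leading or trailing whitespace")
    if client_id and client_id == client_secret:
        problems.append("client_secret is identical to client_id (pasted twice?)")
    return problems

def explain_token_error(status, content_type, body):
    """Turn a token-endpoint error response into a one-line diagnosis."""
    if "application/json" not in (content_type or "").lower():
        return f"HTTP {status}: error body is not JSON"
    try:
        payload = json.loads(body)
    except ValueError:
        return f"HTTP {status}: error body is not valid JSON"
    if not isinstance(payload, dict):
        return f"HTTP {status}: unexpected JSON error body"
    code = payload.get("error", "unknown_error")
    description = payload.get("error_description", "no description")
    hint = HINTS.get(code, "not an RFC 6749 token error code; check the provider docs")
    return f"HTTP {status} {code} ({description}): {hint}"

# Constructed sample response body in the RFC 6749 error format (not taken from the thread).
SAMPLE_BODY = '{"error": "invalid_client", "error_description": "The client credentials are invalid"}'

if __name__ == "__main__":
    print(preflight("constructed-id-123", "constructed-id-123"))
    print(explain_token_error(400, "application/json", SAMPLE_BODY))
```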