Question

Using OAuth2 with JWT without a Box SDK

  • May 22, 2025
  • 2 replies
  • 58 views


Hi Experts,

I want to establish a machine-to-machine scenario but I am working on a platform where no Box SDK is provided. I have created a new Box App and I have done all the setup there and downloaded the JSON config file. How can I get access to Box now in terms of native http(s) calls? Is there any tutorial on what sequence of calls is needed and what I have to do with the content of the configuration file? I can certainly write my own Box API to do all operations I need, but I am not sure how the logon procedure works exactly when using OAuth2 with JWT.

I also noticed that the private key seems to be encrypted in the config file. Do I need to decrypt it before sending it to Box? What kind of encryption was used?

Thanks in advance for any help

2 replies


Hi  — you may find the guide at https://developer.box.com/v2.0/docs/construct-jwt-claim-manually useful.  It walks through constructing a JWT manually and using it to authenticate with the Box API.



I had to do this as there's no PHP SDK.

 

I use a library to help:

 

use Curl\Curl;                 // php-curl-class (assumed; the original omits this import)
use Emarref\Jwt\Claim;
use Emarref\Jwt\HeaderParameter;

And in my Box class constructor...

function __construct($boxJson)
{
    $this->Curl = new Curl;
    // The downloaded config is already UTF-8 JSON, so it is decoded directly.
    // (The original utf8_encode() call is deprecated since PHP 8.2 and would
    // double-encode any non-ASCII bytes.)
    $boxJson = json_decode($boxJson);
    // jti must be unique per assertion and 16..128 characters long; uniqid()
    // alone is 13 characters, hence the prefix (as in the original post)
    $uniqueID = uniqid('???');
    $token = new \Emarref\Jwt\Token();

    $token->addClaim(new Claim\Audience('https://api.box.com/oauth2/token'));
    // Box rejects an exp more than 60 seconds in the future
    $token->addClaim(new Claim\Expiration(new \DateTime('+60 seconds')));
    //$token->addClaim(new Claim\IssuedAt(new \DateTime('now')));
    $token->addClaim(new Claim\Issuer($boxJson->boxAppSettings->clientID));
    $token->addClaim(new Claim\JwtId($uniqueID));
    //$token->addClaim(new Claim\NotBefore(new \DateTime('now')));
    $token->addClaim(new Claim\Subject($boxJson->enterpriseID));
    $token->addHeader(new HeaderParameter\KeyId($boxJson->boxAppSettings->appAuth->publicKeyID));
    $token->addHeader(new HeaderParameter\Type('JWT'));
    $token->addClaim(new Claim\PrivateClaim('box_sub_type', 'enterprise'));
    // Sign the JWT with RS256. The library calls its signer "Encryption", but the
    // token is signed, not encrypted. The private key in the config file is a
    // passphrase-protected PEM: openssl decrypts it here, locally, and the key
    // itself is never sent to Box.
    $algorithm = new \Emarref\Jwt\Algorithm\Rs256();
    $encryption = \Emarref\Jwt\Encryption\Factory::create($algorithm);
    $privateKey = openssl_get_privatekey(
        $boxJson->boxAppSettings->appAuth->privateKey,
        $boxJson->boxAppSettings->appAuth->passphrase
    );
    if ($privateKey === false) {
        throw new \RuntimeException('Could not load Box private key: ' . openssl_error_string());
    }
    $encryption->setPrivateKey($privateKey);
    $jwt = new \Emarref\Jwt\Jwt();
    $serializedToken = $jwt->serialize($token, $encryption);
    // Get the token. Six attempts with a 5 s pause stay inside the 60 s exp above;
    // a longer retry window would need a freshly built assertion per attempt.
    $TOKEN_RECEIVED = false;
    $TOKEN_ATTEMPTS = 0;
    do {
        $this->Curl->post('https://api.box.com/oauth2/token', array(
            'grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
            'client_id' => $boxJson->boxAppSettings->clientID,
            'client_secret' => $boxJson->boxAppSettings->clientSecret,
            'assertion' => $serializedToken
        ));
        if (isset($this->Curl->response->access_token)) {
            $TOKEN_RECEIVED = true;
        } else {
            $TOKEN_ATTEMPTS++;
            sleep(5);
        }
    } while (!$TOKEN_RECEIVED and $TOKEN_ATTEMPTS < 6);
    if (!$TOKEN_RECEIVED) {
        // On failure Box answers with {"error": ..., "error_description": ...}; log it and stop
        ob_start();
        var_dump($this->Curl->response);
        $TokenErrorText = ob_get_clean();
        $TokenErrorFile = 'logs/BoxTokenError-' . date('d-m-Y His') . '.txt';
        file_put_contents($TokenErrorFile, $TokenErrorText);
        exit;
    }
    // Set the authorization header for every following API call
    $this->AccessToken = $this->Curl->response->access_token;
    $this->Curl->setHeader('Authorization', "Bearer $this->AccessToken");
    $this->Curl->setHeader('Content-Type', 'application/json');
}
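For a platform with no SDK and no JWT library at all, the same sequence can be done with nothing but PHP's openssl and curl extensions. The following is an added example, not code from either reply above: it builds the assertion by hand (base64url header, base64url claims, RS256 signature over the two), decrypts the passphrase-protected PEM from the config locally (the key itself never goes to Box; only the signature does), POSTs the assertion to the token endpoint, and uses the bearer token for a first API call. It assumes the config file has the shape the Box developer console downloads (boxAppSettings.clientID, clientSecret, appAuth.publicKeyID, appAuth.privateKey, appAuth.passphrase, enterpriseID). Run without an argument it generates a throwaway key and config so the JWT construction and signature check can be exercised offline; the client ID, secret, key ID and enterprise ID in that constructed config are placeholders.

```php
<?php
// Added example (not from the original post): Box JWT auth with no SDK or JWT library.
//   php box_jwt.php /path/to/box-config.json   -> requests a real access token
//   php box_jwt.php                            -> offline run on a throwaway key

function base64url(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

function base64urlDecode(string $text): string
{
    return base64_decode(strtr($text, '-_', '+/'));
}

// Step 1: build and sign the assertion. The privateKey in the config is a
// passphrase-encrypted PEM (the passphrase sits next to it in the same file);
// openssl decrypts it in-process and the key never leaves this machine.
function boxJwtAssertion(array $cfg): string
{
    $auth = $cfg['boxAppSettings']['appAuth'];
    $key = openssl_pkey_get_private($auth['privateKey'], $auth['passphrase']);
    if ($key === false) {
        throw new RuntimeException('cannot decrypt private key: ' . openssl_error_string());
    }
    $header = ['alg' => 'RS256', 'typ' => 'JWT', 'kid' => $auth['publicKeyID']];
    $claims = [
        'iss'          => $cfg['boxAppSettings']['clientID'],
        'sub'          => $cfg['enterpriseID'],
        'box_sub_type' => 'enterprise',              // 'user' with a user ID as sub also works
        'aud'          => 'https://api.box.com/oauth2/token',
        'jti'          => bin2hex(random_bytes(32)), // unique per request, 16..128 chars
        'exp'          => time() + 45,               // must be at most 60 s in the future
    ];
    $input = base64url(json_encode($header, JSON_UNESCAPED_SLASHES)) . '.'
           . base64url(json_encode($claims, JSON_UNESCAPED_SLASHES));
    $signature = '';
    if (!openssl_sign($input, $signature, $key, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return $input . '.' . base64url($signature);
}

// Step 2: exchange the assertion for an access token (form-encoded POST).
function requestAccessToken(array $cfg, string $assertion): array
{
    $ch = curl_init('https://api.box.com/oauth2/token');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'grant_type'    => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
            'client_id'     => $cfg['boxAppSettings']['clientID'],
            'client_secret' => $cfg['boxAppSettings']['clientSecret'],
            'assertion'     => $assertion,
        ]),
    ]);
    $body = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    if ($body === false) {
        throw new RuntimeException('token request failed: ' . curl_error($ch));
    }
    $resp = json_decode($body, true);
    if ($status !== 200 || !isset($resp['access_token'])) {
        // Box answers {"error": "...", "error_description": "..."} on failure
        throw new RuntimeException("token endpoint returned $status: $body");
    }
    return $resp; // access_token, expires_in (seconds), token_type "bearer"
}

// Step 3: every later API call just carries the bearer token.
function boxGet(string $accessToken, string $path): array
{
    $ch = curl_init('https://api.box.com/2.0' . $path);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => ['Authorization: Bearer ' . $accessToken],
    ]);
    return json_decode(curl_exec($ch), true);
}

// Constructed config for the offline run: a throwaway RSA key exported with a
// passphrase, i.e. an encrypted PEM like the one in a real Box config file.
function demoConfig(): array
{
    $pair = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
    openssl_pkey_export($pair, $pem, 'demo-passphrase');
    return [
        'boxAppSettings' => [
            'clientID'     => 'demo-client-id',      // placeholder
            'clientSecret' => 'demo-client-secret',  // placeholder
            'appAuth'      => ['publicKeyID' => 'demokid1', 'privateKey' => $pem, 'passphrase' => 'demo-passphrase'],
        ],
        'enterpriseID' => '12345',                   // placeholder
    ];
}

$cfg = isset($argv[1]) ? json_decode(file_get_contents($argv[1]), true) : demoConfig();
$assertion = boxJwtAssertion($cfg);
[$h, $p, $s] = explode('.', $assertion);
// Verify locally with the public half of the key; Box does the same with the
// public key registered under kid in the developer console.
$auth = $cfg['boxAppSettings']['appAuth'];
$pub = openssl_pkey_get_details(openssl_pkey_get_private($auth['privateKey'], $auth['passphrase']))['key'];
$valid = openssl_verify("$h.$p", base64urlDecode($s), $pub, OPENSSL_ALGO_SHA256) === 1;
echo "claims: " . base64urlDecode($p) . "\nsignature valid: " . var_export($valid, true) . "\n";
if (isset($argv[1])) {
    $token = requestAccessToken($cfg, $assertion);
    echo "access token expires in {$token['expires_in']} s\n";
    echo "service account: " . boxGet($token['access_token'], '/users/me')['login'] . "\n";
}
```

Two practical points the code is built around: the JWT is signed, not encrypted, so the only secret that must be protected is the private key plus its passphrase (treat the whole config file as a credential and keep it out of the web root and version control); and the assertion is single-use and short-lived, so build a fresh one with a new jti for every token request rather than caching it, while the returned access token itself can be reused until expires_in runs out.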