Re: How I can connect to OAuth2 from server-side script (without internet browser)?

Box Employee

Hi Marek,

Thanks for reaching out!

We actually don't officially support completing the OAuth process without interacting with a browser. However, once you obtain your initial access and refresh tokens you don't need to complete the full OAuth process as long as your tokens remain active.

The full OAuth process is described in detail here - https://box-content.readme.io/docs/oauth-20 - but can be boiled down to the following few steps:

  • Make your preliminary request to get authorization - this is where the browser interaction comes into play. Something similar to this will do:

    https://account.box.com/api/oauth2/authorize?response_type=code&client_id={your_api_key}&state=authenticated

  • You will be presented with a login screen; sign in to grant access to the application using the account you wish to generate the tokens with [token permissions rely on the permissions of the account that generated them] - this will return an Authorization Code in the "code" parameter.

  • Use the Authorization Code that's returned to construct a call like the following:

    curl https://app.box.com/api/oauth2/token \
      -d 'grant_type=authorization_code&code={your_code_from_step_2}&client_id={your_API_key}&client_secret={your_client_secret}' \
      -X POST

  • If successful, this will return your first set of Access and Refresh Tokens.

Access Tokens have a 60-minute lifespan and can be used as many times as you need for the duration of their life. Once that time passes [or proactively], use the Refresh Token to generate a new Access and Refresh Token. Refresh Tokens have a 60-day lifespan and can be used once within that time. Once a Refresh Token is used to generate the new pair of tokens, the initial pair of tokens becomes invalid.

As long as your tokens are refreshed at least once every 60 days, you will not need to complete the OAuth process again to keep your access.

Hopefully that helps!

-Tony

New Contributor

Hey Tony... when I follow your steps, I keep getting

curl https://app.box.com/api/oauth2/token...

response:

{
  "error": "invalid_grant",
  "error_description": "The authorization code has expired"
}

I've made sure to POST it (I did it via <form action... method="POST">) and also did it with the curl example you gave... I've double-checked the "Authorization Code" returned from the first step.

I've also recreated the "client_secret" for my app (and then reran the "Authorization Code" step).

Each time, same result: "invalid_grant".

Please help... :)

Thanks,

Joel

New Contributor

(I've already checked for "{" curly braces accidentally being used)

According to this:

http://stackoverflow.com/questions/20937478/invalid-credentials-when-trying-to-obtain-box-api-tokens

I need to set up certificate/security info... Do you have any help with that?

New Contributor

Never mind...turns out I had an extra space in my "client_secret"

Box Employee

Hi Joel,

Glad to hear that you were able to sort it out! :)

-Tony

Senior Member

Hi Tony,

I went through the process you have described here, and I am able to make API calls using access tokens. Thank you very much for that. My question is: can we bypass the manual grant-access option by using enterprise SSO credentials? Or add users to my app in bulk without the user actually doing it (with Enterprise Administration Access)?

Thank you for your response.

New Contributor

Hi Tony

Thank you for your detailed explanation. I followed those steps and am able to access with the retrieved access token. But if I want to implement a complete server-side solution without user interaction, as per my understanding, I need to save the Access token and Refresh token in some flat file/DB (considering server downtime) and use the refresh method every time by setting those values back on the API connection. Is that correct? Or is there any other way of doing it?

Thanks

Sudhakar

New Contributor

OK, so there are a couple more issues with this process though. You can keep your token and refresh token working for you as long as you have your application up and running, but as soon as you restart your application, it loses everything and you have to start all over again with the browser login and granting permission. Also, the second issue is that if the user that granted permission has their password expire, then it starts failing and you will have to have them log in again and grant permission. There are just so many manual steps involved, unlike other SaaS providers like Salesforce or NetSuite. Am I wrong on any of these?

thanks

-Samir
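The persistence Sudhakar and Samir ask about, as an added example that is not Box's own code and was not posted by anyone in this thread: a Python script that performs Tony's step 3 exchange once, writes the token pair to disk, and from then on serves access tokens from that file, refreshing through the single-use refresh token when the 60-minute access token is about to expire. Only the token endpoint URL and the 60-minute/60-day lifetimes come from the thread; the function names (exchange_code, refresh_pair, TokenStore, get_access_token), the on-disk JSON layout, the 120-second early-refresh skew and the offline fake endpoint are this example's own assumptions. The browser step itself (Tony's steps 1 and 2) stays manual, as Tony says.

```python
"""Box OAuth2 for a server-side script: exchange the browser-obtained code once, then
persist the token pair and renew it with refresh tokens across restarts (added example)."""
import json
import os
import tempfile
import time
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlencode

TOKEN_URL = "https://app.box.com/api/oauth2/token"  # endpoint from the thread
ACCESS_LIFETIME = 60 * 60          # 60 minutes, per the thread
REFRESH_LIFETIME = 60 * 24 * 3600  # 60 days and single use, per the thread
SKEW = 120                         # refresh this many seconds before expiry (assumption)

def urllib_post(url, body):
    """Real transport (stdlib only); Box error replies are JSON too, so decode them."""
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)

def _pair(resp, now):
    """Endpoint response -> record with absolute expiry times, or raise on error."""
    if "error" in resp:
        raise RuntimeError(f"{resp['error']}: {resp.get('error_description', '')}")
    return {"access_token": resp["access_token"], "refresh_token": resp["refresh_token"],
            "access_expires_at": now + resp.get("expires_in", ACCESS_LIFETIME),
            "refresh_expires_at": now + REFRESH_LIFETIME}

def exchange_code(post, client_id, client_secret, code, now=None):
    """Step 3 of the thread: trade the authorization code for the first pair."""
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "client_id": client_id, "client_secret": client_secret})
    return _pair(post(TOKEN_URL, body), time.time() if now is None else now)

def refresh_pair(post, client_id, client_secret, refresh_token, now=None):
    """Mint a new pair; the refresh token passed in is invalid afterwards."""
    body = urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token,
                      "client_id": client_id, "client_secret": client_secret})
    return _pair(post(TOKEN_URL, body), time.time() if now is None else now)

class TokenStore:
    """On-disk pair, written atomically and owner-only: a live refresh token is 60 days
    of the user's access, and a torn write would lose the only copy of the new pair."""
    def __init__(self, path): self.path = path

    def load(self):
        try:
            with open(self.path) as fh:
                return json.load(fh)
        except FileNotFoundError:
            return None

    def save(self, pair):
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(self.path)))
        with os.fdopen(fd, "w") as fh:
            json.dump(pair, fh)
        os.chmod(tmp, 0o600)
        os.replace(tmp, self.path)

def get_access_token(store, post, client_id, client_secret, now=None):
    """Return a usable access token, refreshing and re-persisting when needed."""
    now = time.time() if now is None else now
    pair = store.load()
    if pair is None:
        raise RuntimeError("no stored tokens: do the browser step once, then exchange_code")
    if now >= pair["refresh_expires_at"]:
        raise RuntimeError("refresh token unused for 60 days: browser authorization needed again")
    if now + SKEW < pair["access_expires_at"]:
        return pair["access_token"]
    pair = refresh_pair(post, client_id, client_secret, pair["refresh_token"], now)
    store.save(pair)  # persist before first use; the old refresh token is gone
    return pair["access_token"]

def make_fake_endpoint(valid_code="CODE1"):
    """Constructed offline stand-in: one valid code, then each refresh token honoured once."""
    state = {"live": None, "n": 0}
    def post(url, body):
        p = {k: v[0] for k, v in parse_qs(body).items()}
        if p["grant_type"] == "authorization_code" and p["code"] != valid_code:
            return {"error": "invalid_grant", "error_description": "The authorization code has expired"}
        if p["grant_type"] == "refresh_token" and p["refresh_token"] != state["live"]:
            return {"error": "invalid_grant", "error_description": "Refresh token has expired"}
        state["n"] += 1
        state["live"] = f"R{state['n']}"
        return {"access_token": f"A{state['n']}", "refresh_token": state["live"],
                "expires_in": ACCESS_LIFETIME}
    return post

def run_demo():
    """Offline walk-through: t=10 serves cached A1, t=3500 is within SKEW of expiry so
    it refreshes to A2, t=3600 reuses A2. Swap in urllib_post for the real endpoint."""
    post, store = make_fake_endpoint(), TokenStore(os.path.join(tempfile.mkdtemp(), "t.json"))
    store.save(exchange_code(post, "id", "secret", "CODE1", now=0))
    return [get_access_token(store, post, "id", "secret", now=t) for t in (10, 3500, 3600)]
```

The new pair is written to disk before it is used because, as Tony notes, the old refresh token dies the moment it is redeemed; a process that refreshed, then crashed before saving, would be back to the browser step. After a restart, load() alone is enough to resume. The 60-day clock is tracked locally so a store that sat idle too long fails with a clear message instead of an opaque invalid_grant, and Joel's error text is what the fake endpoint returns for a bad code so the same path is exercised offline.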

Member

I do our user provisioning from a set of Oracle APEX apps. Each call to the BOX API has the following call to set up the authentication (these happen to be Oracle PL/SQL routines, but might be useful as a model):

apex_web_service.g_request_headers.delete; -- Make sure we are clean
apex_web_service.g_request_headers(1).name := 'Authorization';
apex_web_service.g_request_headers(1).value := 'Bearer ' || Oauth_Maint.Get_Access_Token;

Which brings us back to the "Get_Access_Token" function, which looks like:

function Get_Access_Token(interface_name in varchar2 default 'BOX_Provision')
  return varchar2
is
  sys       sys_rec;
  time_left number;
  result    varchar2(255);
  pragma autonomous_transaction;
begin
  --
  -- Might want to consider doing an interface check here. Lets assume
  -- it was done at a higher level for now
  sys := sys_by_system_name(interface_name);
  if sys.system_name is null
  then
    raise_application_error(-20101, 'Get_Access_Token - System name "' || interface_name || '" is not found.');
  end if;
  time_left := ( sys.access_expire - sysdate ) * 24 * 60; -- time left in minutes
  if nvl(time_left, 0) < 2
  then
    result := Refresh_Token(sys);
    commit;
    return result;
  end if;

  --
  -- Now get the saved token
  sys.last_access := sysdate;
  sys := update_sys(sys);
  commit;
  return get_token(sys.token_directory, sys.system_name, Access_Suffix);
end Get_Access_Token;

The "sys_XXX" routines are a set of PL/SQL routines that provide access to a simple table that basically records the last time we refreshed a token. If the token is "recent" enough, we return it; otherwise we record the "last access time" and get the tokens from the database. Note - the tokens are actually stored as files on the database server.

This setup has been working since the fall, and as long as someone makes a BOX request at least once every 60 days, the token will be refreshed, and we synchronize groups a couple of times a day.

If you are interested in seeing the full PL/SQL package, send an email to ***email address removed for privacy*** and ask for the "OAUTH_Maint" package, and I will send it back to you.