Utilizing Chrome Extension for oauth verification
Answered
Quick and possibly silly question - The quickstart guide for the Box API references the Box SDK often. I'm working on a chrome extension to automate box folder creation and was wondering if the Box SDK is explicitly required, or if I can handle all oauth 2.0 user authentication via the Google Chrome Extension?
If I can do it purely client-side from the local chrome extension, how would I go about exchanging the "code" for the API Token?
https://developer.box.com/docs/authenticate-with-oauth-2#section-step-3-handle-redirect-and-get-access-token
-
Hi ,
No, the SDKs are not specifically required to work with OAuth 2, you can do it all directly through the Chrome extension. If you have a way of redirecting the user to the Chrome extension after they sign in, you can extract the code that is on the query string and then make an HTTPS POST request to Box to exchange that for an access token. That will give you the token that you need to send to the Box APIs to authenticate the session. The only thing that I would caution you on is that you will have a very broadly scoped access token that gives direct access to the user's content. Having that stored within any environment that can be monitored is not a best security practice. The token lasts for an hour before it will need to be refreshed, so there is limited exposure after that time.
Hope that helps,
Jon
Please sign in to leave a comment.
Comments
1 comment