2 Legged Flow for service account authentication BOX - box-api

Is there any way to get around the login page required after getting a BOX token?
I need to use the BOX account as an admin, so is there any workaround so that it can be done programmatically?

If by the login page you're referring to the credentials page at:
https://www.box.com/api/1.0/auth/{your ticket}
that you redirect the user to after getting a ticket from:
GET https://www.box.com/api/1.0/rest?action=get_ticket&api_key={your api key}
Then the answer is currently no. As far as I know there are no plans to support an authentication method involving directly supplying credentials.

You can easily fill out the form and submit it without ever opening a browser. If you are using Python, you can do this with Mechanize or Clientform. I suppose you can do the same thing with other languages as well. But I'm not sure what the point is, since you need to authenticate your user, and the Box login page does the job nicely. If you don't want to make the user sign in every time, then serialize the token with a timestamp denoting how long you want it to be good for and use that token until it expires.
Good luck,
Mike

There have been new developments since this question was posted, and now it's possible to use JWT (JSON Web Token) and Box Developers Edition to access Box.
If you create a developer account you will be able to create App users and log in using an enterprise token and a private key file. Check out the docs for more information: Box Developer Edition
Additionally, boxsdk comes with support for Box Developer Edition.

Related

Log-in to an external site from Gmail Addon

First of all, sorry for my bad English :)
I am building a Gmail addon which integrates file uploading to an external website using their API. The API has an auth endpoint which uses a plain authorization flow, i.e. it takes the email and password of a user to authorize and returns an authorization token. That token is then used in the subsequent calls of the file uploading process.
My question is: it has been mentioned in the Gmail addon guide that an app should use OAuth when connecting to a third-party service. However, the related website's API does not have OAuth but uses a plain authorization flow. If I create a login form with email and password fields using the card service, would that be okay and approved by Google to be listed in the addons directory? Creating OAuth on the third-party service is not in my hands.
Thank you!
Q: would that be okay and approved?
My experience is that it is OK to use basic authentication (since a lot of APIs still use basic auth, it would be devastating if the use of API was prohibited), most likely you will be approved. However, if there is ever a version of the API that supports OAuth, please migrate as soon as possible.
Caveats
You mentioned creating a login form in CardService - please, be aware that there are no "password"-style TextInputs, so all characters will be visible all the time + there isn't, as of yet, any support for input event, so you won't be able to emulate the behaviour easily.
If you are planning on storing the credentials, try to avoid using PropertiesService - it isn't considered a secure storage (though if credentials are to be entered only once, storing the token should be fine).
You will still be asked to implement the authorizationCheckFunction.

Which authentication can be used for managing Box users through REST end points

I am working on an Identity management application, using which my goal is to manage users on Box application.
I was going through Box documentation, and there are two ways for authentication
1. OAuth 2.0, which has redirection URI as required parameter. And due to which I cannot make use of it, since I will not be able to enter username and password and Authorize dynamically using my Java code.
   Reference: https://box-content.readme.io/reference#oauth-2
2. JWT authentication, this I can use in my code and successfully get Access token. But problem here is, this access token can only be used to manage App Users (who will not have login to Box website).
   Reference: https://box-content.readme.io/docs/box-developer-edition
So, is there any other authentication mechanism which I can use for getting Access token for managing Box users?
Regards,
Sandeep
The current best option is #1 with a process like this:
1. Create a Box application with the 'Manage an Enterprise' scope enabled.
2. Use a web-based access token generator (such as this or this) to get an initial access/refresh token pair. Save these somewhere safe (flat file, DB).
3. Code your application to initialize itself with the access/refresh token pair from its saved location.
4. When the access/refresh token pair is refreshed, write them out to the save location.
If your application runs across multiple nodes/processes this approach will require some (painful) coordination between them. I believe Box is working on some improvements in this area, so you may not have to live with this for long.
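
One way to implement the save/reload/refresh steps above with a flat file, as an added example that is not part of the original answer or Box's own code. Assumptions: refresh_fn is a hypothetical stand-in for the call that exchanges a refresh token for a new pair, the expires_at/expires_in field names are constructed for this sketch, and the POSIX file lock only coordinates processes on one host.

```python
import fcntl
import json
import os
import tempfile
import time


class TokenStore:
    """Access/refresh token pair in a flat file shared by several processes."""

    def __init__(self, path, refresh_fn, skew=60):
        self.path = path
        self.refresh_fn = refresh_fn  # hypothetical: refresh_token -> new pair dict
        self.skew = skew              # refresh this many seconds before expiry

    def save(self, pair):
        # mkstemp creates the file with mode 0600; the rename is atomic, so a
        # crash never leaves a half-written or world-readable token file.
        directory = os.path.dirname(os.path.abspath(self.path))
        fd, tmp = tempfile.mkstemp(dir=directory)
        with os.fdopen(fd, "w") as f:
            json.dump(pair, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)

    def access_token(self, now=None):
        now = time.time() if now is None else now
        # Exclusive lock on a sidecar file: one process refreshes at a time.
        with open(self.path + ".lock", "w") as lock:
            fcntl.flock(lock, fcntl.LOCK_EX)
            with open(self.path) as f:  # re-read under the lock: a peer may
                pair = json.load(f)     # already have refreshed the pair
            if pair["expires_at"] - self.skew <= now:
                new = self.refresh_fn(pair["refresh_token"])
                pair = {"access_token": new["access_token"],
                        "refresh_token": new["refresh_token"],
                        "expires_at": now + new["expires_in"]}
                self.save(pair)  # persist before handing the token out
            return pair["access_token"]


if __name__ == "__main__":
    # Constructed demo: fake refresh function and an already-expired pair.
    path = os.path.join(tempfile.mkdtemp(), "box_tokens.json")
    fake = lambda rt: {"access_token": "A2", "refresh_token": "R2", "expires_in": 3600}
    store = TokenStore(path, fake)
    store.save({"access_token": "A1", "refresh_token": "R1", "expires_at": 0})
    print(store.access_token())
```

Running across several nodes needs the same read-under-lock, refresh, persist sequence against a shared store instead of a local file.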

Use curl instead of browser to get auth_token

Looking at: http://developers.box.com/get-started/#authenticating on step #2 I'm trying to use curl to enter the credentials (user/email/password) to get the auth_token. I'd rather do it this way instead of directing the user to their browser because I'm making a script for syncing.
Anyone have an idea how I can do this? Can I just do a POST with curl? I'm using v2 of the API.
You must send the user through the web page, unfortunately. However, since you are writing a script, you should also be aware that auth_tokens under the current system, so you can manually retrieve one and include it in your script.
Just one thing to note. If you don't use the standard authentication flow that goes through the Box web ui, then Box's large customers that have all their users sign-on with SSO (Active Directory and similar) logins, won't be your customers.
So, basically, if you want your app to be picked up by enterprise-level customers, then follow the building guidelines that Box provides.

Box API Login issue

How to make a login call using the Box API methods in my webservice?
I can only see a URL that redirects to a Box login page, where the user needs to enter a username and password, but I need this as a webservice call.
Has anyone done it using the API?
Regards Sathish
You can find the full details here, but in short, you can set a callback URL for your app at http://www.box.com/developers/services that Box will send the authentication token to. You can set up your web service to receive the token there.
The way Box's authentication flow is designed is to prevent the need for users to provide 3rd parties (you in this case) with their credentials. The fact that there is no mechanism to authenticate a user by passing their credentials through a web service call is deliberate, and there is no straightforward work around I'm aware of (especially no such workaround that would be consistent with the terms of use of their API).
http://developers.box.com/get-started/#authenticating
There is a new authentication mechanism they have in the pipeline which will allow you to authenticate to a sandboxed folder for your application using a much simpler process. This is currently in private beta. This might fit the needs of what you are looking for once it is available.
http://developers.box.com/docs/#tokens

I can not get auth_token when user login with google account at box's login authorization page

I was following the steps from box.net document
http://developers.box.com/get-started/#authenticating
I can get a ticket as it said first.
Then I use that ticket at the following URL: https://www.box.com/api/1.0/auth/{your ticket}
In a browser, it works as it says: the browser will direct the user to the Box login page.
In that login page, if I input a username/password for login,
I can get the auth_token as the document says.
The problem is when I don't choose username/password for login but use Google OpenID to log in to a Box account.
I am not able to get that auth_token as the document says. The response returns with the following status:
not_logged_in
I want to know if this is a bug or if I am not correctly using the API to get that auth_token.
As many Box users are now using Google OpenID as their primary login choice, this seems a common use case that needs to be supported.
If anyone knows the answer, it would be very appreciated.
Thanks
If a non-OpenID user is able to authenticate through the Box API's standard authentication process, then your code is fine. We have had reports of issues for our Single Signon issues, so this is likely a bug on our end.
Just make sure your app can authenticate users who have Box passwords. When we resolve these SSO issues, OpenID users will be able to connect your app without any changes on your end.