Error when authenticating Box app with Enterprise account that uses SSO - box-api

I am developing an app against an Enterprise account that has SSO enabled. When I authenticate, it will accept just my email address if I am already authenticated with Box in my browser session. All looks good, and I get the message via Box "Thanks for logging in"...and that I am free to proceed with my app.
However, when I try to get my auth token, I get the "get_auth_token_error", and the Box documentation doesn't give me any details on this, other than saying it is a generic error state.
I've tested this with a non-enterprise app (which obviously is not SSO), and all works. Note I am v1 of the Box API

Enterprise Box accounts with SSO enabled need to have the API keys for each application turned on.
The problem turned out that my API key had not been turned on. This is only applicable with SSO enabled enterprise Box accounts. A request has to be made to the Box API team to turn this on.
What confused things was at the same time Box had a known issue with SSO authentication via the API.

There was an issue earlier in the week with SSO. We have rolled out a fix for the issue. If you are still having problems with SSO in your application, can you please reach out to us at api at Box dot com and give us additional information for reproducing your problem.

Related

bypass gmail device verification

I have a gmail account that I want to use for one of our internal services. We have a server running and we want this gmail account to be used to send out an automated email to people who register.
Now, here's the problem. I have correctly configured my gmail id in the server and know that I am able to correctly ping the gmail smtp server. However,I always get stuck because gmail by default expects you to verify any new device you log in from using an OTP. In my case, this is the first time login from this server machine and hence this happens. I can see it in the logs as well - it brings up this device verification page.
Some questions:
Is there a way I can turn off this feature in gmail? I don't think this is the same as 2 step verification. I have turned it off. I have also enabled my gmail account to be accessible from non secure apps.
If not, is there a way to do the verification step via command line on my Linux server?
Any other smtp based email service I could use that does not have so many security features?
Lastly, I am doing this for a quick prototype. Therefore I am ok bypassing some of these aspects. However, I would definitely want to ensure that the access to my account is secure once this is productized. Any links on how we can do this from non google apps or services?
Thanks in advance!!
It sounds to me you have an application that needs to work on your behalf and do some gmail-related tasks.
If that's the case, why not use the Gmail API with Service Account impersonation?
In short, a service account can impersonate a real user. This is a process that does not require manual input after it's setup, so it's ideal for server-side usage, where you might not even have a UI to interact with.
Also, the Gmail API is much easier to set up than Gmail SMTP, and there are examples out there on how to do this with this setup. You can look at this answer for some references on what it would take.

How to fetch Google OAuth access tokens from Chrome extensions - tradeoffs between options

EDIT: In case it helps others who find this, the fact that Gaia clears cookies after Chrome restart is known behavior. They recommend the use of Chrome login. See more here.
The core question: how do I fetch Google OAuth access tokens in the background from a Chrome extension without using the getAuthToken method in the chrome.identity API? This method forces users to login to Chrome, which isn't ideal for our app. There's also no way I can find to retrieve OpenID Connect ID tokens using the native methods exposed in the identity API.
Currently, I'm fetching tokens using the launchWebAuthFlow method from the chrome.identity API. This method launches an "Identity API Scope Approval UI" window in which the user makes the initial OAuth grant. This window (referred to as "gaia") has its own session / cookie data, separate from a browser session.
After the initial OAuth grant, the extension periodically retrieves access tokens in the background, and subsequently fetches data from Google APIs (e.g. Drive). This works well. When a user quits and re-opens Chrome, however, fetching access tokens fails - gaia loses its session cookies when Chrome restarts, so running the launchWebFlowAuth method doesn't complete because Google can't authenticate the user (unless we prompt the user to login in the Identity API Scope Approval UI again). Others seem to have had the same issue.
Google Sign-In would be ideal, but it doesn't work in Chrome extensions (I'm getting the same "Invalid cookiePolicy" error as the author of that issue).
Any advice on how to best handle this use case would be very much appreciated!

OAuth2 with no UI?

I'm in the middle of developing an application that integrates Box with an identity management environment for the purposes of SSO and user lifecycle management. Basically, our users use SAML to sign into their Box accounts, and then the status of their Box accounts is managed based on the status of their corporate accounts - if we terminate a user, the user's Box account needs to get disabled. This is one of many use cases that were in progress before the OAuth2 change.
Prior to the OAuth2 change, I was able to authenticate my enterprise admin account with the api_key and auth_token. This worked very well.
Now, with OAuth2, I'm not sure how to proceed. There is no UI for this at all, and I have no place to handle a redirect for the authorization token. Moreover, this is a nightly process that runs using the enterprise admin account, so I would have to get a new refresh token and bearer token every time this runs.
This doesn't make a lot of sense for my use case. Is there an alternative?
I am busy writing the same code with the same frustration as you have. However the refresh token does live for 14 days and what I plan to do is store the returned values encrypted in the registry. Each run my first action is to refresh the bearer key.
There however is no current timeline on the phasing out of the V1 Auth method and since some of the Enterprise stuff is yet to be ported to API V2 I suspect that if enough Enterprises push the BOX API team for a solution on this I am sure they will listen.
If I am honest I prefer the OAuth2 solution as it stops the key to your whole Enterprise data been sent in clear text across the internet as a URL param in API V1 and if someone did manage to break the SSL then only get a access token that is worth 60 mins max.
Not sure what language your writing the routines in but I am working with the API V2 SDK written by John Hoerr on GitHub and apart from a few little issues that he has fixed straight away from a .Net perspective it makes hitting the API a much more pleasant experience with all the de\serialisation handled by the SDK.

2 Legged Flow for service account authentication BOX

Is there any way for going around the login page required after getting a BOX token.
I need to use the BOX account as an admin so is there any workaround so that it can be done programatically.
If by the login page you're referring to the credentials page at:
https://www.box.com/api/1.0/auth/{your ticket}
that you redirect the user to after getting a ticket from:
GET https://www.box.com/api/1.0/rest?action=get_ticket&api_key={your api key}
Then the answer is currently no. As far as I know there's no plans to support an authentication method involving directly supplying credentials.
You can easily fill out the form and submit it without ever opening a browser. If you are using Python, you can do this with Mechanize or Clientform. I suppose you can do the same thing with other languages as well. But I'm not sure what the point is, since you need to authenticate your user, and the Box login page does the job nicely. If you don't want to make the user sign in every time, then serialize the token with a timestamp denoting how long you want it to be good for and use that token until it expires.
good luck,
Mike
there has been new developments since this question was posted, and now it's possible to use JWT (JSON Web Token) and Box Developers Edition to access Box.
If you create a developer account you will be able to create App users and login using an enterprise token and a private key file. Check out the docs for more information: Box Developer Edition
Additonally, boxsdk comes with support for Box Developer Edition

I can not get auth_token when user login with google account at box's login authorization page

I was following the steps from box.net document
http://developers.box.com/get-started/#authenticating
I can get a ticket as it said first.
Then I use that ticket at following url https://www.box.com/api/1.0/auth/{your ticket}
in a browser, it works as it says. the browser will direct the user to box login page.
In that login page if I input username/password for login.
I can get the auth_token as the document says.
The problem is while I didn't choose username/password for login but use google openid to login an box account.
I will not able to get that auth_token as the document says. the returning response with following status:
not_logged_in
I want to know if this is a bug or I not correctly using the API to get that auth_token.
As many of box user now are using google openid as primely login choice this seems an common use case need be supported.
If anyone know the answer would be very appreciated.
Thanks
If a non-OpenID user is able to authenticate through the Box API's standard authentication process, then your code is fine. We have had reports of issues for our Single Signon issues, so this is likely a bug on our end.
Just make sure your app can authenticate users who have Box passwords. When we resolve these SSO issues, OpenID users will be able to connect your app without any changes on your end.