box / box-windows-sdk-v2

Windows SDK for v2 of the Box API. The SDK is built upon .NET Framework 4.5

Home Page: https://developer.box.com

SDK Errors When Using JWT Auth with Custom Base URLs

trevordebard opened this issue · comments

  • I have checked that the SDK documentation doesn't solve my issue.
  • I have checked that the API documentation doesn't solve my issue.
  • I have searched the Box Developer Forums and my issue isn't already reported (or if it has been reported, I have attached a link to it, for reference).
  • I have searched Issues in this repo and my issue isn't already reported.

Description of the Issue

When using a custom base URL, JWT auth will always fail with the error shown below. This occurs because the constructJWTAssertion function call to build the JWT uses _boxConfig.BoxApiHostUri instead of new Uri(https://api.box.com/oauth2/token).

It looks like the other language SDKs handle this by ensuring "https://api.box.com/oauth2/token" is a constant when generating a token.

Implementation in Other SDKs:

Steps to Reproduce

  1. Configure the client to change the base url to "http://localhost"
  2. Creation of the token will fail because the JWT will have an aud value of "http://localhost/oauth2/token".

var reader = new StreamReader("box_config.json");
var json = reader.ReadToEnd();
var config = BoxConfigBuilder.CreateFromJsonString(json).SetBoxApiHostUri(new Uri("http://localhost:8081")).Build();
var session = new BoxJWTAuth(config); // JWT will be generated with wrong aud here
var token = await session.AdminTokenAsync();
client = session.AdminClient(token);
return client;

Error Message, Including Stack Trace

{"error":"invalid_grant","error_description":"Please check the 'aud' claim. The value for 'aud' is invalid"}

Suggested Change

Always use https://api.box.com/oauth2/token when generating a JWT

Please let me know if I am missing something or if there are any workarounds to this that I may not be aware of. Thanks!

Hi @trevordebard,
thanks for posting this issue. We will try to fix it asap.
Best,
@lukaszsocha2

Hi @trevordebard,
may I ask what your use case is, that you want to change the base URL to localhost but still keep box.api.com in the aud field?

@lukaszsocha2 Sure, I am creating a middleware API that will accept incoming requests from a client and forward those along to Box. The client already interfaces with the Box API, so we plan to update the SDK configuration to change the base URL to the new middleware host. The middleware will receive the request, perform some actions such as logging, and then send the request to Box.

We'll release a new package with this fix sometime this week.
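
Added example, not code from the Box SDK or from anyone in this thread: a self-contained C# sketch (current .NET with System.Text.Json) of why the assertion's aud has to stay pinned to the token endpoint when the API base URL points at a proxy. The claim values, the ephemeral key, the way the "derived" audience is built and the ServerAccepts check are constructed stand-ins for the real app credentials, the SDK internals and the server-side validation.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
static class JwtAudienceDemo
{
    // Audience the authorization server expects (value taken from the issue).
    const string TokenEndpoint = "https://api.box.com/oauth2/token";
    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static byte[] FromB64Url(string s) => Convert.FromBase64String(
        s.Replace('-', '+').Replace('_', '/').PadRight((s.Length + 3) / 4 * 4, '='));

    // Builds an RS256-signed assertion; iss/sub are constructed sample values.
    static string BuildAssertion(RSA key, string aud)
    {
        var claims = new Dictionary<string, object>
        {
            ["iss"] = "sample-client-id", ["sub"] = "sample-enterprise-id",
            ["box_sub_type"] = "enterprise", ["aud"] = aud,
            ["jti"] = Guid.NewGuid().ToString("N"),
            ["exp"] = DateTimeOffset.UtcNow.AddSeconds(45).ToUnixTimeSeconds()
        };
        string input = B64Url(Encoding.ASCII.GetBytes("{\"alg\":\"RS256\",\"typ\":\"JWT\"}")) + "." +
                       B64Url(JsonSerializer.SerializeToUtf8Bytes(claims));
        byte[] sig = key.SignData(Encoding.ASCII.GetBytes(input),
                                  HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return input + "." + B64Url(sig);
    }

    // Stand-in for the server-side check: valid signature AND an exact "aud" match.
    static bool ServerAccepts(RSA publicKey, string jwt)
    {
        string[] p = jwt.Split('.');
        bool sigOk = publicKey.VerifyData(Encoding.ASCII.GetBytes(p[0] + "." + p[1]),
            FromB64Url(p[2]), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var doc = JsonDocument.Parse(Encoding.UTF8.GetString(FromB64Url(p[1])));
        return sigOk && doc.RootElement.GetProperty("aud").GetString() == TokenEndpoint;
    }

    static void Main()
    {
        using var key = RSA.Create(2048); // ephemeral key pair, constructed for the demo
        string derived = new Uri(new Uri("http://localhost:8081"), "oauth2/token").ToString();
        Console.WriteLine(derived + " accepted: " + ServerAccepts(key, BuildAssertion(key, derived)));
        Console.WriteLine(TokenEndpoint + " accepted: " + ServerAccepts(key, BuildAssertion(key, TokenEndpoint)));
    }
}
```

The signature is valid in both cases; only the audience differs, which is why the failure surfaces as invalid_grant on the aud claim rather than as a signature error.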