SDK Errors When Using JWT Auth with Custom Base URLs
trevordebard opened this issue
- I have checked that the [SDK documentation][sdk-docs] doesn't solve my issue.
- I have checked that the [API documentation][api-docs] doesn't solve my issue.
- I have searched the [Box Developer Forums][dev-forums] and my issue isn't already reported (or if it has been reported, I have attached a link to it, for reference).
- I have searched [Issues in this repo][github-repo] and my issue isn't already reported.
Description of the Issue
When using a custom base URL, JWT auth will always fail with the error shown below. This occurs because the constructJWTAssertion function call to build the JWT uses _boxConfig.BoxApiHostUri instead of new Uri(https://api.box.com/oauth2/token).
It looks like the other language SDKs handle this by ensuring "https://api.box.com/oauth2/token" is a constant when generating a token.
Implementation in Other SDKs:
Steps to Reproduce
- Configure the client to change the base url to "http://localhost"
- Creation of the token will fail because the JWT will have an aud value of "http://localhost/oauth2/token".
```csharp
var reader = new StreamReader("box_config.json");
var json = reader.ReadToEnd();
var config = BoxConfigBuilder.CreateFromJsonString(json).SetBoxApiHostUri(new Uri("http://localhost:8081")).Build();
var session = new BoxJWTAuth(config); // JWT will be generated with wrong aud here
var token = await session.AdminTokenAsync();
client = session.AdminClient(token);
return client;
```
Error Message, Including Stack Trace
{"error":"invalid_grant","error_description":"Please check the 'aud' claim. The value for 'aud' is invalid"}
Suggested Change
Always use https://api.box.com/oauth2/token when generating a JWT
Please let me know if I am missing something or if there are any workarounds to this that I may not be aware of. Thanks!
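A pre-flight check for the failure reported above, as an added example that is not part of the original issue or of the SDK: it decodes the payload of a JWT assertion and tests whether "aud" is the token endpoint quoted in the issue, independent of the configured base URL. The class and method names, the placeholder issuer and signature, and the sample assertions are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

public static class JwtAudienceCheck
{
    // Token endpoint quoted in the issue; "aud" has to match it exactly.
    const string TokenEndpoint = "https://api.box.com/oauth2/token";

    // Behaviour reported in the issue: aud is derived from the configurable API host.
    static string AudFromHost(Uri apiHost) => new Uri(apiHost, "oauth2/token").ToString();

    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] B64UrlDecode(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    // Constructed sample: a JWT-shaped string with a placeholder signature, for inspection only.
    static string SampleAssertion(string aud)
    {
        var header = JsonSerializer.SerializeToUtf8Bytes(new { alg = "RS256", typ = "JWT" });
        var payload = JsonSerializer.SerializeToUtf8Bytes(new { iss = "client-id-placeholder", aud });
        return $"{B64Url(header)}.{B64Url(payload)}.c2ln";
    }

    // Decode the payload segment and collect "aud" (a string or an array of strings per RFC 7519).
    static string[] ReadAud(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact JWT");
        using var doc = JsonDocument.Parse(Encoding.UTF8.GetString(B64UrlDecode(parts[1])));
        var aud = doc.RootElement.GetProperty("aud");
        return aud.ValueKind == JsonValueKind.Array
            ? aud.EnumerateArray().Select(e => e.GetString()).ToArray()
            : new[] { aud.GetString() };
    }

    static bool AudMatchesTokenEndpoint(string jwt) =>
        ReadAud(jwt).Contains(TokenEndpoint, StringComparer.Ordinal);

    public static void Main()
    {
        var proxy = new Uri("http://localhost:8081"); // custom base URL from the issue's repro
        Console.WriteLine($"aud derived from custom host matches: {AudMatchesTokenEndpoint(SampleAssertion(AudFromHost(proxy)))}");
        Console.WriteLine($"aud fixed to token endpoint matches: {AudMatchesTokenEndpoint(SampleAssertion(TokenEndpoint))}");
    }
}
```

The check reads claims only and does not verify the signature, so it is a diagnostic for the "aud" mismatch and not a token validator.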
Hi @trevordebard,
thanks for posting this issue. We will try to fix it asap.
Best,
@lukaszsocha2
Hi @trevordebard,
may I ask what is your use case that you want to change base url to localhost, but still keep box.api.com in aud field?
@lukaszsocha2 Sure, I am creating a middleware API that will accept incoming requests from a client and forward those along to Box. The client already interfaces with the Box API, so we plan to update the SDK configuration to change the base URL to the new middleware host. The middleware will receive the request, perform some actions such as logging, and then send the request to Box.
We'll release a new package with this fix sometime this week.