How to get authenticated token after redirecting user

Question

According to an error message I was getting when I tried to get an authentication request token through service.getRequestToken(), I am not actually allowed to do it that way, and must instead use service.getAuthorizationUrl() to redirect the user. The problem is, i don't know what to do after that. I don't have a request token to give the service.getAccessToken(), and I have no idea how to get the appropriate verifier, either.

• How do I get the needed verifier that I need in order to get an access token?
• How do I get the needed request token, since I can't use service.getRequestToken()?

Here is the code I have so far:

import java.awt.Desktop;
import java.net.URI;
import org.scribe.model.*;
import org.scribe.oauth.OAuthService;

public class HelloBox{

    public static void main(String[] args) throws Exception{

        BoxOAuth2API box = new BoxOAuth2API();

        OAuthConfig config = new OAuthConfig(
                /* [...] */,              //client id
                /* [...] */,              //client secret
                "https://localhost:4000", //callback
                null, null,               //signature type, scope
                System.out                //debug stream
            );

        OAuthService service = box.createService(config);

        Desktop.getDesktop().browse(URI.create(service.getAuthorizationUrl(null)));

        // === What do I do now? ===

        Verifier v = new Verifier( /* ??? */ );

        Token accessToken = service.getAccessToken(null, v);

    }

}

I found this BoxOAuth2API class online. If the problem is with this, where is an API class that does work?

public class BoxOAuth2API extends DefaultApi20 {
    //http://developers.box.com/docs/
    private static final String AUTHORIZE_URL = "https://www.box.com/api/oauth2/authorize?client_id=%s&redirect_uri=%s&response_type=code";
    private static final String SCOPED_AUTHORIZE_URL = AUTHORIZE_URL + "&scope=%s";

    @Override
    public Verb getAccessTokenVerb() {
        return Verb.POST;
    }

    @Override
    public AccessTokenExtractor getAccessTokenExtractor() {
        return new JsonTokenExtractor();
    }

    @Override
    public String getAccessTokenEndpoint() {
        return "https://www.box.com/api/oauth2/token?grant_type=authorization_code";
    }

    @Override
    public String getAuthorizationUrl(OAuthConfig config) {
        // Append scope if present
        if (config.hasScope()) {
            return String.format(SCOPED_AUTHORIZE_URL, config.getApiKey(),
                    OAuthEncoder.encode(config.getCallback()),
                    OAuthEncoder.encode(config.getScope()));
        } else {
            return String.format(AUTHORIZE_URL, config.getApiKey(),
                    OAuthEncoder.encode(config.getCallback()));
        }
    }
}

Answer 1

Box has a java sdk now. It does not really provide a OAuth flow UI but here is sample code how you can create the OAuth and get the box client authenticated: https://github.com/box/box-java-sdk-v2/wiki/HelloWorld

For the sdk, please check here: https://github.com/box/box-java-sdk-v2

Answer 2

In order for you to get the callback, you have to have enough control of your machine to run a listener process that can receive HTTP requests from Box. Box will call out to you over http only to a localhost address. You have to use https for any other callback than localhost addresses.

The Box SDK handles the OAuth stuff for you. You shouldn't need the

import org.scribe.model.*;
import org.scribe.oauth.OAuthService;

You also have to configure your Box application to point at whatever address you want it to call out to you for. I strongly recommend localhost to get started with, since that will just work on most computers, and doesn't require you setting up SSL certs. I just updated the instructions for the helloWorld example. Hopefully that helps a little.