How do I complete this OAuth procedure without a server?

Question

I'm using the ruby-box gem to connect to box.com, where it states to use this code to get an access token:

session = RubyBox::Session.new({
  client_id: $boxClientID,
  client_secret: $boxClientSecret
})

authorize_url = session.authorize_url('https://redirect-url-in-app-settings')

@token = session.get_access_token('code-returned-to-redirect_url')

The problem is that I don't have a url to re-direct to, and I'm also not using a GUI, so I can't get the code from there. What do I do?

Answer 1

Ben here, I'm one of the developers of the ruby-box Gem. Here's what you can do:

• at app.box.com setup your application to use this callback

https://localhost/oauth2callback

• in IRB, generate an authorize url using the same callback:

    session = RubyBox::Session.new({
      client_id: $boxClientID,
      client_secret: $boxClientSecret
    })

    authorize_url = session.authorize_url('https://localhost/oauth2callback')

• paste this URL in a web-browser.
• once you authenticate with Box, you'll end up on a callback page with a URL that looks like this:

https://localhost/oauth2callback?state=&code=OQpfImZH35Ab9weUy61kthIvqZ2Dyz6

• Copy the value of code.
• Back in irb, run this command:

token = session.get_access_token('OQpfImZH35Ab9weUy61kthIvqZ2Dyz6')
access_token = token.token
refresh_token = token.refresh_token

• Store both the access token and refresh token in a database (or on a napkin, or wherever you see fit).
• From now on you can instantiate a session like this:

    session = RubyBox::Session.new({
      access_token: $storedAccessTokenValue,
      refresh_token: $storedRefreshTokenValue,
      client_id: $boxClientID,
      client_secret: $boxClientSecret
    })

    client = RubyBox::Client.new(session)

You only need to get the access_token and refresh_token once for a user.

Answer 2

So one problem is that the access and refresh tokens expire - I don't think you can store those tokens indefinitely and keep instantiating RubyBox sessions forever. If you want something incredibly unsafe (from the perspective that the script will store the username and password) but does work then you can use Mechanize to traverse the interactive part of the GUI. Here is a script I wrote today to solve the same problem. Note that you NEED to have a redirect URI for oauth2 and I could not figure out how to have Mechanize survive giving it a completely invalid URL. The URI has to be https so I chose https://www.chase.com randomly. The contents of that page does not matter, what does matter is that the authentication code is appended to the URL of the redirect and that is what I need.

But again, this is entirely contrary to the whole point of oauth2 where you grant apps rights without disclosing your own password. So use with caution...

Also, it does rely on the form structure and variable names in the authorization forms on box.com which could change at any time I suppose thus making this a bit fragile.

require 'ruby-box'
require 'mechanize'
require 'cgi'

# get as new box session
box_session = RubyBox::Session.new({
    client_id: 'your-client-id',
    client_secret: 'your-client-secret'
})

# Get the authorization URL from Box by specifying redirect URL
# as the arbitrary but working Chase bank home page
authorize_url = box_session.authorize_url('https://www.chase.com')

agent = Mechanize::new

# process the first login screen
login_page = agent.get(authorize_url)

# get the login form where you enter the username and password
login_form = login_page.form_with(name: 'login_form1')
login_form.login = 'your-box-username'
login_form.password = 'your-box-password'

# submit the form and get the allow/deny page back
allow_page = agent.submit(login_form)

# find the form that allows consent
consent_form = allow_page.form_with(name: 'consent_form')

# now find the button that submits the allow page with consent
accept_button = consent_form.button_with(name: 'consent_accept')

# Submit the form to cause the redirection with authentication code
redirpage = agent.submit(consent_form, accept_button)

# Use the CGI module to get a hash of the variables (stuff after ?)
# and then the authentication code is embedded in [" and "] so 
# strip those
code_query = CGI::parse(redirpage.uri.query)["code"].to_s
box_authentication_code = code_query[2,code_query.length-4]

# get the box access token using the authentication code
@token = box_session.get_access_token(box_authentication_code)

# print the tokens to show we have them
p @token.token 
p @token.refresh_token

# Create a new Box client based on the authenticated session
client = RubyBox::Client.new(box_session)

# prove it works by getting list of folders in root directory
folders = client.root_folder.folders
p folders

Answer 3

I'm using python, not ruby, so I can't tell you how to code this, but I can share with you how I've decided to work around this problem.

I'm writing a python script that will watch the events queue on box, and then handle new files as they are uploaded by users.

Because the python script is automated, I am going to the box token generator hosted on heroku (http://box-token-generator.herokuapp.com/) and using that to kick-start authenticating my app. Every time I make a request, I check to see if I get a 401 Unauthorized error, and if I do, I refresh my tokens.