I am investigating the possibility of integrating Box API calls from an internal application that sits behind our firewall (it is not exposed to the outside world).

So the question is, if we fire off an authentication request to Box with a callback URI, does Box post back directly to the specified callback URI (so essentially it's initiating a new request from Box to the client), or does it send a request back to the client who made the request (standard HTTP request/response), and expect the client to redirect to the callback URI with the tokens?

This might sound an odd question, but during my investigation it appears this is how the Twitter OAuth protocol works, and if so it would help us a lot as we don't want to open up the firewall to the outside world.

See here for info: https://dev.twitter.com/discussions/5801

EDIT: Just found this which seems to suggest that the client will always initiate the request, never the server: https://stackoverflow.com/a/6116736/811108

Many thanks in advance.

Justin Phillips

1 Answer

A typical user journey for OAuth on Box would look like this:

  1. User's browser requests www.someboxapp.com and the user clicks a login button
  2. User's browser requests the Box authentication URL which begins with https://www.box.com/api/oauth2/authorize
  3. User authenticates on the Box authorize webpage and then the Box site sends a 302 redirect header back to the user's browser. This header tells the user's browser to request the redirect_uri configured by www.someboxapp.com
  4. User's browser requests the redirect URL on www.someboxapp.com - e.g. http://www.someboxapp.com/oauth/redirect_uri
  5. The Box Application running on www.someboxapp.com makes a POST request to https://www.box.com/api/oauth2/token to complete the authentication and get an access token for using the Box API on behalf of the user.

What this means is that if you are running a Box web app on your internal network - you need to make sure that the webserver running the application and the users' machines can connect to https://www.box.com/api/oauth2/

If www.someboxapp.com only exists on your local network - that is fine - the Box API does not need to connect to this host.

madebydavid
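The five steps above, traced in code as an added example (this is not code from the answer or from Box). It uses the two Box endpoints named in the answer; the client id, client secret and the redirect URI on www.someboxapp.com are placeholders, and box.com is replaced by a constructed stand-in that only records which side opened each connection. That record is the point: every connection is initiated either by the user's browser or by the internal app server, and all of them go outward to www.box.com, so nothing ever has to reach the redirect host from the internet. The example also includes the OAuth `state` check that the app should perform when the browser arrives at the redirect URI.

```python
"""Box OAuth 2.0 authorization-code flow, traced step by step (added example).
box.com is simulated by FakeBox so the script runs offline."""
import secrets
import hmac
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoints named in the answer.
AUTHORIZE_URL = "https://www.box.com/api/oauth2/authorize"
TOKEN_URL = "https://www.box.com/api/oauth2/token"


def build_authorize_url(client_id, redirect_uri, state):
    """Steps 1-2: the URL the app sends the user's browser to after the login click."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 4: the browser arrives at the app's redirect_uri carrying Box's query string.
    Verify the state we issued (binds the callback to this user's session) and extract the code."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in qs:
        raise ValueError("authorization failed: " + qs["error"][0])
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def token_request(client_id, client_secret, code, redirect_uri):
    """Step 5: form body the app server POSTs to TOKEN_URL (server-to-server, outbound only)."""
    return {"grant_type": "authorization_code", "code": code,
            "client_id": client_id, "client_secret": client_secret,
            "redirect_uri": redirect_uri}


class FakeBox:
    """Constructed stand-in for www.box.com. It never opens a connection to anyone;
    it only answers connections made to it and records who made them."""

    def __init__(self):
        self.codes = {}        # outstanding single-use authorization codes
        self.received = []     # (initiator, url) for every connection Box received

    def authorize(self, url):
        # Step 3: after the user logs in, Box answers the browser with a 302 whose
        # Location is the app's redirect_uri plus code and echoed state.
        self.received.append(("browser", AUTHORIZE_URL))
        qs = parse_qs(urlparse(url).query)
        code = secrets.token_urlsafe(16)
        self.codes[code] = qs["client_id"][0]
        return qs["redirect_uri"][0] + "?" + urlencode({"code": code, "state": qs["state"][0]})

    def token(self, form):
        self.received.append(("app-server", TOKEN_URL))
        if form.get("grant_type") != "authorization_code" or form.get("code") not in self.codes:
            return {"error": "invalid_grant"}
        del self.codes[form["code"]]      # a code may be redeemed only once
        return {"access_token": "tok_" + secrets.token_hex(8), "token_type": "bearer"}


def run_flow(box, client_id, client_secret, redirect_uri):
    """Drive the whole journey; returns the token response and Box's connection record."""
    state = secrets.token_urlsafe(16)                     # kept in the user's session in a real app
    auth_url = build_authorize_url(client_id, redirect_uri, state)
    location = box.authorize(auth_url)                    # browser -> Box, 302 back to the browser
    code = parse_callback(location, state)                # browser -> internal app (LAN only)
    tokens = box.token(token_request(client_id, client_secret, code, redirect_uri))  # app -> Box
    return tokens, box.received


if __name__ == "__main__":
    # Placeholder credentials and the redirect URI from the answer (not real values).
    toks, conns = run_flow(FakeBox(), "CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER",
                           "http://www.someboxapp.com/oauth/redirect_uri")
    print(toks)
    for who, url in conns:
        print(f"{who:10s} -> {url}")
```

Running it prints the token response and two lines, `browser -> .../authorize` and `app-server -> .../token`; neither entry names www.someboxapp.com, which is exactly why the answer says the redirect host can live only on the local network. The outbound rule the internal app's firewall must allow is the one in the answer: the app server and the users' machines need to reach https://www.box.com/api/oauth2/.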