3

I have two questions about Box's OAuth2 API in a testing environment.

  1. Is it possible to have multiple redirect_URI addresses? I'd like to use one address for production (e.g., https://my_site.com/box_redirects_here), one for ongoing development (http://localhost:8000/box_redirects_here) and one for automatic UI tests (http://localhost:8001/box_redirects_here). As far as I could see, the only way to do that would be to create three different Box applications - is there an easier way? BTW, both Dropbox and Google Drive do support multiple redirect URIs.
  2. I have a set of automatic tests that I'd like to run a few times a day. The challenge I'm facing is that every time I run these tests, my refresh_token is invalidated, and I can't use it again - which means I can't run the same set of tests a few hours later without manually getting a new token. One solution would be to save the refresh token, for example in a file, so I could reuse it across testing sessions. But:
    • It's really cumbersome.
    • If different developers are running these tests from different machines with no common file system, that doesn't really work.
    • Again, for whatever reason this doesn't seem to be an issue with Google Drive or with Dropbox.
Roy2012
  • The less-than-elegant solution I'm using for #2 is to have an automatic UI test (Selenium) that connects my application to Box. I then use the newly created token for a few back-end tests. Ugly, but it works most of the time. – Roy2012 May 20 '15 at 05:09

2 Answers

3
  1. This is not currently possible, and I agree that would be nice.
  2. Your best option is to save the access/refresh token pair to a file or a database (in the event that there's no common filesystem.) The OAuth2 spec grants implementers wide latitude on how they issue refresh tokens, if they issue them at all (I don't think Dropbox does.) While Box's implementation makes integration testing a bit challenging, I think that it ultimately hews most closely to the spec's recommendations.
John Hoerr
2

For your first question, you might be able to get close to what you want by using the redirect_uri query parameter. Although you won't be able to supply an arbitrary redirect URI, you can give one that has the same base URL as the redirect URI in your app console.

From the OAuth tutorial:

Wildcard redirect_uri values are also accepted in the request as long as the base url matches the URI registered in the application console. A registered redirect_uri of https://www.myboxapp.com can be dynamically redirected to https://www.myboxapp.com/user1234 if passed into the request redirect_uri parameter.

For your second question, John is right - Box invalidates a refresh token after it has been used. Although this can be annoying, it's also more secure.

Greg
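The save-and-reuse approach both answers describe, as an added example that is not part of either answer or of Box's SDK: because each refresh token is invalidated once used, the replacement has to be persisted atomically before any test uses the new access token. `RotatingTokenStore`, `refresh_fn` and `FakeRotatingServer` are hypothetical names; the fake server is a constructed stand-in for a rotating token endpoint, and the file path stands in for whatever shared store the test machines can reach.

```python
import json
import os
import tempfile

class RotatingTokenStore:
    """Persists an OAuth2 token pair whose refresh token is single-use."""

    def __init__(self, path, refresh_fn):
        self.path = path
        self.refresh_fn = refresh_fn  # assumption: refresh_token -> new token dict

    def load(self):
        with open(self.path, encoding="utf-8") as fh:
            return json.load(fh)

    def save(self, tokens):
        # Write a temp file in the same directory, then rename over the old
        # one, so a crash mid-write cannot destroy the only valid token.
        directory = os.path.dirname(os.path.abspath(self.path))
        fd, tmp = tempfile.mkstemp(dir=directory)  # created with mode 0600
        try:
            with os.fdopen(fd, "w", encoding="utf-8") as fh:
                json.dump(tokens, fh)
                fh.flush()
                os.fsync(fh.fileno())
            os.replace(tmp, self.path)
        except BaseException:
            os.unlink(tmp)
            raise

    def refresh(self):
        old = self.load()
        new = self.refresh_fn(old["refresh_token"])
        # The old refresh token is now dead: store its replacement before
        # handing the access token to any test.
        self.save({k: new[k] for k in ("access_token", "refresh_token")})
        return new["access_token"]

class FakeRotatingServer:
    """Constructed stand-in for a token endpoint that rotates refresh tokens."""

    def __init__(self, initial):
        self.valid, self.issued = initial, 0

    def refresh(self, refresh_token):
        if refresh_token != self.valid:
            raise PermissionError("invalid_grant: refresh token already used")
        self.issued += 1
        self.valid = f"refresh-{self.issued}"
        return {"access_token": f"access-{self.issued}", "refresh_token": self.valid}
```

In a real test suite `refresh_fn` would be the function that posts the refresh token to the provider's token endpoint, and the token file belongs outside version control.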