OAuth fails with 2-step authentication

2-step authentication causes the OAuth 2 flow to fail. There’s also a 404 error. This problem is completely new and was reported to me yesterday.

The problem is that there is a URL using box.net rather than box.com. I can work around it by changing it in the browser’s address bar, then opening that page. I will get two SMS messages, but the second one works.

Hi Tobias, welcome to the community!

Thanks for reporting this.

Can you elaborate a bit more and describe the steps to get to that error?

I can’t recognize where the error is coming from.


When a desktop application starts the OAuth process by opening the initial OAuth URL in the web browser, the URL is similar to this:

On an account with 2-step auth, the user gets redirected to a URL similar to the following, after entering the user name and password:

Ouch! That should be box dot com, not box dot net.

Ultimately, after entering the OAuth code from the SMS, the process cannot get any further because of the wrong domain.

Hi @tobias

When you say a desktop application, what do you mean, which application?

I’ve tried to replicate this…

Login screen:

2FA Screen:

Grant access screen:

Callback screen (my app):

The URLs of the different screens do not match yours, so can you add some more details about how you got here?


My application uses the older URL api.box.com/oauth2/authorize rather than account.box.com/api/oauth2/authorize. If you use this older URL, you will see the error.

This worked fine until a few days ago.

Of course I’ll update the app, but whether this URL is allowed or not, it should not fail like that. And if you no longer use box dot net, then you should look through all source code and scripts and update all occurrences. There’s definitely some code that leads the user to box dot net somewhere on your servers.
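An added example of the client-side checks this thread points at (not Box's or Tobias's code): it builds the authorize URL from the current endpoint named above, carries a state token through the flow, and walks a constructed redirect chain to flag a hop that leaves box.com, such as the box.net redirect described here. The client_id, redirect_uri, 2FA path and sample chain are assumptions.

```python
# Added example, not Box's code: build the current authorize URL and
# check each host an OAuth redirect chain touches, flagging the box.net
# hop described in this thread. Endpoint paths are from the thread;
# client_id, redirect_uri and the sample chain are constructed.
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Current endpoint from the thread; the older api.box.com/oauth2/authorize
# is the one that misbehaved.
AUTHORIZE_URL = "https://account.box.com/api/oauth2/authorize"
ALLOWED_SUFFIXES = (".box.com",)  # only box.com and its subdomains


def build_authorize_url(client_id, redirect_uri, state=None):
    """Return (url, state); state is a per-request CSRF token."""
    state = state or secrets.token_urlsafe(32)
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{AUTHORIZE_URL}?{query}", state


def host_allowed(url):
    """True only for https URLs whose host is box.com or a subdomain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return False
    return any(host == s[1:] or host.endswith(s) for s in ALLOWED_SUFFIXES)


def check_redirect_chain(chain):
    """Return the first URL whose host is outside the allowlist, else None."""
    for url in chain:
        if not host_allowed(url):
            return url
    return None


def extract_code(callback_url, expected_state):
    """Parse the callback; refuse the code unless state matches."""
    params = parse_qs(urlsplit(callback_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: not the flow this app started")
    return params.get("code", [None])[0]


# Constructed chain mirroring the thread: login on box.com, then the
# 2-step verification hop on the wrong box.net domain (path is made up).
SAMPLE_CHAIN = ["https://account.box.com/login",
                "https://app.box.net/api/oauth2/2fa"]
```

A desktop app that follows redirects itself can run `check_redirect_chain` over the hops it observes and stop before sending a 2-step code to an unexpected host.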

Makes sense for sure, @tobias

I’ve checked the documentation that I found to be related to this, and I can’t find a reference to that endpoint. I’m assuming it’s something older that got updated in the meantime, or it might be used by our web app and not intended to be used by external apps.

I’ll ping the internal teams to see if they can find something.

Anyway thanks for spotting this, we appreciate it!