Open app integration via Box returns 403


I’m trying to figure out why our app integration no longer opens successfully; it shows “403 Forbidden” when opening the app via Box (in a new tab). From our logs it looks like it stopped working on August 22nd (the OAuth endpoint hasn’t been called since then). Has something changed in how Box calls the authentication endpoint?

It’s this network call [...] that returns a 403. See screenshot:

When I call the URL specified in the query parameter above manually with a POST, it returns a redirect which can open the app successfully, so I suspect something might have changed on Box’s end. Any ideas or suggestions would be appreciated.


Can you give us a bit more context on this?

index.php? are you trying to interact directly with the Box app?

What are you trying to achieve here?


The app is an integration, so we can open files from the Box UI into our web app like this: right-click on a file → Integrations → [App name].

This opens a new tab with a URL looking like this: [...]?node_type=file

That web page has an iframe whose src includes index.php, looking like this: [AUTH_ENDPOINT?auth_code=...&file_id=..&user_id=...]&service_action_id=[...]&rm=box_openbox_post_form

But the above URL returns 403 and never calls the auth endpoint specified in its query parameter. I’ve tested the auth endpoint by calling it manually, and it returns a redirect to the web app and can authenticate against Box.

Sorry, I’m not very familiar with this; I haven’t developed the app, I just know it worked before. Let me know if you need any further information.


@user101 , don’t be sorry at all.

I’m also unfamiliar with this. Let me see if I can find someone to help.



So my folks are telling me the following:

  • The redirect is expected if that is an OAuth app.
  • Can you make sure that the way you are obtaining the token is the exact same way (meaning the exact same security context) as the one obtained via the iframe? The token generated by your app may not have the same permissions/shares relative to the token you obtained manually.
  • They also mentioned that there is an app diagnostic tool, so you can pull up the 403 error and send the request ID to support to dig into the backend.

Let us know if this helps.

@rbarbosa thank you for looking into it!

  • Ok :+1: It seems like our Client Callback URL redirects to our app, passing along the auth code, and then the app handles the authentication from the client. So what I said above, that the iframe calls the auth endpoint and then redirects, wasn’t completely correct. So the problem is perhaps not related to authentication, but rather that the redirect from the Client Callback URL is not passed back from the backend to the client?

  • Yes, I do use the same token. When doing it manually I copy the URL query parameter in the iframe src and run this curl command: curl -v -X POST $url-from-iframe-src, and that returns a 301 with a redirect to our app that I open in the browser, which then successfully authenticates against Box. Note: the $url-from-iframe-src needs to be URL-decoded before running the command.

  • Is that the “App Diagnostics” tool in the dev console? I tried running that with different timespans but I could not get it to work; it displays this error message:



Hi @user101

Gustaf, with my limited knowledge in this area, at this point I’m going to ask you to open a support case.

They will be able to trace the 403 error from the request and identify its source.

Sorry I can’t be of further assistance.


Hey @rbarbosa Ok, sounds like a good way forward. Thanks and cheers!

Hi @user101

Gustaf, my folks are telling me the issue has been resolved.

I wasn’t able to follow up all the interactions, but if you think the end result can help others, and you’re comfortable sharing the info, feel free to add a summary here.


Hi Rui!

I’m still not completely sure what the issue was; I think our app might have used some deprecated functionality.

This was how the integration callback was configured previously, with an optional “Preliminary Callback URL” field that had an info message saying it is no longer supported, see screenshot:

After clearing the URL and updating the method of the “Client Callback URL” endpoint from POST to GET the app started to work again.

Hope that makes sense.
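To illustrate the shape of a Client Callback URL handler that matches the fix above (serve GET, take auth_code, file_id and user_id from the query string, then redirect into the web app), here is an added example; it is not the thread’s app nor Box’s own code, and the app URL, port and the 405 response for POST are choices made for this illustration only.

```python
"""Hypothetical Client Callback URL handler (added example, not the thread's app).

Box opens the integration in a new tab and calls the configured Client
Callback URL with auth_code, file_id and user_id in the query string. The
thread's fix was to register that callback with method GET instead of POST,
so this handler serves GET and hands the parameters on to the web app via a
redirect. APP_URL and the listen address are constructed placeholders.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlsplit

APP_URL = "https://app.example.invalid/box/open"   # constructed placeholder
REQUIRED = ("auth_code", "file_id", "user_id")     # parameters seen in the thread


def parse_callback(query: str) -> dict:
    """Return the required Box callback parameters or raise ValueError."""
    qs = parse_qs(query, keep_blank_values=False)
    missing = [k for k in REQUIRED if k not in qs]
    if missing:
        raise ValueError(f"missing callback parameter(s): {', '.join(missing)}")
    # Reject repeated parameters so there is no ambiguity about which value is used.
    dupes = [k for k in REQUIRED if len(qs[k]) != 1]
    if dupes:
        raise ValueError(f"duplicate callback parameter(s): {', '.join(dupes)}")
    return {k: qs[k][0] for k in REQUIRED}


def build_redirect(params: dict) -> str:
    """Build the Location header for the app. The target host is fixed and never
    taken from the request, so the callback cannot be turned into an open redirect."""
    return f"{APP_URL}?{urlencode(params)}"


class CallbackHandler(BaseHTTPRequestHandler):
    def do_GET(self):  # Box now calls the Client Callback URL with GET
        try:
            params = parse_callback(urlsplit(self.path).query)
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        self.send_response(302)
        self.send_header("Location", build_redirect(params))
        self.end_headers()

    def do_POST(self):  # the old POST registration is gone; refuse rather than half-handle it
        self.send_error(405, "callback must be registered with method GET")


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), CallbackHandler).serve_forever()
```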


Thank you Gustaf, I’ll mark your post as solution.