Please check the 'sub' claim. The 'sub' specified is invalid Error

I have a new Box account. I created a new Box app from the developer console to process files stored in Box using a Python script. But the app_user_auth.authenticate_user() step is failing with the error below

**BoxOAuthException**: Message: Please check the 'sub' claim. The 'sub' specified is invalid. 
Status: 400 
URL: https://api.box.com/oauth2/token 
Method: POST

My Python code looks like this

from boxsdk import JWTAuth, Client
import json

with open('./settings_config.json','r') as file:
    config_json = json.load(file)

auth = JWTAuth.from_settings_dictionary(config_json)
service_account_client = Client(auth)
app_user = service_account_client.user(user_id='xxxx')

app_user_auth = JWTAuth(
    client_id=config_json['boxAppSettings']['clientID'],
    client_secret=config_json['boxAppSettings']['clientSecret'],
    user=app_user,
    jwt_key_id=config_json['boxAppSettings']['appAuth']['publicKeyID'],
    rsa_private_key_data=config_json['boxAppSettings']['appAuth']['privateKey'],
    rsa_private_key_passphrase=config_json['boxAppSettings']['appAuth']['passphrase'],
    enterprise_id=config_json["enterpriseID"]
)
app_user_auth.authenticate_user()
app_user_client = Client(app_user_auth)

and my settings_config.json file looks like this

{
  "boxAppSettings": {
    "clientID": "xxxxxxxxx",
    "clientSecret": "xxxxxxxxx",
    "appAuth": {
      "publicKeyID": "xxxxxxx",
      "privateKey": "-----BEGIN ENCRYPTED PRIVATE KEY----- xxxxxxxxx",
      "passphrase": "xxxxxx"
    }
  },
  "enterpriseID": "xxxxx"
}

Please help me with a resolution. I have a valid enterprise ID here as I am using my employer’s account.

Hello :wave:,

You might double check via the information on this page. I think you are missing the box_sub_type variable.

Thanks,
Alex, Box Developer Advocate :avocado:

Sorry, I wasn't able to follow that. Is there a reason why you suggested I look at “JWT without SDKs”? I had been trying to authenticate using “JWT with SDKs” all this while. Do you have any sample Python script on how to read the folders in Box if I use “JWT without SDKs” for authentication?

My apologies. You are right! Normally when I see the sub error it's due to some issue when coding without using the SDKs.

Do you mind sharing the client ID with me?

No problem. The ID is eier6omdhmug8wz0in9i3i4ziza8ye8k

I will test out your code locally and see if I get anything different. I’ll report my results after I finish.

I have the same problem statement. My request fails with {'error': 'invalid_grant', 'error_description': "Please check the 'sub' claim. The 'sub' specified is invalid."}. My enterprise ID is zero.

Hi rajeev2186,

In order to use applications with authentication types other than OAuth 2.0, you’d need to have a paid enterprise account. Free accounts do not have access to other authentication methods. We are working on launching our new free developer accounts in the near future.

Thanks,
Alex

Hi @Joy

From a Python and Box SDK perspective, your code works flawlessly, so it must be permissions; @smartoneinok is following up with you.

I just wanted to give you a tip relative to the construction of the JWTAuth.
You do not need to build it manually just to use a user.

If you need to authenticate a user from a JWTAuth object, you can re-use the settings, and just call the .authenticate_user(xyx) passing either a user_id or a User object.

Consider this sample:

""" Demo on using user identification on a JWT application"""

from typing import Union
from boxsdk import JWTAuth, Client
from boxsdk.object.user import User

USER_ID = "18622116055"
APP_USER_ID = "29599235430"

def get_client_user(user: Union[str, User]) -> Client:
    """Get client user"""
    auth = JWTAuth.from_settings_file(".config.json")
    auth.authenticate_user(user)
    return Client(auth)


def get_client_enterprise() -> Client:
    """Get client enterprise"""
    auth = JWTAuth.from_settings_file(".config.json")
    # auth.authenticate_instance() # by default it authenticates the enterprise
    return Client(auth)


def main():
    client_enterprise = get_client_enterprise()
    me = client_enterprise.user(user_id="me").get()
    print(f"Service Account: {me.id} {me.name} {me.login}")

    client_user = get_client_user(USER_ID)
    me = client_user.user(user_id="me").get()
    print(f"User Account: {me.id} {me.name} {me.login}")

    app_user = client_enterprise.user(user_id=APP_USER_ID).get()
    client_user_app = get_client_user(app_user)
    me = client_user_app.user(user_id="me").get()
    print(f"App User Account: {me.id} {me.name} {me.login}")


if __name__ == "__main__":
    main()

Results in:

Service Account: 20344589936 UI-Elements-Sample AutomationUser_1841316_RbcnIM9B2l@boxdevedition.com
User Account: 18622116055 Rui Barbosa barduinor@gmail.com
App User Account: 29599235430 Test APP User AppUser_1841316_afcI7DCbFn@boxdevedition.com

Cheers
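To make the 'sub' / box_sub_type point from Alex's reply and the enterprise-versus-user distinction from Rui's sample concrete, here is an added example that is not part of the original thread and not Box SDK code. It builds the claims of a Box JWT assertion from a settings dictionary in the same shape as the settings_config.json above, choosing exactly one subject (the enterprise ID, or a single user ID), and rejects the inputs that produce the "The 'sub' specified is invalid" response locally, including an enterprise ID of zero as in rajeev2186's case. The claim names and limits follow Box's documented assertion format (iss, sub, box_sub_type, aud, jti of 16 to 128 characters, exp at most 60 seconds ahead); the function names, the 45-second default lifetime, the SAMPLE_SETTINGS values and the InvalidSubClaim exception are my own assumptions. Signing with the app's RSA key is left out so the block runs offline; the returned dict is what you would pass to a JWT library with RS256/RS384/RS512.

```python
"""Build and sanity-check Box JWT assertion claims before requesting a token.

Added example: not from the original thread or the boxsdk library.
Signing is intentionally omitted; this produces the unsigned claims only.
"""
import secrets
import time

BOX_TOKEN_URL = "https://api.box.com/oauth2/token"
VALID_SUB_TYPES = ("enterprise", "user")
MAX_TTL_SECONDS = 60  # Box rejects assertions whose exp is more than 60 s ahead

# Constructed sample in the shape of the settings_config.json from the thread.
# Values are placeholders, not real credentials.
SAMPLE_SETTINGS = {
    "boxAppSettings": {
        "clientID": "client-id-placeholder",
        "clientSecret": "client-secret-placeholder",
        "appAuth": {
            "publicKeyID": "key-id-placeholder",
            "privateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----\n...",
            "passphrase": "passphrase-placeholder",
        },
    },
    "enterpriseID": "123456",
}


class InvalidSubClaim(ValueError):
    """Hypothetical local error for inputs Box would answer with an invalid 'sub'."""


def build_assertion_claims(client_id, sub, box_sub_type, now=None, ttl=45):
    """Return the claims dict for one Box JWT assertion.

    sub must be a non-zero numeric Box ID and must match box_sub_type:
    the enterprise ID for "enterprise", a user ID for "user".
    """
    if not client_id:
        raise ValueError("client_id (the iss claim) must not be empty")
    if box_sub_type not in VALID_SUB_TYPES:
        raise InvalidSubClaim(
            f"box_sub_type must be one of {VALID_SUB_TYPES}, got {box_sub_type!r}"
        )
    sub = str(sub).strip()
    if not sub.isdigit():
        raise InvalidSubClaim(f"sub must be a numeric Box ID, got {sub!r}")
    if int(sub) == 0:
        # Accounts without an enterprise (free accounts) report enterprise ID 0;
        # Box will not issue an enterprise token for it.
        raise InvalidSubClaim("sub is 0: this account has no enterprise ID")
    if not 0 < ttl <= MAX_TTL_SECONDS:
        raise ValueError(f"ttl must be between 1 and {MAX_TTL_SECONDS} seconds")
    now = int(time.time()) if now is None else int(now)
    return {
        "iss": client_id,
        "sub": sub,
        "box_sub_type": box_sub_type,
        "aud": BOX_TOKEN_URL,
        "jti": secrets.token_hex(32),  # 64 hex chars, inside Box's 16-128 limit
        "exp": now + ttl,
    }


def claims_from_settings(settings, user_id=None, now=None):
    """Pick exactly one subject from a settings dict like settings_config.json.

    With no user_id the assertion is for the service account (enterprise);
    with a user_id it is for that user. Never both, which is the mix the
    thread's original code attempted.
    """
    client_id = settings["boxAppSettings"]["clientID"]
    if user_id is None:
        return build_assertion_claims(
            client_id, settings["enterpriseID"], "enterprise", now=now
        )
    return build_assertion_claims(client_id, user_id, "user", now=now)


if __name__ == "__main__":
    print(claims_from_settings(SAMPLE_SETTINGS))
    print(claims_from_settings(SAMPLE_SETTINGS, user_id="18622116055"))
    try:
        claims_from_settings({**SAMPLE_SETTINGS, "enterpriseID": "0"})
    except InvalidSubClaim as exc:
        print("rejected locally:", exc)
```

Run this once per token request; each call produces a fresh jti and exp, so the same claims object must not be reused after its 60-second window.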

Thank you for all the replies. The fix was simple. I shouldn't be using both Service account and app user to authenticate. The sample available in Git might have misled me.


from boxsdk import JWTAuth, Client

auth = JWTAuth.from_settings_file('./settings_config.json')
service_account_client = Client(auth)

The above code helped me connect to Box and see the folders and files as an enterprise user. The below code was NOT necessary.

app_user = service_account_client.user(user_id='xxxx')

app_user_auth = JWTAuth(
    client_id=config_json['boxAppSettings']['clientID'],
    client_secret=config_json['boxAppSettings']['clientSecret'],
    user=app_user,
    jwt_key_id=config_json['boxAppSettings']['appAuth']['publicKeyID'],
    rsa_private_key_data=config_json['boxAppSettings']['appAuth']['privateKey'],
    rsa_private_key_passphrase=config_json['boxAppSettings']['appAuth']['passphrase'],
    enterprise_id=config_json["enterpriseID"]
)
app_user_auth.authenticate_user()
app_user_client = Client(app_user_auth)

Thanks for reporting back! I thought we tried that on the phone yesterday? Did you change something else after?

Yes, we tried that yesterday but for some reason it didn't work. I created a new Python environment and reinstalled the boxsdk library; after that, service account client authentication worked just fine (but not a mix of both authentications).