Unable to Authenticate with Two-Factor Authentication due to CORS Error

Hello,

I am currently experiencing an issue with two-factor authentication on BOX.
When I attempt to access the authentication page, I am presented with a CORS (Cross-Origin Resource Sharing) error, which prevents me from completing the authentication process.

Here is the error message I am seeing:

Access to XMLHttpRequest at ‘https://app.box.com/gen204?
category=boomerang&event_type=beacon&&keys_and_values[current_rm]=
box_oauth2_server_authorize&keys_and_values[datacenterTag]=
us-west4-prod&keys_and_values[is_old]=1&keys_and_values[uri]=
https%3A%2F%2Fapp.box.net%2Fapi%2Foauth2%2Fauthorize%3F
… {snip} …
&runmode_options[add_geo]=1’) from origin
‘https://app.box.net’ has been blocked by CORS policy:
No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

I have also attached a screenshot of the error for reference.

I understand that CORS is a security feature implemented in web browsers to restrict requests from one domain to another, but I am unsure why it is causing an issue in this case. I am using Chrome 123.0.6312.105 on macOS 13.6.6.

Could anyone provide some insight into why this might be happening and how I might resolve it? Any help would be greatly appreciated.

Thank you in advance for your assistance.

Best regards.

Hello again,

I have discovered some additional information that may be relevant to the issue I am experiencing with two-factor authentication.

Upon further investigation, I noticed that the POST target for the authentication form is not box.com, as I initially expected, but rather box.net. This was surprising to me, and I suspect it may be related to the CORS error I am encountering.

Interestingly, when I manually changed the POST target to box.com, I was able to complete the two-factor authentication process without any issues. This leads me to believe that the issue may be related to the POST target being set to box.net.

I am not sure why the POST target is set to box.net instead of box.com, and I am wondering if this could be causing the CORS error. If the browser is expecting a response from box.com but is receiving a response from box.net instead, this could potentially trigger a CORS error.

Could you provide any insight into why the POST target might be set to box.net instead of box.com? Also, if it is possible to change the POST target, could you guide me on how to do so?

I would appreciate any additional insight or suggestions you might have regarding this issue. Thank you for your continued assistance.

Best regards

Hi @Brushup-developer, welcome to the forum!

I’m wondering how you got to that specific URL (api.box.com/oauth2/authorize/) on the authentication page in the first place…

According to our documentation, the authorization URL is https://account.box.com/api/oauth2/authorize, which is also used in the form submit.

For example:

Let us know how we can help.

Best regards


Thank you for your response and guidance.

I’m not sure where the URL api.box.com/oauth2/authorize/ originally came from, but as you pointed out, the correct URL should be account.box.com/api/oauth2/authorize.

Interestingly, the incorrect URL seemed to work fine when two-factor authentication was not enabled. However, when I switched to the correct URL as per your suggestion, I was able to authenticate successfully even with two-factor authentication enabled.

This has resolved my issue, and I appreciate your help in guiding me to the correct solution.

Thank you once again for your assistance.

Best Regards

Happy to help!

Best regards
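
As an added illustration (not part of the thread and not Box's code), the sketch below audits a configured authorize URL against the documented one quoted in the reply and shows the browser's origin comparison for the hosts in the error message. The helper names and sample inputs are hypothetical and constructed for this example.

```javascript
// Documented endpoint, as quoted in the staff reply above.
const DOCUMENTED_AUTHORIZE_URL = "https://account.box.com/api/oauth2/authorize";

// Browsers compare origins as an exact (scheme, host, port) tuple,
// so app.box.net and app.box.com are different origins.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// A script on pageUrl reading a response from requestUrl needs an
// Access-Control-Allow-Origin header only when the origins differ.
function needsCorsHeader(pageUrl, requestUrl) {
  return !sameOrigin(pageUrl, requestUrl);
}

// Compare a configured authorize URL with the documented one and
// return every difference found (an empty list means it matches).
function auditAuthorizeUrl(configured) {
  let url;
  try {
    url = new URL(configured);
  } catch {
    return ["not an absolute URL"];
  }
  const expected = new URL(DOCUMENTED_AUTHORIZE_URL);
  const strip = (p) => p.replace(/\/+$/, ""); // ignore trailing slashes
  const findings = [];
  if (url.protocol !== "https:") findings.push(`scheme ${url.protocol} is not https:`);
  if (url.host !== expected.host) findings.push(`host ${url.host} differs from ${expected.host}`);
  if (strip(url.pathname) !== strip(expected.pathname)) {
    findings.push(`path ${url.pathname} differs from ${expected.pathname}`);
  }
  return findings;
}

// Constructed sample inputs based on the hosts mentioned in the thread.
const samples = [
  "https://app.box.net/api/oauth2/authorize",
  "https://api.box.com/oauth2/authorize/",
  DOCUMENTED_AUTHORIZE_URL + "?response_type=code",
];
for (const s of samples) {
  console.log(s, "->", auditAuthorizeUrl(s));
}
console.log("beacon from box.net page is cross-origin:",
  needsCorsHeader("https://app.box.net/api/oauth2/authorize", "https://app.box.com/gen204"));
```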
