Weird OAuth2 callback URL

Hello world,

I’m writing some code trying to integrate Box Java SDK into my own Android Java code.

The URL to invoke Box OAuth2 is built using code like below

BoxAPIConnection.getAuthorizationURL(clientId, URI.create("oauth://box.oauth2/redirect"), state, scopes)

Here, state is a random UUID string and scopes is just root_readonly. I'm using a non-standard protocol name here since I expect app deeplinks will capture the above redirect; then I will process the redirect callback in my code to get the access token.

However, upon invoking the above code, my Android code isn’t capturing the deeplink URL at all. Tracing it down a bit revealed that the URL returned by the box.com server is

https://app.box.com/login/mfa?redirectUrl=%2Fapi%2Foauth2%2Fauthorize%3Fclient_id%3D<REDACTED>%26response_type%3Dcode%26redirect_uri%3Doauth%253A%252F%252Fbox.oauth2%252Fredirect%26state%3D<REDACTED>%26scope%3Droot_readonly#

That made Box go nowhere but to a missing page.

I thought I should expect redirect_uri to be at most oauth%3A%2F%2Fbox.oauth2%2Fredirect in order for the platform to trigger the redirect at the browser properly, then the deeplink trigger, to hand control back to my Android code?

Can anyone shed some light to confirm whether I’m missing something here?
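An added example (not part of the thread and not Box SDK code) that decodes the URL shape from the post above one layer at a time: the whole authorize request is carried percent-encoded inside `redirectUrl`, so its already-encoded `redirect_uri` shows up encoded a second time (`%253A` is `%3A` encoded once more). `CLIENT` and `STATE` are constructed placeholders for the redacted values, and the class and method names are hypothetical.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class NestedRedirectDecode {
    // Constructed sample shaped like the URL in the post; CLIENT and STATE are placeholders.
    static final String MFA_URL = "https://app.box.com/login/mfa?redirectUrl="
        + "%2Fapi%2Foauth2%2Fauthorize%3Fclient_id%3DCLIENT%26response_type%3Dcode"
        + "%26redirect_uri%3Doauth%253A%252F%252Fbox.oauth2%252Fredirect"
        + "%26state%3DSTATE%26scope%3Droot_readonly#";

    // Decode exactly one layer of percent-encoding (Charset overload needs Java 10+;
    // on older runtimes use URLDecoder.decode(s, "UTF-8") instead).
    static String decode(String s) {
        return URLDecoder.decode(s, StandardCharsets.UTF_8);
    }

    // Split a raw (still encoded) query on '&' and '=', then decode each name and value once.
    static Map<String, String> parseQuery(String rawQuery) {
        Map<String, String> params = new LinkedHashMap<>();
        if (rawQuery == null || rawQuery.isEmpty()) return params;
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(decode(name), decode(value));
        }
        return params;
    }

    // Peel both layers: the MFA page's redirectUrl, then the authorize request's redirect_uri.
    static String innerRedirectUri(String mfaUrl) {
        String outerQuery = URI.create(mfaUrl).getRawQuery();
        String authorizePath = parseQuery(outerQuery).get("redirectUrl");
        if (authorizePath == null) throw new IllegalArgumentException("no redirectUrl parameter");
        String innerQuery = URI.create(authorizePath).getRawQuery();
        return parseQuery(innerQuery).get("redirect_uri");
    }

    public static void main(String[] args) {
        String outerQuery = URI.create(MFA_URL).getRawQuery();
        System.out.println("layer 1 (redirectUrl):  " + parseQuery(outerQuery).get("redirectUrl"));
        System.out.println("layer 2 (redirect_uri): " + innerRedirectUri(MFA_URL));
    }
}
```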

Hi @arita7358

Thanks for using Box Java SDK. It seems like something is wrong with the Box OAuth2 process on the server side. I tried to reproduce it, but it is able to open the app on my device.

So to investigate this case further, can you do a few checks and provide some more information:

  1. Is the URL created by the getAuthorizationURL method something like this:
https://account.box.com/api/oauth2/authorize?client_id=[client_id]&response_type=code&redirect_uri=oauth%3A%2F%2Fbox.oauth2%2Fredirect&state=[some state]&scope=root_readonly
  2. It seems like the issue is related to 2FA. Can you confirm that your enterprise has 2FA enabled, and that the user you are trying to log in with already has 2FA set up?
  3. Can you log in to the account above normally via browser?

With this information, I hope we can investigate this issue further.
Best,
Minh

  1. Yes. With
BoxAPIConnection.getAuthorizationURL(
    clientId,
    URI.create("oauth://box.oauth2/redirect"),
    state,
    scopes
)

I got

https://account.box.com/api/oauth2/authorize?client_id=<REDACTED>&response_type=code&redirect_uri=oauth%3A%2F%2Fbox.oauth2%2Fredirect&state=<REDACTED>&scope=root_readonly
  2. Yes, I’m logging in using my Google account which has 2FA enabled.
  3. Yes, from my desktop everything is perfect.

Hi @arita7358

So the authorization URL you have above is correct. In this case, maybe some issue on the server side only happens with some specific config, which is redirecting you to an incorrect URL.

I recommend you contact Box Support so they can investigate more deeply what is going wrong. When creating a ticket, please also provide the code snippet and the Authorization URL above.

@mcong sorry, but I have had little luck getting answers…

Would you mind sharing the code that would work? More specifically, how you’d declare the capturing of deep links in the manifest XML for when the browser receives the redirect from Box OAuth2.