Can the initial step of Box API use be automated?

Question

I am the admin of an enterprise account at Box, and I'm working on an automated integration to update our users' email addresses and set their quotas, based on our enterprise' internal catalog.

Although the Box API documentation seems targeted at other usage scenarios, I can gather that once I get an access_token/refresh_token pair, that refresh_token is valid for 60 days, and I can get a new one at any time during that period.

Being of the conviction that "something always goes wrong", I'm just wondering if there is any way of automating the initial step of getting an access_token/refresh_token pair, that doesn't require a browser and manual interaction. I'm afraid that IF the refresh_token is lost or becomes invalid due to an update at Box or similar, no one here will remember how you went about getting that initial token pair by hand.

If there isn't a way to do it automatically, I'll just live with it, but I don't want to give up without having asked explicitly to know that I didn't just miss something. :-)

Answer 1

[Is there] any way of automating the initial step of getting an access_token/refresh_token pair, that doesn't require a browser and manual interaction

No, there are no authZ/authN shortcuts. That goes double for accounts that can manage an entire enterprise, given their power and reach.

I'm afraid ... no one here will remember how you went about getting that initial token pair by hand.

One way to resolve this might be to implement something like this:

1. Create a Box app with the 'manage an enterprise' scope.
2. Create a web app in your domain that simply implements the OAuth2 workflow.
3. Store the resulting access/refresh token pair in your persistence layer of choice
4. If/when something goes wrong due to authZ/authN issues, have your script notify a group email account that someone needs to go to the web app and request a new token.

There are sample web apps available to help get you started. (Python, Asp.NET MVC)

... The Box API documentation seems targeted at other usage scenarios...

A lot of the enterprise-specific stuff is found in the Users and Events parts of the API, and the As-User feature makes the entire API enterprise-ready. It's pretty neat.

Answer 2

You can build a workarround with an webclient like this:

import java.io.IOException;
import java.net.URL;
import java.util.concurrent.ExecutionException;

import com.gargoylesoftware.htmlunit.BrowserVersion;
import com.gargoylesoftware.htmlunit.ElementNotFoundException;
import com.gargoylesoftware.htmlunit.WebClient;
import com.gargoylesoftware.htmlunit.html.HtmlButton;
import com.gargoylesoftware.htmlunit.html.HtmlForm;
import com.gargoylesoftware.htmlunit.html.HtmlPage;
import com.gargoylesoftware.htmlunit.html.HtmlPasswordInput;
import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
import com.gargoylesoftware.htmlunit.html.HtmlTextInput;

public class BoxAuth {

private String key;
private String email;
private String password;
private String redirectUrl;
private final String AUTH_URL;

public BoxAuth(String key, String email, String password, String redirectUrl) {
    super();
    this.key = key;
    this.email = email;
    this.password = password;
    this.redirectUrl = redirectUrl;
    this.AUTH_URL = "https://www.box.com/api/oauth2/authorize?response_type=code&client_id=" + key + "&redirect_uri=" + this.redirectUrl;
}

public String authorize() throws IOException, InterruptedException, ExecutionException {

    System.out.println("AUTHORIZING: " + AUTH_URL);

    final WebClient webClient = new WebClient(BrowserVersion.FIREFOX_17);

    HtmlPage loginPage = webClient.getPage(AUTH_URL);
    final HtmlPage grantAccessePage = this.authorizeLogin(loginPage);
    return this.authorizeGrantAccess(grantAccessePage);

}

private HtmlPage authorizeLogin(HtmlPage page) throws IOException {

    final HtmlForm loginForm = page.getFormByName("login_form");
    loginForm.getInputByName("password");
    final HtmlTextInput emailField = (HtmlTextInput) loginForm.getInputByName("login");
    emailField.setValueAttribute(this.email);
    final HtmlPasswordInput passwordField = (HtmlPasswordInput) loginForm.getInputByName("password");
    passwordField.setValueAttribute(this.password);
    final HtmlSubmitInput loginButton = loginForm.getInputByName("login_submit");

    final HtmlPage result = loginButton.click();
    try {
        final HtmlForm test = result.getFormByName("login_form");
        throw new Exception("BoxAPI: Wrong login data!!!");
    } catch (ElementNotFoundException e) {
    }

    return result;
}

private String authorizeGrantAccess(HtmlPage grantAccessePage) throws IOException, InterruptedException, ExecutionException {
    final HtmlForm grantAccessForm = grantAccessePage.getHtmlElementById("consent_form");
    final HtmlButton grantAccess = grantAccessForm.getButtonByName("consent_accept");

    final HtmlPage codePage = grantAccess.click();

    URL url = codePage.getUrl();
    String result = "";

    if (url.toString().contains("&code=")) {
        result = url.toString().substring(url.toString().indexOf("&code="));
        result = result.replace("&code=", "");
    }

    return result;
}

}

as redirect_url u can use something like "https://app.box.com/services/yourservice"