Box oauth2: Invalid grant_type parameter or parameter missing

10
votes

I don't know what I do wrong, but everytime I tried to obtain the token (after user authentication of course), the result is always Invalid grant_type parameter or parameter missing

Possibly related to Box API always returns invalid grant_type parameter on obtaining access token

Here is my fiddler result:

POST https://api.box.com/oauth2/token HTTP/1.1
Host: api.box.com
Content-Length: 157
Expect: 100-continue
Connection: Keep-Alive

grant_type=authorization_code&code=nnqtYcoik7cjtHQYyn3Af8uk4LG3rYYh&client_id=[myclientId]&client_secret=[mysecret]

Result:

HTTP/1.1 400 Bad Request
Server: nginx
Date: Thu, 07 Mar 2013 11:18:36 GMT
Content-Type: application/json
Connection: keep-alive
Set-Cookie: box_visitor_id=5138778bf12a01.27393131; expires=Fri, 07-Mar-2014 11:18:35 GMT; path=/; domain=.box.com
Set-Cookie: country_code=US; expires=Mon, 06-May-2013 11:18:36 GMT; path=/
Cache-Control: no-store
Content-Length: 99

{"error":"invalid_request","error_description":"Invalid grant_type parameter or parameter missing"}

Even following the curl example gives the same error. Any help would be appreciated.

Edit: tried with additional redirect_uri params but still the same error

POST https://api.box.com/oauth2/token HTTP/1.1
Content-Type: application/json; charset=UTF-8
Host: api.box.com
Content-Length: 187
Expect: 100-continue
Connection: Keep-Alive

grant_type=authorization_code&code=R3JxS7UPm8Gjc0y7YLj9qxifdzBYzLOZ&client_id=*****&client_secret=*****&redirect_uri=http://localhost

Result:

HTTP/1.1 400 Bad Request
Server: nginx
Date: Sat, 09 Mar 2013 00:46:38 GMT
Content-Type: application/json
Connection: keep-alive
Set-Cookie: box_visitor_id=513a866ec5cfe0.48604831; expires=Sun, 09-Mar-2014 00:46:38 GMT; path=/; domain=.box.com
Set-Cookie: country_code=US; expires=Wed, 08-May-2013 00:46:38 GMT; path=/
Cache-Control: no-store
Content-Length: 99

{"error":"invalid_request","error_description":"Invalid grant_type parameter or parameter missing"}
5
oauth-2.0box-api
Check John Hoerr reply: stackoverflow.com/questions/15437525/…entyer

5 Answers

18
votes

Looks like Box requires a correct Content-Type: application/x-www-form-urlencoded request header in addition to properly URL encoding the parameters. The same seems to apply to refresh and revoke requests.

Also, per RFC 6749, the redirect_uri is only

REQUIRED, if the "redirect_uri" parameter was included in the authorization request as described in Section 4.1.1, and their values MUST be identical.

4
votes

I was facing a similar issue.

  • The problem is not with Content-Type.
  • The issue is with the lifecycle of code you receive.

One key aspect not mentioned in most places is that the code you get on redirect lasts only 30 seconds.

To get the access token and refresh token, you have to make the post request in 30 seconds or less.

If you fail to do that, you get the stated error. I found the info here.

Below code worked for me. Keep in mind, the 30-second rule.

import requests

url = 'https://api.box.com/oauth2/token'

data = [
    ('grant_type', 'authorization_code'),
    ('client_id', 'YOUR_CLIENT_ID'),
    ('client_secret', 'YOUR_CLIENT_SECRET'),
    ('code', 'XXXXXX'),
]

response = requests.post(url, data=data)

print(response.content)

Hope that helps.

1
votes

You are missing the redirect URI parameter. Try:

POST https://api.box.com/oauth2/token HTTP/1.1
Host: api.box.com
Content-Length: 157
Expect: 100-continue
Connection: Keep-Alive

grant_type=authorization_code&code=nnqtYcoik7cjtHQYyn3Af8uk4LG3rYYh&client_id=[myclientId]&client_secret=[mysecret]&redirect_uri=[your-redirect-uri]
0
votes

I have also face same issue implementing oauth2. I have add Content-Type: application/x-www-form-urlencoded. When I add content-type my issue solved.

Check and add valid content-type.

0
votes

Not sure who might need this in the future but be sure you're sending a POST request to get the access token and not trying to retrieve it by using GET or if you're testing- pasting in the address bar won't work, you need to send a POST request with the data in the BODY and not as query parameter.

Also the code usually lasts for a few seconds, so you need to use it as soon as its sent back.