Here is my problem:
I followed the instructions posted at you tube: "Get Box Access Tokens in 2 Quick Steps", using the client_id
and client_secret
provided by box
step1: get the auth_code
I copy and paste the following request in firefox:
https://www.box.com/api/oauth2/authorize?response_type=code&client_id=MY_CLIENT_ID&state=authenticated
step2: use the code from step1 to get the access and refresh tokens, using curl:
curl -v -k https://www.box.com/api/oauth2/token -d 'grant_type=authorization_code&code={auth_code}&client_id={MY_CLIENT_ID}&client_secret={MY_CLIENT_SECRET}' -X POST
The reponse I get is "invalid client credentials". Did I miss something?
Thanks in advance for helping. I really don't know how to troubleshoot this error.
What's more likely is that you've left in something that's causing the curl request to only take in the first line, ignoring "-d..." and beyond. If you're too slow, you'll actually get this error:
{"error":"invalid_grant","error_description":"The authorization code has expired"}
Write the curl request again on one line or try to copy and paste this:
curl https://www.box.com/api/oauth2/token -d 'grant_type=authorization_code&code={CODE}&client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}'
-X POST
I had the same issue and it worked for me after adding header:
Content-Type: application/x-www-form-urlencoded
So your curl command would look like
curl -v -k https://www.box.com/api/oauth2/token -d 'grant_type=authorization_code&code={auth_code}&client_id={MY_CLIENT_ID}&client_secret={MY_CLIENT_SECRET}' -H "Content-Type: application/x-www-form-urlencoded" -X POST
I'll answer my own question in case some other newcomer falls in the same trap as I did:
Simply remove the curly brackets ({ }), so that the request will be:
curl -v https://www.box.com/api/oauth2/token -d 'grant_type=authorization_code&code=AUTH_CODE&client_id=CLIENT_ID&client_secret=CLIENT_SECRET' -X POST
and replace AUTH_CODE
, CLIENT_ID
and CLIENT_SECRET
by their corresponding values without adding any "decorative" character, at least if you're using curl.
Notice that I also removed the -k option after adding the path to a cacert.pem
file as a SSL_CERT_FILE
environment variable, so that curl would find it and stop complaining.