Box Application and OAuth Integration: getting back to the client_callback url

Question

I'm working on a Box integration and have run into an interesting scenario:

1. Box user right-clicks in Box and selects an action
2. The user is sent in an iframe to the client_url.
3. Since in box we have to keep track of each users' access and refresh tokens, on this pass we discover in our application logic that the user lacks valid tokens.

As per the docs we send the user to: GET https://app.box.com/api/oauth2/authorize?response_type=code&client_id=MY_CLIENT_ID&state=security_token%3DKnhMJatFipTAnM0nHlZA

and from there Box sends the user to the configured redirect_uri. My question is after authentication, how do we get back to the confiured client_callback url that we configured for our Box application? I don't see a way of getting back to our original url since we had to inject a view for the Box authentication and are then routed to the oauth callback url.

Thanks!

https://developers.box.com/oauth/

Answer 1

From the Box Support team:

Paul Paulauskas (Box Customer Success) May 27, 4:26 PM

Hi,

The Box web app integration was never designed around having a full authentication flow. When a web app integration is called, it can deliver an auth_code (it's one of the parameters that you can choose), which can be used to create an access token and a refresh token. This is discussed under the "Popup notification" section of: https://developers.box.com/box-web-application-integrations/

Let me know if this helps!

Thanks,

Paul Box Platform Support Engineer

In short, the Box app integration configuration looks like this now:

Note the auth_token attribute is the same as the code attribute returned by the authentication workflow described in https://developers.box.com/oauth/