Note: this question is not about authenticating to an account after receiving a valid access token. This is about the first leg in the authentication process that would obtain the valid access token.
I am working on a web app that needs to connect to a specific box.com account. One of the requirements is that connecting to box.com should happen purely in the background, using credentials that are hard-coded into the web app.
So in other words, this should authenticate the user to a specific box.com account without asking the user to enter any account credentials.
Now, after asking about this from Box support, their answer is that:
They said that this should be possible, but since they cannot provide any documentation on this, I decided to look into whether I can find information on this elsewhere.
My problem is that it looks like with OAuth the initial authentication always has to be through a UI. Is this correct? Or is there a way to set OAuth to authenticate against hard-coded credentials purely in the background, and if so, how?
Upvotes: 2
Views: 1281
Reputation: 258
box.com does not - at least officially - support "2 legged OAuth" (aka "2LO") but they have a new feature (which may still be in Beta) to support authentication using JSON Web Tokens (JWT).
Here's their description on how JWT authentication works:
This process replaces the first leg of the standard 3-legged OAuth process in which the user grants an application permission to the user’s Box account. Your service will authenticate by providing the application ID, enterprise ID, token type, and sign it using a private key. Box will then verify the identity of the application using a public key from the private key pair.
You can find more information on their developer page, here: https://developers.box.com/developer-edition/
Upvotes: 1
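The JWT flow quoted in the answer above can be sketched as follows: the service signs an assertion with its private key, and the provider checks it against the registered public key. This is an added example, not code from the original posts or from Box; the claim names (`iss`, `sub`, `box_sub_type`, `aud`, `jti`, `exp`), the audience URL, the IDs and the throwaway key pair are assumptions and constructed values to check against Box's current documentation.

```javascript
const crypto = require("node:crypto");

const b64url = (x) => Buffer.from(x).toString("base64url");

// Service side: build the assertion and sign it with the app's private key (RS256).
function signAssertion(privateKey, { appId, enterpriseId, audience, now, ttl = 30 }) {
  const header = { alg: "RS256", typ: "JWT" };
  const claims = {
    iss: appId,                 // application ID (assumed claim name)
    sub: enterpriseId,          // enterprise ID (assumed claim name)
    box_sub_type: "enterprise", // token type (assumed claim name)
    aud: audience,
    jti: crypto.randomUUID(),   // unique per assertion, so a verifier can reject replays
    exp: now + ttl,             // short lifetime limits the value of a captured assertion
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign("sha256", Buffer.from(signingInput), privateKey);
  return `${signingInput}.${sig.toString("base64url")}`;
}

// Provider side: check the signature with the public key before trusting any claim.
function verifyAssertion(token, publicKey, { audience, now }) {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [h, c, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, "base64url").toString());
    claims = JSON.parse(Buffer.from(c, "base64url").toString());
  } catch { return { ok: false, reason: "malformed" }; }
  // Pin the algorithm; the token must not choose how it is verified.
  if (header.alg !== "RS256") return { ok: false, reason: "bad alg" };
  const valid = crypto.verify("sha256", Buffer.from(`${h}.${c}`), publicKey, Buffer.from(s, "base64url"));
  if (!valid) return { ok: false, reason: "bad signature" };
  if (claims.aud !== audience) return { ok: false, reason: "wrong audience" };
  if (typeof claims.exp !== "number" || claims.exp <= now) return { ok: false, reason: "expired" };
  return { ok: true, claims };
}

// Constructed demo values: throwaway key pair, placeholder IDs and audience.
const { privateKey, publicKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const AUD = "https://token-endpoint.example/oauth2/token";
const demo = signAssertion(privateKey, {
  appId: "app-id-placeholder", enterpriseId: "ent-id-placeholder", audience: AUD, now: 1000,
});
```

Only the public key is registered with the provider, so the credential the web app holds is the private key: load it from a secrets store rather than embedding it in source.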