Box API OAuth2: multiple redirect_uris, long term refresh token

I have two questions about the Box OAuth2 API in a test environment.

  • Is it possible to have multiple redirect_uris? I would like to use one address for production (e.g. https://my_site.com/box_redirects_here), one for current development (http://localhost:8000/box_redirects_here) and one for automated UI tests (http://localhost:8001/box_redirects_here). As far as I could see, the only way to do this is to create three different Box apps - is there an easier way? BTW, both Dropbox and Google Drive support multiple redirect URIs.
  • I have a set of automated tests that I would like to run multiple times a day. The problem I am facing is that every time I run these tests my refresh_token is invalid and I cannot use it again - this means I cannot run the same test suite after a few hours without manually using a new marker. One solution would be to store the refresh token in a file, for example, so that I can reuse it in test sessions. But:
    • This is really cumbersome.
    • If different developers run these tests from different computers without a normal filesystem, that doesn't really work.
    • Again, for some reason this doesn't seem like a problem with Google Drive or Dropbox.
+3

2 answers


  • This is currently not possible and I agree that it would be nice.
  • Your best option is to save a pair of access / update tokens to a file or database (in the absence of a shared filesystem). The OAuth2 spec gives developers a wide latitude on how they issue updated tokens, if they issue them at all (I don't think Dropbox does that). While Box's implementation makes integration testing a little tricky, I think it ends up being the closest to the recommendations.


+3

For your first question, you can get close to what you want using a query parameter redirect_uri. While you won't be able to provide an arbitrary redirect URI, you can specify one that has the same base URL as the redirect URI in the app console.

From the OAuth tutorial:



Wildcard redirect_uri values are also accepted in the request if the base URL matches the URI registered in the application console. The registered redirect_uri https://www.myboxapp.com can be dynamically redirected to https://www.myboxapp.com/user1234 if passed in the redirect_uri parameter of the request.

For your second question, John is correct - Box invalidates the refresh token after using it. While this can be annoying, it is also safer.

+2
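
The first answer's advice (persist the token pair) combined with the single-use behaviour noted in the second, as an added example that is not part of either answer or of Box's documentation. `RotatingTokenStore`, `FakeTokenEndpoint` and `demo` are hypothetical names, the endpoint is a constructed stand-in rather than Box's API, and `fcntl` locking assumes a POSIX host.

```python
import fcntl, json, os, tempfile

class FakeTokenEndpoint:
    """Constructed stand-in for a token endpoint that rotates refresh tokens."""
    def __init__(self, first):
        self.valid, self.n = first, 0

    def __call__(self, refresh_token):
        if refresh_token != self.valid:
            raise PermissionError("invalid_grant: refresh token already used")
        self.n += 1
        self.valid = f"refresh-{self.n}"
        return {"access_token": f"access-{self.n}", "refresh_token": self.valid}

class RotatingTokenStore:
    """File-backed token pair for a provider that issues single-use refresh tokens."""
    def __init__(self, path, refresh):
        self.path = path        # JSON file holding the current pair
        self.refresh = refresh  # callable(refresh_token) -> new token pair

    def save(self, pair):
        # mkstemp creates the file 0600; rename is atomic, so a crash never
        # leaves a half-written or world-readable token file behind.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w") as f:
            json.dump(pair, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)

    def access_token(self):
        # Exclusive lock over the whole read-refresh-write cycle: two runners
        # must never present the same single-use refresh token.
        with open(self.path + ".lock", "w") as lock:
            fcntl.flock(lock, fcntl.LOCK_EX)
            with open(self.path) as f:
                old = json.load(f)
            new = self.refresh(old["refresh_token"])
            self.save(new)  # persist the rotated pair before returning
            return new["access_token"]

def demo():
    endpoint = FakeTokenEndpoint("refresh-0")
    store = RotatingTokenStore(os.path.join(tempfile.mkdtemp(), "tokens.json"), endpoint)
    store.save({"access_token": "access-0", "refresh_token": "refresh-0"})  # one-time manual seed
    first, second = store.access_token(), store.access_token()  # two test runs
    try:
        endpoint("refresh-0")  # replaying the consumed token
        replay_accepted = True
    except PermissionError:
        replay_accepted = False
    return first, second, replay_accepted, os.stat(store.path).st_mode & 0o777
```

Runners on different machines need the same read-refresh-write cycle inside a transaction on a shared database, which is the other storage option the first answer names.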