Box oauth2: Invalid grant_type parameter or parameter missing

Question

I don't know what I do wrong, but everytime I tried to obtain the token (after user authentication of course), the result is always Invalid grant_type parameter or parameter missing

Possibly related to Box API always returns invalid grant_type parameter on obtaining access token

Here is my fiddler result:

POST https://api.box.com/oauth2/token HTTP/1.1
Host: api.box.com
Content-Length: 157
Expect: 100-continue
Connection: Keep-Alive

grant_type=authorization_code&code=nnqtYcoik7cjtHQYyn3Af8uk4LG3rYYh&client_id=[myclientId]&client_secret=[mysecret]

Result:

HTTP/1.1 400 Bad Request
Server: nginx
Date: Thu, 07 Mar 2013 11:18:36 GMT
Content-Type: application/json
Connection: keep-alive
Set-Cookie: box_visitor_id=5138778bf12a01.27393131; expires=Fri, 07-Mar-2014 11:18:35 GMT; path=/; domain=.box.com
Set-Cookie: country_code=US; expires=Mon, 06-May-2013 11:18:36 GMT; path=/
Cache-Control: no-store
Content-Length: 99

{"error":"invalid_request","error_description":"Invalid grant_type parameter or parameter missing"}

Even following the curl example gives the same error. Any help would be appreciated.

Edit: tried with additional redirect_uri params but still the same error

POST https://api.box.com/oauth2/token HTTP/1.1
Content-Type: application/json; charset=UTF-8
Host: api.box.com
Content-Length: 187
Expect: 100-continue
Connection: Keep-Alive

grant_type=authorization_code&code=R3JxS7UPm8Gjc0y7YLj9qxifdzBYzLOZ&client_id=*****&client_secret=*****&redirect_uri=http://localhost

Result:

HTTP/1.1 400 Bad Request
Server: nginx
Date: Sat, 09 Mar 2013 00:46:38 GMT
Content-Type: application/json
Connection: keep-alive
Set-Cookie: box_visitor_id=513a866ec5cfe0.48604831; expires=Sun, 09-Mar-2014 00:46:38 GMT; path=/; domain=.box.com
Set-Cookie: country_code=US; expires=Wed, 08-May-2013 00:46:38 GMT; path=/
Cache-Control: no-store
Content-Length: 99

{"error":"invalid_request","error_description":"Invalid grant_type parameter or parameter missing"}

Answer 1

Looks like Box requires a correct Content-Type: application/x-www-form-urlencoded request header in addition to properly URL encoding the parameters. The same seems to apply to refresh and revoke requests.

Also, per RFC 6749, the redirect_uri is only

REQUIRED, if the "redirect_uri" parameter was included in the authorization request as described in Section 4.1.1, and their values MUST be identical.

Answer 2

I was facing a similar issue.

• The problem is not with Content-Type.
• The issue is with the lifecycle of code you receive.

One key aspect not mentioned in most places is that the code you get on redirect lasts only 30 seconds.

To get the access token and refresh token, you have to make the post request in 30 seconds or less.

If you fail to do that, you get the stated error. I found the info here.

Below code worked for me. Keep in mind, the 30-second rule.

import requests

url = 'https://api.box.com/oauth2/token'

data = [
    ('grant_type', 'authorization_code'),
    ('client_id', 'YOUR_CLIENT_ID'),
    ('client_secret', 'YOUR_CLIENT_SECRET'),
    ('code', 'XXXXXX'),
]

response = requests.post(url, data=data)

print(response.content)

Hope that helps.

Answer 3

You are missing the redirect URI parameter. Try:

POST https://api.box.com/oauth2/token HTTP/1.1
Host: api.box.com
Content-Length: 157
Expect: 100-continue
Connection: Keep-Alive

grant_type=authorization_code&code=nnqtYcoik7cjtHQYyn3Af8uk4LG3rYYh&client_id=[myclientId]&client_secret=[mysecret]&redirect_uri=[your-redirect-uri]