Advanced Settings
The provider enables granular control useful in more complex integrations or network topologies; for example, connecting from behind a firewall. In this section you can find more advanced provider configurations, as well as steps to troubleshoot connection errors.
Authenticate via OAuth Authentication
Use the OAuth authentication standard to connect to Box. You can authenticate with a user account or with a service account. A service account is required to grant organization-wide access scopes to the provider. The provider facilitates these authentication flows as described below.
Authenticate with a User Account
See Using OAuth Authentication for an authentication guide.Authenticate with a Service Account
Service accounts have silent authentication, without user authentication in the browser. You can also use a service account to delegate enterprise-wide access scopes to the provider.
You need to create an OAuth application in this flow. See Creating a Custom OAuth App to create and authorize an app. You can then connect to Box data that the service account has permission to access.
After setting the following connection properties, you are ready to connect:
- InitiateOAuth: Set to GETANDREFRESH.
- OAuthClientId: Set to the Client Id in your app settings.
- OAuthClientSecret: Set to the Client Secret in your app settings.
- OAuthJWTCertType: Set to "PEMKEY_FILE".
- OAuthJWTCert: Set to the path to the .pem file you generated.
- OAuthJWTCertPassword: Set to the password of the .pem file.
- OAuthJWTCertSubject: Set to "*" to pick the first certificate in the certificate store.
- OAuthJWTSubjectType: Set to "enterprise" or "user" depending on the Application Access Value you selected in your app settings. The default value of this connection property is "enterprise".
- OAuthJWTSubject: Set to your enterprise Id if your subject type is set to "enterprise" or your app user Id if your subject type is set to "user".
- OAuthJWTPublicKeyId: Set to the Id of your public key in your app settings.
- Creates and signs the JWT with the claim set required by the provider.
- Exchanges the JWT for the access token.
- Saves OAuth values in OAuthSettingsLocation to be persisted across connections.
- Submits the JWT for a new access token when the token expires.
Using OAuth Authentication
Use the OAuth authentication standard to connect to Box. You can authenticate with a user account or a service account. The provider facilitates this as described below.
Using a User Account to Authenticate to Box
The user account flow requires the authenticating user to interact with Box via the browser.
Embedded Credentials
Desktop Applications
See Embedded Credentials to connect with the provider's embedded credentials and skip creating a custom OAuth app.Headless Machines
See Headless Machines to skip creating a custom OAuth app and authenticate an application running on a headless server or another machine where the provider is not authorized to open a browser.Custom Credentials
Instead of connecting with the provider's embedded credentials, you can register an app to obtain the OAuthClientId and OAuthClientSecret.
When to Create a Custom OAuth App
Web Applications
You need to create a custom OAuth app in the web flow.
Desktop Applications
Creating a custom OAuth app is optional as the provider is already registered with Box and you can connect with its embedded credentials. You might want to create a custom OAuth app to change the information displayed when users log into the Box OAuth endpoint to grant permissions to the provider.
Headless Machines
Creating a custom OAuth app is optional to authenticate a headless machine; the provider is already registered with Box and you can connect with its embedded credentials. In the headless OAuth flow, users need to authenticate via a browser on another machine. You might want to create a custom OAuth app to change the information displayed when users log into the Box OAuth endpoint to grant permissions to the provider.
Using a Service Account to Connect to Box
Service accounts have silent authentication, without user authentication in the browser. You can also use a service account to delegate enterprise-wide access scopes to the provider.
You need to create an OAuth application in this flow. You can then connect to Box data that the service account has permission to access. See Custom Credentials for an authentication guide.
Creating a Custom OAuth App
See Creating a Custom OAuth App for a procedure.
Embedded Credentials
Authenticate using the Embedded OAuth Credentials
Desktop Authentication with the Embedded OAuth App
You can connect without setting any connection properties for your user credentials. After setting InitiateOAuth to GETANDREFRESH, you are ready to connect.
When you connect, the provider opens the OAuth endpoint in your default browser. Log in and grant permissions to the application. The provider then completes the OAuth process.
- Extracts the access token from the callback URL and authenticates requests.
- Obtains a new access token when the old one expires.
- Saves OAuth values in OAuthSettingsLocation to be persisted across connections.
Headless Machine
Using OAuth on a Headless Machine
The following sections show how to authenticate a headless server or another machine on which the provider cannot open a browser. You can authenticate with a user account or with a service account.Authenticate with a User Account
To authenticate with a user account, you need to authenticate from another machine. Authentication is a two-step process.- Instead of installing the provider on another machine, you can follow the steps below to obtain the OAuthVerifier value. Or, you can install the provider on another machine and transfer the OAuth authentication values, after you authenticate through the usual browser-based flow.
- You can then configure the provider to automatically refresh the access token from the headless machine.
Using the Embedded OAuth Credentials
Obtain a Verifier Code
Follow the steps below to authenticate from another machine and obtain the OAuthVerifier connection property:
- Click the following link to open the Box OAuth endpoint in your browser.
- Log in and grant permissions to the provider. You are then redirected to the callback URL, which contains the verifier code.
- Save the value of the verifier code. You will set this in the OAuthVerifier connection property.
On the headless machine, set the following connection properties to obtain the OAuth authentication values.
- OAuthVerifier: Set this to the verifier code.
- InitiateOAuth: Set this to REFRESH.
- OAuthSettingsLocation: Set this to persist the encrypted OAuth authentication values to the specified file
After the OAuth settings file is generated, set the following properties to connect to data:
- OAuthSettingsLocation: Set this to the file containing the encrypted OAuth authentication values. Make sure this file gives read and write permissions to the provider to enable the automatic refreshing of the access token.
- InitiateOAuth: Set this to REFRESH.
Transfer OAuth Settings
Follow the steps below to install the provider on another machine, authenticate, and then transfer the resulting OAuth values.
On a second machine, install the provider and connect with the following properties set:
- OAuthSettingsLocation: Set this to a writable text file.
- InitiateOAuth: Set this to GETANDREFRESH.
On the headless machine, set the following connection properties to connect to data:
- InitiateOAuth: Set this to REFRESH.
- OAuthSettingsLocation: Set this to the path to your OAuth settings file. Make sure this file gives read and write permissions to the provider to enable the automatic refreshing of the access token.
Creating a Custom OAuth App
When to Create a Custom OAuth App
User Account Authentication
Creating a custom OAuth app is required in the web flow. Creating a custom OAuth app is optional for desktop and headless applications; the provider is already registered with Box and you can connect with its embedded credentials.You might want to create a custom OAuth app to change the information displayed when users log into the Box OAuth endpoint to grant permissions to the provider.
Service Account Authentication
You need to create an OAuth app in the service account flow.
Create an OAuth App for User Account Authentication
Follow the procedure below to register an app and obtain the OAuthClientId and OAuthClientSecret.
Create a Custom OAuth App: Desktop
- Log in to your Box developers dashboard and click Create New App. Select your app type (e.g., Custom App).
- Select the Standard OAuth 2.0 (User Authentication) authentication method and click View Your App. (After creating your app, you can click Configuration from the main menu to access your app settings.)
- Set the Redirect URI to http://localhost:33333 or a different port number of your choice. When you connect you will need to set the CallbackURL connection property to this exact URL.
The OAuthClientId and OAuthClientSecret are also displayed in the same page.
- Select the scope of user permissions your app will request.
Create a Custom OAuth App: Web Apps
- Log in to your Box developers dashboard and click Create New App. Select your app type (e.g., Custom App).
- Select the Standard OAuth 2.0 (User Authentication) authentication method and click View Your App. (After creating your app, you can click Configuration from the main menu to access your app settings.)
If you are making a Web application, set the Redirect URI to a page on your Web app you would like the user to be returned to after they have authorized your application.
The OAuthClientId and OAuthClientSecret are also displayed in the same page.
- Select the scope of user permissions your app will request.
Create a Custom OAuth App: Headless Machines
Follow the procedure below to register an app and obtain the OAuth client credentials.
- Log in to your Box developers dashboard and click Create New App. Select your app type (e.g., Custom App).
- Select the Standard OAuth 2.0 (User Authentication) authentication method and click View Your App. (After creating your app, you can click Configuration from the main menu to access your app settings.)
- Set the Redirect URI to http://localhost:33333 or a different port number of your choice.
The OAuthClientId and OAuthClientSecret are also displayed in the same page.
- Select the scope of user permissions your app will request.
Create an OAuth App for Service Account Authentication
Follow the steps below to create an OAuth application and generate a private key. You will then authorize the service account.
- Log in to your Box developers dashboard and click Create New App. Select your app type (e.g., Custom App).
- Select the OAuth 2.0 with JWT (Server Authentication) authentication method and click View Your App. (After creating your app, you can click Configuration from the main menu to access your app settings.)
- Select the application access level and the scope of user permissions your app will request. The enterprise access level enables you to work with existing users in your enterprise. The application-level setting restricts access to App-type users, users that have only API access.
- Generate your RSA keypair. First you need to generate your private key. You can do this by running the following OpenSSL command : "openssl genrsa -aes128 -out private_key.pem 2048" (you can install and use the Cygwin package to run the OpenSSL RSA keypair if you are using Windows).
- Generate your public key by running the following OpenSSL command: "openssl rsa -pubout -in private_key.pem -out public_key.pem". Copy the contents of the generated public_key.pem file and then add it by using the Add and Manage Public Keys option in your app settings.
-
Authorize the application in the enterprise admin console: Click Apps -> Custom Applications -> Authorize New App and enter the Client Id in your app settings.
Note: If you change the JWT access scopes, you will need to reauthorize the application in the enterprise admin console: Click Apps in the main menu and then select the ellipsis button next to your JWT application name. Select Reauthorize App in the menu.
Customizing the SSL Configuration
By default, the provider attempts to negotiate SSL/TLS by checking the server's certificate against the system's trusted certificate store. To specify another certificate, see the SSLServerCert property for the available formats to do so.
Connecting Through a Firewall or Proxy
HTTP Proxies
To connect through the Windows system proxy, you do not need to set any additional connection properties. To connect to other proxies, set ProxyAutoDetect to false.
In addition, to authenticate to an HTTP proxy, set ProxyAuthScheme, ProxyUser, and ProxyPassword, in addition to ProxyServer and ProxyPort.
Other Proxies
Set the following properties:
- To use a proxy-based firewall, set FirewallType, FirewallServer, and FirewallPort.
- To tunnel the connection, set FirewallType to TUNNEL.
- To authenticate, specify FirewallUser and FirewallPassword.
- To authenticate to a SOCKS proxy, additionally set FirewallType to SOCKS5.
Troubleshooting the Connection
To show provider activity from query execution to network traffic, use Logfile and Verbosity. The examples of common connection errors below show how to use these properties to get more context. Contact the support team for help tracing the source of an error or circumventing a performance issue.
- Authentication errors: Typically, recording a Logfile at Verbosity 4 is necessary to get full details on an authentication error.
- Queries time out: A server that takes too long to respond will exceed the provider's client-side timeout. Often, setting the Timeout property to a higher value will avoid a connection error. Another option is to disable the timeout by setting the property to 0. Setting Verbosity to 2 will show where the time is being spent.
- The certificate presented by the server cannot be validated: This error indicates that the provider cannot validate the server's certificate through the chain of trust. If you are using a self-signed certificate, there is only one certificate in the chain.
To resolve this error, you must verify yourself that the certificate can be trusted and specify to the provider that you trust the certificate. One way you can specify that you trust a certificate is to add the certificate to the trusted system store; another is to set SSLServerCert.