OAuth authentication with Box 1.67 and later is failing

What is the problem you are having with rclone?

Configuring a Box remote with version 1.67 and later fails with:

Version: 1.67 (version that comes with Fedora 41) and 1.68.1
I also installed the latest upstream build (1.68.1) and:

$ rclone version
rclone v1.68.1
- os/version: fedora 41 (64 bit)
- os/kernel: 6.11.5-300.fc41.x86_64 (x86_64)
- os/type: linux
- os/arch: amd64
- go/version: go1.23.1
- go/linking: static
- go/tags: none

But if I revert to 1.64.2, it configures the remote fine.

Which cloud storage system are you using?

Box

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone -vvv config create box box client_id="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

Please run 'rclone config redacted' and share the full output.

rclone config redacted
[box]
type = box
client_id = XXX

rclone lsd box:
2024/11/07 07:23:00 CRITICAL: Failed to create file system for "box:": failed to configure Box: empty token found - please run "rclone config reconnect box:"

A log from the command that you were trying to run with the -vv flag

Output from the 1.67 client (1.68.1 client returns the same output):

rclone -vvv config create box box client_id="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
2024/11/06 13:59:37 DEBUG : rclone: Version "v1.67.0" starting with parameters ["rclone" "-vvv" "config" "create" "box" "box" "client_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"]
2024/11/06 13:59:37 DEBUG : Using config file from "/home/bmatteso/.config/rclone/rclone.conf"
2024/11/06 13:59:37 DEBUG : Saving config "client_id" in section "box" of the config file
2024/11/06 13:59:37 DEBUG : box: config in: state="", result=""
2024/11/06 13:59:37 DEBUG : box: config out: out=&{State:*oauth,,, Option:<nil> OAuth:<nil> Error: Result:}, err=<nil>
2024/11/06 13:59:37 DEBUG : box: config in: state="*oauth,,,", result=""
2024/11/06 13:59:37 DEBUG : box: config out: out=&{State:*oauth-confirm,,, Option:<nil> OAuth:<nil> Error: Result:}, err=<nil>
2024/11/06 13:59:37 DEBUG : box: config in: state="*oauth-confirm,,,", result=""
2024/11/06 13:59:37 DEBUG : Auto confirm is set, choosing default "true" for state "*oauth-islocal,,,", override by setting config parameter "config_is_local"
2024/11/06 13:59:37 DEBUG : box: config out: out=&{State:*oauth-islocal,,, Option:<nil> OAuth:<nil> Error: Result:true}, err=<nil>
2024/11/06 13:59:37 DEBUG : box: config in: state="*oauth-islocal,,,", result="true"
2024/11/06 13:59:37 DEBUG : box: config out: out=&{State:*oauth-do,,, Option:<nil> OAuth:<nil> Error: Result:}, err=<nil>
2024/11/06 13:59:37 DEBUG : box: config in: state="*oauth-do,,,", result=""
2024/11/06 13:59:37 NOTICE: Make sure your Redirect URL is set to "http://127.0.0.1:53682/" in your custom config.
2024/11/06 13:59:37 DEBUG : Starting auth server on 127.0.0.1:53682
2024/11/06 13:59:37 NOTICE: If your browser doesn't open automatically go to the following link: http://127.0.0.1:53682/auth?state=mYL-He2UrsLy3xAkuiRQ4Q
2024/11/06 13:59:37 NOTICE: Log in and authorize rclone for access
2024/11/06 13:59:37 NOTICE: Waiting for code...
2024/11/06 13:59:38 DEBUG : Redirecting browser to: https://app.box.com/api/oauth2/authorize?access_type=offline&client_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&redirect_uri=http%3A%2F%2F127.0.0.1%3A53682%2F&response_type=code&state=mYL-He2UrsLy3xAkuiRQ4Q
2024/11/06 13:59:58 DEBUG : Received GET request on auth server to "/"
2024/11/06 13:59:58 NOTICE: Got code
2024/11/06 13:59:58 DEBUG : Closing auth server
2024/11/06 13:59:58 DEBUG : Closed auth server with error: accept tcp 127.0.0.1:53682: use of closed network connection
2024/11/06 13:59:59 DEBUG : box: config out: out=<nil>, err=failed to get token: oauth2: "invalid_client" "The client credentials are invalid"
Error: failed to get token: oauth2: "invalid_client" "The client credentials are invalid"
Usage:
  rclone config create name type [key value]* [flags]

Flags:
      --all               Ask the full set of config questions
      --continue          Continue the configuration process with an answer
  -h, --help              help for create
      --no-obscure        Force any passwords not to be obscured
      --non-interactive   Don't interact with user and return questions
      --obscure           Force any passwords to be obscured
      --result string     Result - use with --continue
      --state string      State - use with --continue

Use "rclone [command] --help" for more information about a command.
Use "rclone help flags" for to see the global flags.
Use "rclone help backends" for a list of supported services.

2024/11/06 13:59:59 Fatal error: failed to get token: oauth2: "invalid_client" "The client credentials are invalid"

welcome to the forum,

i did a test using v1.68.1, worked fine but need to add client_secret

rclone -vv config create box box client_id=redacted client_secret=redacted

We never needed to do that before 1.67. Do you know if this was an intentional change? We normally run the command as I included above and we authenticate via our corporate SSO. Don't think we could use this if we had to distribute a client secret to everyone.

i do not have a way to test that.


maybe this can help?
I have been using rclone with a box enterprise account that uses SSO


can you post an example of a working remote?

Working remote "box:"

rclone config redacted
[box]
type = box
client_id = XXX
token = XXX

Version:

rclone version
rclone 1.64.2
- os/version: fedora 40 (64 bit)
- os/kernel: 6.11.5-200.fc40.x86_64 (x86_64)
- os/type: linux
- os/arch: amd64
- go/version: go1.21.6
- go/linking: dynamic
- go/tags: none

About:

rclone about box:
Total:   909.495 TiB
Used:    1.569 TiB
Free:    907.926 TiB

i do not know why latest rclone has the issue, maybe a bug, maybe a change.

not sure i understand your setup but the end-user would have access to the rclone config file with the token?

so, what is the issue if the end-user has access to the client secret?

I was assuming the client_secret is meant to be kept secret. But I guess that depends on what can be done with this client_secret, and I don't know what can be done with it.

afaik, the client_secret is not a security risk.
if you revoke the app used by rclone from box.com then both the client_id and client_secret are useless.

in the end, need to protect the token
i am not an expert of box.com, but you can confirm that, ask box.

by way of an example:

if i have a box remote with client_id + client_secret

rclone config redacted box:
[box]
type = box
client_id = XXX
client_secret = XXX
token = XXX

rclone lsd box:
          -1 2023-08-15 10:07:35        -1 zork

and then i edit that same exact remote, to remove client_id and client_secret, the remote still works

rclone config redacted box:
[box]
type = box
token = XXX

rclone lsd box:
          -1 2023-08-15 10:07:35        -1 zork
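
An added example, not part of the posts above and not rclone's own code: since the remote keeps working with only `token` present, the config file is the thing to protect. This sketch audits an rclone config for loose file permissions and for Box remotes shaped like the one that hit `invalid_client` in this thread. The names `audit_rclone_config` and `demo` and the sample config are constructed for illustration, and the `client_id`-without-`client_secret` check is a heuristic based only on the reports above.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample config (not from the thread); all values are placeholders.
SAMPLE = """\
[box_id_only]
type = box
client_id = PLACEHOLDER_ID

[box_full]
type = box
client_id = PLACEHOLDER_ID
client_secret = PLACEHOLDER_SECRET
token = {"access_token":"PLACEHOLDER","token_type":"bearer"}

[other]
type = s3
"""

def audit_rclone_config(path):
    """Return (section, finding) tuples for an rclone config file."""
    findings = []
    # The stored token alone grants access, so group/other access is a finding.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(("<file>", f"mode {mode:04o} exposes stored tokens"))
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read(path)
    for name in cfg.sections():
        sec = cfg[name]
        if sec.get("type") != "box":
            continue
        has = {k: bool(sec.get(k, "").strip())
               for k in ("client_id", "client_secret", "token")}
        if has["client_id"] and not has["client_secret"]:
            # Shape that hit "invalid_client" at token exchange in the thread.
            findings.append((name, "client_id without client_secret"))
        if not has["token"]:
            findings.append((name, "no token stored"))
    return findings

def demo(mode):
    """Write SAMPLE to a temp file with the given mode and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(SAMPLE)
    try:
        os.chmod(fh.name, mode)
        return audit_rclone_config(fh.name)
    finally:
        os.unlink(fh.name)
```

Point `audit_rclone_config` at the path printed by `rclone config file` to check a real config.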

Be aware that box.com is a terrible company. If you need to use it, at least have a backup. They have held rclone users' data before with no way of getting it back. If you want to read more on that, read "Unlimited" alternatives to Google Drive, what are the options? (search for box or box.com)

To be fair, it happens only when people use Box as something that it is not - cheap cloud storage... And abuse T&Cs in the process.

For their intended use I know quite a few happy users.
