Rclone box OATH2 Now seems to need you to generate your own client_id and client_secret

Hi All:

It seems that Box no longer allows you to leave the client_id and client_secret fields blank (to use rclone's client) when setting up a box remote.
Instead, you need to log into the box developer site and create your own OAUTH2 custom application and use the client_id and client_secret for your custom app. Don't forget to use http://localhost:53682 for the redirect url.

I'm just getting started with rclone and Box, but I'm having an issue where I enter the command rclone authorize "box" and the Box website says:

There seems to be a problem with this app.

Error: insecure_redirect_uri

Show Error Details

  • response_type=code
  • redirect_uri=http://127.0.0.1:53682/
  • state=<random string>
  • client_id=<random string>

I'm logged into Box in my browser. Have you run into this issue, or do you have any ideas? If not, I can file a bug in github.

Rclone version: 1.47.0
OS: Ubuntu 19.10
Box account type: Enterprise SSO

That is the same issue. You can create your own "application" and use its client id instead of the default rclone id.

It looks like Box have changed the policy over the redirect URI somehow. I'm in contact with the support team about it.

I think this maybe because rclone was recently approved into the app gallery so maybe the rules are tighter there?

I think that there are 2 things.

When you published, existing tokens stopped working in box Enterprise until the administrator whitelists the app. Setting up a new remote gets the problem that the redirect url isn't https. The redirect may be ok if it is "localhost" vs "127.0.0.1" or vice versa or it may be that a published app has to use ssl regardless.

I any case, I suggest you update instructions to emphasize setting up your own custom app.

Foo, that is annoying!

I've asked support to clarify this.

Presumably this only works if the custom app isn't approved?

This solution worked for me.

My workaround is here: http://uploads.lairds.com/kyler/rclone_token.txt

Box does not seem to work via HTTP with "localhost", either.

The box team have unlisted rclone from the app gallery.

This should mean that

  • the 127.0.0.1 redirect works OK
  • the old config works OK.

I had no idea getting rclone listed in the app gallery would cause so much disruption - I'll try to work with box for a smoother transition next time.

1 Like

Closing to consolidate duplicate recent topics. Keeping this one open in favor.