Box - API Connector JWT Authentication "Invalid Client Credentials", "No Start Line", "Wrong Tag"

Hello all. Has anyone gotten Box to authenticate properly using the API connector?

I’m attempting to authenticate over JWT using the provided method in the API connector but am running into a number of issues, most likely due to my general unfamiliarity with the authentication process. I’m using my Bubble login email address for the “Iss (account email)” field.

The API Connector would not take the private key generated in the .json downloaded from Box’s developer page. I extracted the private key from the .json configuration file, removed all the “\n” characters, tried to use it for JWT authentication, and would receive one of two errors:

Bubble JWT Error

and

wrong tag error

The difference between the two errors was formatting. I would receive “no start line” until I copied the entire block into notepad and re-copied and pasted back into the private key box in the API connector, then I was faced with “wrong tag”. I believe this is due to base64 vs base64URL encoding, but I’m not entirely sure.

To get past these errors, I had to create an RSA key pair manually through OpenSSL to generate a .pem file by using the following commands in CMD (taken from here)

openssl genrsa -aes256 -out private_key.pem 2048

openssl rsa -pubout -in private_key.pem -out public_key.pem

When I extracted the public/private key from the manually generated .pem files and added them to my app settings in Box, I got a new error “could not read password” when initializing the call in Bubble because OpenSSL forced me to provide a passphrase when creating the key pair, and I don’t see a way to specify that passphrase in the body of the API Connector prompt, unless I’m missing something. To remove the passphrase from the private key, I had to use the following command to basically take the private key in and output it without a passphrase.

openssl rsa -in private_key.pem -out private_key_2.pem

After extracting the private key from the newest .pem file (private_key_2.pem) I have the current error “invalid client credentials”. Unfortunately, I think recreating the key in this method broke its association with Box, causing the current error, but I could be wrong. So unless there’s a way to provide a passphrase to access the original private key generated alongside the original public key I provided to Box, I don’t see a way to authenticate over JWT unless I have a serious misunderstanding of the process (which is very possible).

Also, @emmanuel, in the API Connector under the JSON Web Token method, the box for the private key prompts to enter what’s in between the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- header/footer, but I think the exclusion of these lines is what was causing the “no start line” error. You might want to adjust your wording on that particular box to note that these header/footer lines do need to be present in the text body.

Any and all help/ideas would be hugely appreciated, I feel we’re very close to having this done but a lack of fundamental knowledge on the JWT process may mean we’re missing something simple. Thanks for taking a look.

Greg

I would be interested in trying to set up this JWT-based authentication to be able to extract Google Analytics data and use it in the Bubble app. Did anyone try this? The previous threads on this topic seem to be quite old, from when this method was not supported by Bubble. Now that it is supported, some pointers on how to configure it would be helpful.

Two questions:

  1. What is the meaning of Access token end-point? Where do I find the value for this?
  2. The Private key that we need to paste here, should it include -----BEGIN PRIVATE KEY----- & -----END PRIVATE KEY-----, or is this automatically added by Bubble? The wordings seem to be slightly confusing.

Thanks,
Paritosh Mehta

You definitely need the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- in the API Connector “Private Key” box, it will return a “no start line” error without them. I also had to copy/paste the string into Notepad, then back into the “Private Key” box to get it to move past “no start line”, it seems a little buggy. I agree that the wording is confusing and needs to be updated.

I gave up on this method and am now using AWS, Zapier, a simple PSQL database, and the SQL DB Connector plugin to get around the Box authentication issue since I wasn’t getting any answers. I recommend anyone running into these problems to do the same, it’s pretty straightforward and only took me an hour or two to set up, compared to the several hours I spent racking my brain on the authentication. Feel free to reach out to me here if you need any help, I wouldn’t want anyone to go through the same painstaking process I did without any help.

The Access token end-point should be provided by the service providing authentication, it’s the URL for making the token exchange. Box’s was https://api.box.com/oauth2/token (taken from here)

Also, here is a very helpful Bubble post walking through the AWS setup.

3 Likes
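A paste check for the private-key formats this thread runs into (escaped `\n`, stripped line breaks, missing header/footer, passphrase-protected keys, label/content mismatch), added here as an example; it is not Bubble's or Box's code. It assumes the errors quoted above are OpenSSL-style PEM/ASN.1 parse errors; `diagnose_key`, `inner_tag`, `make_pem` and the DER stubs are hypothetical names and constructed data containing no real key material.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def inner_tag(der):
    """Return the DER tag that follows the outer SEQUENCE header and version INTEGER 0."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    i = 2 + (der[1] & 0x7F if der[1] & 0x80 else 0)  # skip short- or long-form length
    if der[i:i + 3] != b"\x02\x01\x00" or len(der) <= i + 3:
        return None
    return der[i + 3]

def diagnose_key(text):
    """Return findings for a pasted private key; an empty list means it looks usable."""
    if "\\n" in text:
        return ["literal \\n escapes present: JSON-decode the value, do not delete them"]
    text = text.strip()
    if "-----BEGIN " not in text:
        return ["no BEGIN line: the header/footer lines must be pasted too"]
    m = PEM_RE.search(text)
    if not m:
        return ["BEGIN/END not on their own lines: line breaks were stripped"]
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
        return ["key is passphrase-protected: decrypt it or supply the passphrase"]
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:
        return ["body is not standard base64 (base64url or stray characters?)"]
    # PKCS#1 (RSA PRIVATE KEY) continues with INTEGER n; PKCS#8 (PRIVATE KEY) with a SEQUENCE
    expected = {"RSA PRIVATE KEY": 0x02, "PRIVATE KEY": 0x30}.get(label)
    if expected is None:
        return ["unexpected label: " + label]
    if inner_tag(der) != expected:
        return ["label %r does not match the DER structure inside" % label]
    return []

# Constructed input: tiny DER stubs with the right leading tags, not real keys.
def make_pem(label, der):
    return "-----BEGIN %s-----\n%s\n-----END %s-----" % (label, base64.b64encode(der).decode(), label)

PKCS1_STUB = bytes([0x30, 0x06, 0x02, 0x01, 0x00, 0x02, 0x01, 0x05])
PKCS8_STUB = bytes([0x30, 0x07, 0x02, 0x01, 0x00, 0x30, 0x02, 0x05, 0x00])

if __name__ == "__main__":
    print(diagnose_key(make_pem("RSA PRIVATE KEY", PKCS8_STUB)))
```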
