Box oauth2: Invalid grant_type parameter or parameter missing
G

6

11

I don't know what I'm doing wrong, but every time I try to obtain the token (after user authentication, of course), the result is always "Invalid grant_type parameter or parameter missing".

Possibly related to Box API always returns invalid grant_type parameter on obtaining access token

Here is my fiddler result:

POST https://api.box.com/oauth2/token HTTP/1.1
Host: api.box.com
Content-Length: 157
Expect: 100-continue
Connection: Keep-Alive

grant_type=authorization_code&code=nnqtYcoik7cjtHQYyn3Af8uk4LG3rYYh&client_id=[myclientId]&client_secret=[mysecret]

Result:

HTTP/1.1 400 Bad Request
Server: nginx
Date: Thu, 07 Mar 2013 11:18:36 GMT
Content-Type: application/json
Connection: keep-alive
Set-Cookie: box_visitor_id=5138778bf12a01.27393131; expires=Fri, 07-Mar-2014 11:18:35 GMT; path=/; domain=.box.com
Set-Cookie: country_code=US; expires=Mon, 06-May-2013 11:18:36 GMT; path=/
Cache-Control: no-store
Content-Length: 99

{"error":"invalid_request","error_description":"Invalid grant_type parameter or parameter missing"}

Even following the curl example gives the same error. Any help would be appreciated.

Edit: tried with additional redirect_uri params but still the same error

POST https://api.box.com/oauth2/token HTTP/1.1
Content-Type: application/json; charset=UTF-8
Host: api.box.com
Content-Length: 187
Expect: 100-continue
Connection: Keep-Alive

grant_type=authorization_code&code=R3JxS7UPm8Gjc0y7YLj9qxifdzBYzLOZ&client_id=*****&client_secret=*****&redirect_uri=http://localhost

Result:

HTTP/1.1 400 Bad Request
Server: nginx
Date: Sat, 09 Mar 2013 00:46:38 GMT
Content-Type: application/json
Connection: keep-alive
Set-Cookie: box_visitor_id=513a866ec5cfe0.48604831; expires=Sun, 09-Mar-2014 00:46:38 GMT; path=/; domain=.box.com
Set-Cookie: country_code=US; expires=Wed, 08-May-2013 00:46:38 GMT; path=/
Cache-Control: no-store
Content-Length: 99

{"error":"invalid_request","error_description":"Invalid grant_type parameter or parameter missing"}
Giefer answered 7/3, 2013 at 11:28 Comment(1)
Check John Hoerr's reply: #15438025 - Classic
E
20

Looks like Box requires a correct Content-Type: application/x-www-form-urlencoded request header in addition to properly URL encoding the parameters. The same seems to apply to refresh and revoke requests.

Also, per RFC 6749, the redirect_uri is only

REQUIRED, if the "redirect_uri" parameter was included in the authorization request as described in Section 4.1.1, and their values MUST be identical.

Engird answered 15/3, 2013 at 16:45 Comment(3)
Thank you. The root issue is not having a correct content-type. In the end I removed the redirect_uri from the form request. - Giefer
I was wondering about that redirect! Some apps don't need a redirect, like android, so it was a mystery why one was needed on the request. Thank you! - Ulrikaumeko
I had a space at the end of my grant_type by accident. Removed it and it worked perfectly. - Battles
K
4

I was facing a similar issue.

  • The problem is not with Content-Type.
  • The issue is with the lifecycle of code you receive.

One key aspect not mentioned in most places is that the code you get on redirect lasts only 30 seconds.

To get the access token and refresh token, you have to make the post request in 30 seconds or less.

If you fail to do that, you get the stated error. I found the info here.

The code below worked for me. Keep in mind the 30-second rule.

import requests

url = 'https://api.box.com/oauth2/token'

data = [
    ('grant_type', 'authorization_code'),
    ('client_id', 'YOUR_CLIENT_ID'),
    ('client_secret', 'YOUR_CLIENT_SECRET'),
    ('code', 'XXXXXX'),
]

response = requests.post(url, data=data)

print(response.content)

Hope that helps.

Khiva answered 28/2, 2018 at 17:35 Comment(2)
Thanks man, I was thinking that API I was using was broken, but the problem was this 30 seconds - Chantell
This should be the accepted answer! I couldn't fix the issue with even a normal request via burp (I'm still a novice on how to do them right) but this solved the problem for me - Jape
W
1

You are missing the redirect URI parameter. Try:

POST https://api.box.com/oauth2/token HTTP/1.1
Host: api.box.com
Content-Length: 157
Expect: 100-continue
Connection: Keep-Alive

grant_type=authorization_code&code=nnqtYcoik7cjtHQYyn3Af8uk4LG3rYYh&client_id=[myclientId]&client_secret=[mysecret]&redirect_uri=[your-redirect-uri]
Wulfila answered 7/3, 2013 at 16:44 Comment(0)
M
0

I also faced the same issue implementing oauth2. I added Content-Type: application/x-www-form-urlencoded. When I added the content-type, my issue was solved.

Check and add valid content-type.

Mess answered 17/11, 2015 at 13:46 Comment(0)
W
0

Not sure who might need this in the future, but be sure you're sending a POST request to get the access token and not trying to retrieve it by using GET. If you're testing, pasting in the address bar won't work; you need to send a POST request with the data in the BODY and not as query parameters.

Also the code usually lasts for a few seconds, so you need to use it as soon as it's sent back.

Winer answered 3/5, 2019 at 21:24 Comment(0)
Z
0

After trying all the solutions, if the error is still the same, then try this middleware in your server/app/index:

app.use(express.urlencoded({ extended: true }));
Zacek answered 26/9, 2023 at 8:30 Comment(1)
Remember that Stack Overflow isn't just intended to solve the immediate problem, but also to help future readers find solutions to similar problems, which requires understanding the underlying code. This is especially important for members of our community who are beginners, and not familiar with the syntax. Given that, can you edit your answer to include an explanation of what you're doing and why you believe it is the best approach? - Divergency
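
The causes reported across the answers above (wrong or missing Content-Type, whitespace in grant_type, GET or query-string parameters instead of a POST body, a redirect_uri that does not match the authorization request) can be checked offline against a captured request before it is sent. This is an added example, not code from any answer or from Box; the function name lint_token_request and the sample captures are constructed here with placeholder values.

```python
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

FORM = "application/x-www-form-urlencoded"

def lint_token_request(raw: str, authz_redirect_uri: Optional[str] = None) -> list:
    """Return a list of problems found in a raw HTTP token-request capture."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target = request_line.split()[:2]
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in header_lines if ":" in h)}
    problems = []
    if method != "POST":
        problems.append("method is not POST")
    if urlsplit(target).query:
        problems.append("parameters are in the query string, not the body")
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type != FORM:
        problems.append(f"Content-Type is {media_type or 'missing'}, expected {FORM}")
    params = dict(parse_qsl(body.strip("\n"), keep_blank_values=True))
    grant = params.get("grant_type")
    if grant is None:
        problems.append("grant_type is missing from the body")
    elif grant != grant.strip():
        problems.append("grant_type has leading or trailing whitespace")
    # RFC 6749 4.1.3: if the authorization request carried redirect_uri,
    # the token request must repeat the identical value.
    if authz_redirect_uri is not None and params.get("redirect_uri") != authz_redirect_uri:
        problems.append("redirect_uri differs from the authorization request")
    return problems

# Constructed captures modelled on the requests in the question (placeholder values).
BODY = "grant_type=authorization_code&code=SAMPLE_CODE&client_id=ID&client_secret=SECRET"
REQUEST_LINE = "POST https://api.box.com/oauth2/token HTTP/1.1\nHost: api.box.com\n"
NO_CONTENT_TYPE = REQUEST_LINE + "\n" + BODY
JSON_CONTENT_TYPE = (REQUEST_LINE + "Content-Type: application/json; charset=UTF-8\n\n"
                     + BODY + "&redirect_uri=http://localhost")
FIXED = REQUEST_LINE + f"Content-Type: {FORM}\n\n" + BODY

if __name__ == "__main__":
    for name in ("NO_CONTENT_TYPE", "JSON_CONTENT_TYPE", "FIXED"):
        print(name, lint_token_request(globals()[name]))
```

The authorization code's short lifetime, mentioned in two of the answers, cannot be seen in a capture and is not checked here.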
