box / box-python-sdk

Box SDK for Python
http://opensource.box.com/box-python-sdk/
Apache License 2.0

JWT Connection 'sub' specified. #822

Closed potter-potter closed 1 year ago

potter-potter commented 1 year ago

Description of the Issue

I cannot get JWT to work. I have tried so many times. I keep getting `boxsdk.exception.BoxAPIException: Message: Please check the 'sub' claim. The 'sub' specified is invalid.`

Steps to Reproduce

I don't have an enterprise account. I just have a free account. But I'm developing for a service that will connect to Box to download files and process them.

I have tried this several times in several different ways. But this is the simplest test:

```python
from boxsdk import JWTAuth, Client

auth = JWTAuth.from_settings_file('path...to...my...json...file/0_blabla_config.json')
client = Client(auth)
service_account = client.user().get()
```

I was successful with the Developer token with the developer code. But the end product will use JWT/OAuth.

Expected Behavior

Expected to get the authentication.

Error Message, Including Stack Trace

```text
"POST https://api.box.com/oauth2/token" 400 109 {'Date': 'Sat, 01 Jul 2023 02:02:07 GMT', 'Content-Type': 'application/json', 'Transfer-Encoding': 'chunked', 'Strict-Transport-Security': 'max-age=31536000', 'Set-Cookie': 'box_visitor_id=#######; expires=Mon, 01-Jul-2024 02:02:07 GMT; Max-Age=31622400; path=/; domain=.box.com; secure; SameSite=None, bv=OPS-46278; expires=Sat, 08-Jul-2023 02:02:07 GMT; Max-Age=604800; path=/; domain=.app.box.com; secure, cn=62; expires=Mon, 01-Jul-2024 02:02:07 GMT; Max-Age=31622400; path=/; domain=.app.box.com; secure, site_preference=desktop; path=/; domain=.box.com; secure', 'Cache-Control': 'no-store', 'Via': '1.1 google', 'Alt-Svc': 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000'}
{'error': 'invalid_grant', 'error_description': "Please check the 'sub' claim. The 'sub' specified is " 'invalid.'}
```

```text
Traceback (most recent call last):
  File "/Users/#######/Documents/temp/box_test/box-python-sdk-ff19bc36bc47c7a0c929e73d33fc8f4b38450517/boxsdk/auth/oauth2.py", line 284, in _execute_token_request
    self._check_closed()
  File "/Users/#######/Documents/temp/box_test/box-python-sdk-ff19bc36bc47c7a0c929e73d33fc8f4b38450517/boxsdk/session/session.py", line 138, in request
    response = self._prepare_and_send_request(method, url, **kwargs)
  File "/Users/#######/Documents/temp/box_test/box-python-sdk-ff19bc36bc47c7a0c929e73d33fc8f4b38450517/boxsdk/session/session.py", line 362, in _prepare_and_send_request
    self._raise_on_unsuccessful_request(network_response, request, raised_exception)
  File "/Users/#######/Documents/temp/box_test/box-python-sdk-ff19bc36bc47c7a0c929e73d33fc8f4b38450517/boxsdk/session/session.py", line 271, in _raise_on_unsuccessful_request
    raise BoxAPIException(
boxsdk.exception.BoxAPIException: Message: Please check the 'sub' claim. The 'sub' specified is invalid.
Status: 400
Code: invalid_grant
Request ID: None
Headers: {'Date': 'Sat, 01 Jul 2023 02:02:07 GMT', 'Content-Type': 'application/json', 'Transfer-Encoding': 'chunked', 'Strict-Transport-Security': 'max-age=31536000', 'Set-Cookie': 'box_visitor_id=#######; expires=Mon, 01-Jul-2024 02:02:07 GMT; Max-Age=31622400; path=/; domain=.box.com; secure; SameSite=None, bv=OPS-46278; expires=Sat, 08-Jul-2023 02:02:07 GMT; Max-Age=604800; path=/; domain=.app.box.com; secure, cn=62; expires=Mon, 01-Jul-2024 02:02:07 GMT; Max-Age=31622400; path=/; domain=.app.box.com; secure, site_preference=desktop; path=/; domain=.box.com; secure', 'Cache-Control': 'no-store', 'Via': '1.1 google', 'Alt-Svc': 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000'}
URL: https://api.box.com/oauth2/token
Method: POST
Context Info: None
```

The above exception was the direct cause of the following exception:

```text
Traceback (most recent call last):
  File "test.py", line 7, in
    service_account = client.user().get()
  File "/Users/#######/Documents/temp/box_test/box-python-sdk-ff19bc36bc47c7a0c929e73d33fc8f4b38450517/boxsdk/util/api_call_decorator.py", line 63, in call
    return method(*args, kwargs)
  File "/Users/#######/Documents/temp/box_test/box-python-sdk-ff19bc36bc47c7a0c929e73d33fc8f4b38450517/boxsdk/object/base_object.py", line 70, in get
    box_response = self._session.get(url, params=params, headers=headers)
  File "/Users/#######/Documents/temp/box_test/box-python-sdk-ff19bc36bc47c7a0c929e73d33fc8f4b38450517/boxsdk/session/session.py", line 92, in get
    return self.request('GET', url, kwargs)
  File "/Users/#######/Documents/temp/box_test/box-python-sdk-ff19bc36bc47c7a0c929e73d33fc8f4b38450517/boxsdk/session/session.py", line 138, in request
    response = self._prepare_and_send_request(method, url, kwargs)
  File "/Users/#######/Documents/temp/box_test/box-python-sdk-ff19bc36bc47c7a0c929e73d33fc8f4b38450517/boxsdk/session/session.py", line 335, in _prepare_and_send_request
    network_response = self._send_request(request, kwargs)
  File "/Users/#######/Documents/temp/box_test/box-python-sdk-ff19bc36bc47c7a0c929e73d33fc8f4b38450517/boxsdk/session/session.py", line 564, in _send_request
    access_token = self._renew_session(None)
  File "/Users/#######/Documents/temp/box_test/box-python-sdk-ff19bc36bc47c7a0c929e73d33fc8f4b38450517/boxsdk/session/session.py", line 512, in _renew_session
    new_accesstoken, = self._oauth.refresh(access_token_used)
  File "/Users/#######/Documents/temp/box_test/box-python-sdk-ff19bc36bc47c7a0c929e73d33fc8f4b38450517/boxsdk/auth/oauth2.py", line 221, in refresh
    access_token, refresh_token = self._refresh(access_token_to_refresh)
  File "/Users/#######/Documents/temp/box_test/box-python-sdk-ff19bc36bc47c7a0c929e73d33fc8f4b38450517/boxsdk/auth/server_auth.py", line 39, in _refresh
    new_access_token = self.authenticate_instance()
  File "/Users/#######/Documents/temp/box_test/box-python-sdk-ff19bc36bc47c7a0c929e73d33fc8f4b38450517/boxsdk/auth/server_auth.py", line 102, in authenticate_instance
    return self._authenticate(self._enterprise_id, self.ENTERPRISE_SUBJECT_TYPE)
  File "/Users/#######/Documents/temp/box_test/box-python-sdk-ff19bc36bc47c7a0c929e73d33fc8f4b38450517/boxsdk/auth/server_auth.py", line 137, in _authenticate
    raise ex
  File "/Users/#######/Documents/temp/box_test/box-python-sdk-ff19bc36bc47c7a0c929e73d33fc8f4b38450517/boxsdk/auth/server_auth.py", line 123, in _authenticate
    return self._fetch_access_token(subject_id, subject_type, date)
  File "/Users/#######/Documents/temp/box_test/box-python-sdk-ff19bc36bc47c7a0c929e73d33fc8f4b38450517/boxsdk/auth/jwt_auth.py", line 183, in _fetch_access_token
    return self.send_token_request(data, access_token=None, expect_refresh_token=False)[0]
  File "/Users/#######/Documents/temp/box_test/box-python-sdk-ff19bc36bc47c7a0c929e73d33fc8f4b38450517/boxsdk/auth/oauth2.py", line 351, in send_token_request
    token_response = self._execute_token_request(data, access_token, expect_refresh_token)
  File "/Users/#######/Documents/temp/box_test/box-python-sdk-ff19bc36bc47c7a0c929e73d33fc8f4b38450517/boxsdk/auth/oauth2.py", line 284, in _execute_token_request
    self._check_closed()
boxsdk.exception.BoxOAuthException: Message: Please check the 'sub' claim. The 'sub' specified is invalid.
Status: 400
URL: https://api.box.com/oauth2/token
Method: POST
Headers: {'Date': 'Sat, 01 Jul 2023 02:02:07 GMT', 'Content-Type': 'application/json', 'Transfer-Encoding': 'chunked', 'Strict-Transport-Security': 'max-age=31536000', 'Set-Cookie': 'box_visitor_id=#######; expires=Mon, 01-Jul-2024 02:02:07 GMT; Max-Age=31622400; path=/; domain=.box.com; secure; SameSite=None, bv=OPS-46278; expires=Sat, 08-Jul-2023 02:02:07 GMT; Max-Age=604800; path=/; domain=.app.box.com; secure, cn=62; expires=Mon, 01-Jul-2024 02:02:07 GMT; Max-Age=31622400; path=/; domain=.app.box.com; secure, site_preference=desktop; path=/; domain=.box.com; secure', 'Cache-Control': 'no-store', 'Via': '1.1 google', 'Alt-Svc': 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000'}
```

Screenshots

Versions Used

Python SDK: 3.7.2 (latest)
Python: Python 3.8.15

mwwoda commented 1 year ago

Hi @potter-potter. It looks like it may be caused by https://support.box.com/hc/en-us/community/posts/15257013694995-JWT-authentication-Please-check-the-sub-claim-The-sub-specified-is-invalid-. You may want to check whether the enterprise ID is set to 0 in the config file.

AFAIK, recently some account capabilities have been restricted for free accounts - https://support.box.com/hc/en-us/community/posts/16310194663315-Free-developer-accounts-PLEASE-READ. If you are affected by this, the best solution would probably be to get a sandbox if you are working for a client with an enterprise ID, or to try switching to OAuth.
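A pre-flight check for the failure mode described in this thread, added here as an example (it is not part of the box-python-sdk and not posted by anyone in the issue): it parses a Box JWT config in the layout the App Settings download uses and flags an `enterpriseID` of `0` before any token request is made, since that value becomes the `sub` claim the API rejects. The sample config and all its values are constructed placeholders; the claim names follow Box's public JWT documentation.

```python
import json
import time
import uuid

# Constructed sample config in the layout of a downloaded Box app-settings
# file; enterpriseID "0" is what a free account gets, per this thread.
SAMPLE_CONFIG = json.dumps({
    "boxAppSettings": {
        "clientID": "placeholder-client-id",
        "clientSecret": "placeholder-secret",
        "appAuth": {
            "publicKeyID": "abcd1234",
            "privateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nPLACEHOLDER\n-----END ENCRYPTED PRIVATE KEY-----\n",
            "passphrase": "placeholder",
        },
    },
    "enterpriseID": "0",
})


def check_box_jwt_config(config_text):
    """Return a list of problems found in a Box JWT config; empty means OK."""
    cfg = json.loads(config_text)
    problems = []
    app = cfg.get("boxAppSettings", {})
    for key in ("clientID", "clientSecret"):
        if not app.get(key):
            problems.append(f"boxAppSettings.{key} is missing or empty")
    auth = app.get("appAuth", {})
    for key in ("publicKeyID", "privateKey", "passphrase"):
        if not auth.get(key):
            problems.append(f"boxAppSettings.appAuth.{key} is missing or empty")
    # The SDK sends enterpriseID as the 'sub' claim; 0 is never a valid subject.
    ent = str(cfg.get("enterpriseID", "")).strip()
    if not ent.isdigit() or int(ent) == 0:
        problems.append(f"enterpriseID {ent!r} cannot be used as the JWT 'sub' claim")
    return problems


def preview_claims(config_text, subject_type="enterprise"):
    """Unsigned claim set a Box JWT assertion would carry for this config."""
    cfg = json.loads(config_text)
    return {
        "iss": cfg["boxAppSettings"]["clientID"],
        "sub": str(cfg["enterpriseID"]),
        "box_sub_type": subject_type,
        "aud": "https://api.box.com/oauth2/token",
        "jti": uuid.uuid4().hex,
        "exp": int(time.time()) + 30,
    }
```

Run `check_box_jwt_config` on the file you would pass to `JWTAuth.from_settings_file` and refuse to start the service if it returns anything; `preview_claims` shows the `sub` value without signing or sending anything.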

ryannikolaidis commented 1 year ago

This looks very similar to this issue reported a few months ago. Was there a solution, or is it still in progress?

barduinor commented 1 year ago

Unfortunately we don't have a solution for this at the moment.

See if any of the workarounds described here work for you.

We are sorry for this situation and understand the high impact this may cause.

mwwoda commented 1 year ago

I'm closing this issue because it's not caused by the SDK itself. Please use the workaround provided by @barduinor.