App Users for external/customer enterprises
I was looking at making a web application (will host on own servers) for other Box users and enterprises, not my own.
For regular users, the OAuth process is straightforward, with me creating the Box Application under my account, then using its client ID and secret to request access to a user's account, although I can only seem to choose between "Read Only" and "Full File" access. I guess that's part of the reason for businesses to get proper enterprise accounts.
But I am not clear on what the intended process is for enterprise customers. I can set up an application on my account (at https://app.box.com/developers/services/ as described by https://docs.box.com/docs/app-auth ) with a keypair, my webhooks, branding, etc., but I am not clear on the process to then request access to an enterprise customer's account.
The document I found, https://docs.box.com/v2.0/docs/app-users, seems to be geared for me to create an app user for my own account, not someone else's, and immediately goes into complex steps that do not seem suitable for most customers.
Is the intended process that I get a customer admin to go down the OAuth route like for normal users, requesting the "Manage app users" permission, then do the https://docs.box.com/v2.0/docs/app-users steps and discard that first OAuth token? The permission seems a lot wider than what many people may wish to grant my app, as it appears to be pretty much total access to their enterprise account?
-
To access content from a Managed User's Box Account, you will need to implement the OAuth authentication process.
App Users are designed to be used with JWT Authentication. App Users are API-only users in Box. For example, if you are building an application and need a place to store and access files on behalf of your end users, you can use App Users for this.
-
Yes, my server will read and modify files without direct user interaction, and for enterprise I want the option to access files for potentially that entire enterprise account, or maybe something more specific like a certain user group.
My server can store and refresh those OAuth tokens indefinitely, but it looks like it would be more appropriate for my server to work with JWT?
The option I see is to do OAuth with "Manage app users" and ask an Enterprise admin to authorise it for their account, then use my own code to create the App User and discard the OAuth tokens. Is that the correct process?
EDIT: Actually, on testing, that does not seem to work, so I am still very unclear on how I am meant to support enterprises; the OAuth seems to only work for single users, such as my personal account.
Having added the enterprise permissions to the app (User Type: App Users, and all scopes except "Manage enterprise" which was disabled), and going through OAuth again with my main/admin account, "/users/" does list all the users I put in my account.
But "/folders/" etc. is still only my specific user, "/users/me" has no "enterprise" value, and if I manually put the enterprise ID (from https://app.box.com/master/settings ) as a JWT claim sub, I get "This app is not authorized by the enterprise admin".
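The JWT flow the reply above points to, and the `sub` claim the follow-up post was filling in by hand, as an added example (not code from this thread or from Box's SDKs). It builds the assertion for Box's JWT grant, the form body posted to the token endpoint, and the body used to create an App User. The client ID, client secret, enterprise ID and RSA key are placeholders; the signer is passed in as a callable so the claim and encoding logic runs with the standard library alone, and the RS256 signer only imports the `cryptography` package when it is actually called. The `box_sub_type` claim is what selects an enterprise token (`sub` is the enterprise ID) versus a user token (`sub` is a managed or App User ID); `exp` may be at most 60 seconds in the future and `jti` must be unique per assertion, so both are checked here.

```python
"""Build a Box JWT-grant assertion and the follow-up App User request.

Added example for this thread; placeholders (CLIENT_ID, CLIENT_SECRET,
ENTERPRISE_ID, the RSA key) are assumptions, not values from the thread.
"""
import base64
import json
import time
import uuid
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode

BOX_TOKEN_URL = "https://api.box.com/oauth2/token"
BOX_USERS_URL = "https://api.box.com/2.0/users"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
MAX_ASSERTION_LIFETIME = 60  # Box rejects an exp more than 60 s in the future


def _b64url(data: bytes) -> str:
    """Unpadded base64url, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_claims(client_id: str, sub: str, sub_type: str,
                 now: Optional[int] = None, lifetime: int = 45) -> Dict:
    """Claims for Box's JWT grant. sub_type picks enterprise vs user token."""
    if sub_type not in ("enterprise", "user"):
        raise ValueError("box_sub_type must be 'enterprise' or 'user'")
    if not 0 < lifetime <= MAX_ASSERTION_LIFETIME:
        raise ValueError("assertion lifetime must be 1..60 seconds")
    now = int(time.time()) if now is None else int(now)
    return {
        "iss": client_id,            # the app's client ID
        "sub": str(sub),             # enterprise ID or user ID, per sub_type
        "box_sub_type": sub_type,
        "aud": BOX_TOKEN_URL,
        "jti": uuid.uuid4().hex + uuid.uuid4().hex,  # 64 chars, unique (Box: 16-128)
        "exp": now + lifetime,
    }


def encode_assertion(claims: Dict, signer: Callable[[bytes], bytes],
                     kid: str, alg: str = "RS256") -> str:
    """header.payload.signature; kid is the public key ID registered with Box."""
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(claims))
    return signing_input + "." + _b64url(signer(signing_input.encode("ascii")))


def decode_unverified(token: str) -> Tuple[Dict, Dict]:
    """Split a JWT into (header, claims) without checking the signature;
    only for inspecting what would be sent."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    dec = lambda s: json.loads(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)))
    return dec(parts[0]), dec(parts[1])


def token_request_body(client_id: str, client_secret: str, assertion: str) -> str:
    """x-www-form-urlencoded body for POST https://api.box.com/oauth2/token."""
    return urlencode({
        "grant_type": JWT_BEARER_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": assertion,
    })


def app_user_request(name: str) -> Dict:
    """JSON body for POST /2.0/users that creates an API-only App User."""
    return {"name": name, "is_platform_access_only": True}


def rs256_signer(private_key_pem: bytes,
                 passphrase: Optional[bytes] = None) -> Callable[[bytes], bytes]:
    """PKCS#1 v1.5 / SHA-256 signer over the key pair registered with the app."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=passphrase)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


if __name__ == "__main__":
    # Demo with a throwaway key; a real deployment uses the key pair
    # whose public key ID (kid) was uploaded to the Box app.
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pem = key.private_bytes(serialization.Encoding.PEM,
                            serialization.PrivateFormat.PKCS8,
                            serialization.NoEncryption())
    claims = build_claims("CLIENT_ID", "ENTERPRISE_ID", "enterprise")
    assertion = encode_assertion(claims, rs256_signer(pem), kid="PUBLIC_KEY_ID")
    print(token_request_body("CLIENT_ID", "CLIENT_SECRET", assertion))
    print(json.dumps(app_user_request("my-service-account")))
```

The enterprise token obtained this way is what can then call `POST /2.0/users` to create App Users and act on the enterprise's content; the "This app is not authorized by the enterprise admin" response reported above is what the token endpoint returns until the admin of the enterprise named in `sub` has authorized the app's client ID in that enterprise's Admin Console. That admin-side authorization of the client ID, rather than an OAuth grant from the admin's own user, is the step that connects a JWT app to a customer enterprise.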