Box equivalent of Google's Service Account?
Hi all,
I am in the process of utilizing the Box API to retrieve content and am wondering what options are available when it comes to secured content.
I have recently carried out the same process for Google Apps. There, I set up what is called a Google 'Service Account' with delegated access. What this essentially means is that this account can pretty much access whatever it wants to e.g. private content authored and secured to specific users. I did this via Oauth2 and the GoogleCredential class.
Is there such a user object within Box that, once configured, I could use (via Oauth2) to access all content?
Thanks so much for your time.
-
We recently released Service Accounts for our API. Here is the link to the Service Account documentation.
Another option is to authenticate as the Admin of the Box instance using OAuth2. Then you can use the access token scoped to the Admin and the As-User header to access content.
-
Thanks .
I have gone down the OAuth route but am having some difficulty. Could you advise?
I have set up a JWT. Inside the JWT I have set up all necessary fields. The problem is that I am getting the following error returned:
{"error":"invalid_grant","error_description":"Please check the 'sub' claim."}
The 'sub' value is the exact value that is shown in the Admin Console under 'Enterprise ID' so I am happy that this is correct.
The command that I am running, from the mac terminal, is :
curl https://api.box.com/oauth2/token -d 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&client_id=4354354&client_secret=4234324&assertion=eyJraWQiOiJ6MXA1NHVhbyIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJKb2UiLCJhdWQiOiJodHRwczovL2FwaS5ib3guY29tL29hdXRoMi90b2tlbiIsImJveF9zdWJfdHlwZSI6ImVudGVycHJpc2UiLCJpc3MiOiJ2bHR6bGh1bWRjcDhpMzRsY2g5OXV2bzdrMG5iM25zdCIsImV4cCI6MTQ3NDgwNDAxMCwianRpIjoieHVuaXF1ZXN0cmluZzEyMzQ1eCJ9.GSRHC9chYOE9DY5K_WvHpX4HRAtCzN6ZBdH26LCgz1gXNg7NxqLC9d_SWNc-UeUCF7lIpshxWUW0XmsIAVOvQZ0Paoaa5htXk-P8IgfgWSusO0RlBiAsUODz2zlMfX9myPNPvYCxeA4D3IA9BIf6MhIDrFm-LcSldh25gatHe5QVu7Q-U54LaREwUzYP8BWhmuVDyz9pNs_nLGIGVum7QZzlm5lBdXmd56YnWYnAr3VcPWztWpoJYQzFoBoSaErURhTDATSy21biVMwD57244U9gjp--zfakLbuqIl545Jl4qRLtZxP-TvmJgXHVTUE7O2lj2W_o8_fGbhaKK5TOcQ' -X POST
In case it is of use, here is the section of java code that goes to create the JWT. I have, of course, changed some values so that I am not sending the actual real-world values:
Map claimsMap = new HashMap();
claimsMap.put("iss", "vltzlhumdcp8i34lch99uvo7k0nb3nst");
claimsMap.put("sub", "3606919");
claimsMap.put("box_sub_type", "enterprise");
claimsMap.put("aud", "https://api.box.com/oauth2/token");
claimsMap.put("jti", "xuniquestring12345x");
claimsMap.put("exp", removed for privacy0);
Map headerMap = new HashMap();
headerMap.put("typ", "JWT");
headerMap.put("kid", "z1p54uao");
headerMap.put("alg", "RS256");
String compactJws = Jwts.builder()
.setClaims(claimsMap)
.setHeader(headerMap)
.setSubject("test")
.signWith(signatureAlgorithm, newKey)
.compact();
As you can see, I have not included the Client ID or Secret. I assume that the error is happening before this is even looked at?
Here is
Might you be able to suggest why this error is occurring?
Many thanks
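An added example, not part of the original post and not Box's code: a preflight check that decodes a JWT assertion without verifying its signature and compares its claims with the intended values before it is sent to the token endpoint. The names `check_assertion`, `EXPECTED` and `POSTED_ASSERTION` are assumptions; the header and payload segments are the ones in the curl command above, with a constructed placeholder in place of the signature.

```python
import base64
import json

# Header and payload segments as posted in the curl command; the signature is
# a constructed placeholder because this check never verifies it.
POSTED_ASSERTION = ".".join([
    "eyJraWQiOiJ6MXA1NHVhbyIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0",
    "eyJzdWIiOiJKb2UiLCJhdWQiOiJodHRwczovL2FwaS5ib3guY29tL29hdXRoMi90b2tlbiIs"
    "ImJveF9zdWJfdHlwZSI6ImVudGVycHJpc2UiLCJpc3MiOiJ2bHR6bGh1bWRjcDhpMzRsY2g5"
    "OXV2bzdrMG5iM25zdCIsImV4cCI6MTQ3NDgwNDAxMCwianRpIjoieHVuaXF1ZXN0cmluZzEy"
    "MzQ1eCJ9",
    "constructed-placeholder-signature",
])
# Claim values taken from the Java snippet in the post.
EXPECTED = {
    "iss": "vltzlhumdcp8i34lch99uvo7k0nb3nst",
    "sub": "3606919",
    "box_sub_type": "enterprise",
    "aud": "https://api.box.com/oauth2/token",
}

def decode_segment(segment):
    """Base64url-decode one JWT segment, restoring the stripped padding."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def check_assertion(token, expected, now):
    """Return (claims, problems) for an unverified JWT assertion."""
    parts = token.split(".")
    if len(parts) != 3:
        return {}, ["not a compact JWS: expected 3 dot-separated segments"]
    try:
        claims = decode_segment(parts[1])
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        return {}, [f"payload does not decode to JSON: {exc}"]
    if not isinstance(claims, dict):
        return {}, ["payload is not a JSON object"]
    problems = []
    for name, want in expected.items():
        if claims.get(name) != want:
            problems.append(
                f"{name}: token carries {claims.get(name)!r}, expected {want!r}")
    exp = claims.get("exp")
    if not isinstance(exp, int):
        problems.append("exp: missing or not an integer timestamp")
    elif exp <= now:
        problems.append(f"exp: {exp} is not in the future")
    if not claims.get("jti"):
        problems.append("jti: missing")
    return claims, problems
```

Called as `check_assertion(POSTED_ASSERTION, EXPECTED, now)` with `now` earlier than the token's `exp`, the only problem reported is `sub`: the posted token carries 'Joe' where the snippet's claims map has '3606919'.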
-
This post is fascinating to me, as we have been a Box Partner since 2008 and a Google for Work Partner almost as long. With Google Apps, there is a pretty clear divide between Apps Scripting and GCP where the Service Accounts live. Perhaps it would be helpful for a Box Employee that has knowledge to get a detailed reference to or explanation of the way the Service Account works for the Box-Salesforce Integration.