Exchange an access token for an "as-user" token?
Hey,
Is it possible to downscope a full access token for a token that behaves as another user in my enterprise? Kind of like the As-User header but built into a token.
The reason I ask is because I'd like to make app-user accounts that will become members of certain groups and I'd like to pass a token into Box UI Elements that would then display the root folder of these app-users with the correct collaboration folders & files visible.
Or is there a better approach that I missed in the docs?
-
I'm gonna rephrase for clarity:
A JWT access token seems to recognize me as my service account, now I'd like a token that recognizes me as if I were another user in the enterprise. Does something like that exist?
If it doesn't exist, what would be the best way to go about showing the root folder of an app-user in Box UI Elements? How do I even find the id of a user's root folder?
-
Totally!
The way to do this is, instead of requesting a token for your "enterprise" (aka Service Account), to request one for your user. The general gist for that can be found here: https://developer.box.com/docs/work-with-users#section-generate-a-user-access-token
Let me know what language you use and I can share more details.
-
Hello! You can get a token for your user almost exactly the same way that you would get a token for your service account. The difference is that instead of passing in the string "enterprise" and an enterprise ID, you would pass in "user" and a user ID.
Are you using an SDK to generate your JWT assertion / token right now? Or are you doing it all manually?
You can see a manual example in PHP on this page:
https://developer.box.com/docs/construct-jwt-claim-manually#section-3-create-jwt-assertion
// We will need the authenticationUrl again later,
// so it is handy to define here
$authenticationUrl = 'https://api.box.com/oauth2/token';
$claims = [
  'iss' => $config->boxAppSettings->clientID,
  'sub' => $config->enterpriseID,
  'box_sub_type' => 'enterprise',
  'aud' => $authenticationUrl,
  // This is an identifier that helps protect against
  // replay attacks
  'jti' => base64_encode(random_bytes(64)),
  // We give the assertion a lifetime of 45 seconds
  // before it expires
  'exp' => time() + 45,
  'kid' => $config->boxAppSettings->appAuth->publicKeyID
];
Where instead of filling in sub_type="enterprise" and sub=enterprise_id, you would fill in "user" and user_id.
In other words, the only change you're making is in the construction of the JWT assertion. The API call to obtain the token remains the same.
If you're using an SDK, it may prompt you just for those two variables (enterprise/enterprise_id or user/user_id), kind of like this example in our Node.JS sdk:
https://github.com/box/box-node-sdk/blob/master/docs/authentication.md#server-auth-with-jwt
var appUserClient = sdk.getAppAuthClient('user', 'YOUR-APP-USER-ID');
^ for getting a user token
var serviceAccountClient = sdk.getAppAuthClient('enterprise', 'YOUR-ENTERPRISE-ID');
Finally, all of this assumes you have both:
- Enabled the "Generate User Access Tokens" scope from the developer console / app config page
- Reauthorized the app in your admin console.
Hope that helps! Ping back if you have q's or if that works!