Downscoped tokens still have too much access
I am working on a project where I want to downscope a token to only allow uploads into a specific resource folder with no additional permissions.
I have been successful in generating the downscoped token using:
subject_token=&subject_token_type=urn:ietf:params:oauth:token-type:access_token&scope=base_upload&resource=&grant_type=urn:ietf:params:oauth:grant-type:token-exchange
With this returned token, I cannot see any folders higher than this resource; however, I am still able to view the folder contents and navigate down the folder structure.
Is there a scope that will only allow the user to use the upload_file endpoint?
Thank you,
-
Hi
At the current time the two that will be the most restrictive for your needs would be base_upload (which you're using) and item_upload. With both of those there will still be a number of other endpoints that will be enabled for deeper inspection of the content in the granted folder. Since Box's folder structures are based on a waterfall methodology, that results in what you're seeing - being able to view folder / file content underneath the folder that permissions were granted for. The only other option that I can think of would be to adjust the folder structure of where the content would be uploaded so that the sub folders are not present. I know that's not ideal in many existing cases.
On the long term side, we are discussing the options for creating more granular level scoping to restrict additional endpoints more easily. These are just discussions / research at the current time, but we do see the need to expand in that direction for more granular control of the access rights of a token.
- Jon
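The workaround suggested in the answer, uploading into a folder that has no subfolders, can be enforced as a check before the token exchange is requested. This is an added example, not part of the original thread and not Box's code; the folder tree, the ids, the `resource_url` argument and both function names are constructed for illustration, and the tree is a simplified model of the inheritance the answer describes.

```python
from urllib.parse import urlencode

# Constructed sample tree: folder id -> child ids; ids starting with "f" are files.
TREE = {
    "100": ["200", "f1"],  # parent of the current upload target
    "200": ["210", "f2"],  # existing folder currently used for uploads
    "210": ["f3", "f4"],   # subfolder with existing content
    "300": [],             # dedicated, empty drop folder
}


def exposed_items(tree, folder_id):
    """List everything beneath folder_id, i.e. what a token granted on
    that folder could still inspect according to the answer above."""
    seen, stack = [], list(tree.get(folder_id, []))
    while stack:
        item = stack.pop()
        seen.append(item)
        stack.extend(tree.get(item, []))  # files have no entry, so no children
    return sorted(seen)


def build_exchange_body(tree, folder_id, subject_token, resource_url):
    """Build the token-exchange form body from the question, but refuse
    any folder that already holds content the token would expose."""
    exposed = exposed_items(tree, folder_id)
    if exposed:
        raise ValueError(
            f"folder {folder_id} exposes {len(exposed)} item(s): {exposed}"
        )
    return urlencode({
        "subject_token": subject_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "scope": "base_upload",
        "resource": resource_url,  # caller supplies the folder's resource value
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
    })


if __name__ == "__main__":
    print(exposed_items(TREE, "200"))  # what the existing folder would expose
    print(build_exchange_body(TREE, "300", "PARENT_TOKEN_PLACEHOLDER",
                              "RESOURCE_URL_PLACEHOLDER"))
```

The check reflects the folder's state at issuance time only; files uploaded afterwards land in the same folder and are visible to the token for as long as it remains valid.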