I have a JWT app with the following settings:
I have confirmed with my box admin that these settings are authorized:
I connect to the api using the python sdk, using three different accounts, all of which do not have permission to create webhooks. The service account, an app user, and my own account using a developer token. I create the service account client as follows:
config = json.load(open('app_config.json')) CLIENT_ID = config['boxAppSettings']['clientID'] CLIENT_SECRET = config['boxAppSettings']['clientSecret'] PUBLIC_KEY_ID = config['boxAppSettings']['appAuth']['publicKeyID'] PRIVATE_KEY = config['boxAppSettings']['appAuth']['privateKey'] PASSPHRASE = config['boxAppSettings']['appAuth']['passphrase'] ENTERPRISE_ID = config['enterpriseID'] auth = JWTAuth(CLIENT_ID, CLIENT_SECRET, ENTERPRISE_ID, PUBLIC_KEY_ID,rsa_private_key_data=PRIVATE_KEY,rsa_private_key_passphrase=PASSPHRASE) auth.authenticate_instance() client = Client(auth)
I then get a client where the service account is acting on behalf of an app user I've created:
appuser = client.user(user_id='XXXXXXXXXX') appClient = client.as_user(appuser)
I then attempt to create a webhook on a folder:
folder_id = 'XXXXXXXXXX' resource = appClient.folder(folder_id=folder_id) notification_url = 'a_real_url_that_you_cant_have' hooks = ['SHARED_LINK.CREATED','SHARED_LINK.DELETED'] webhook = appClient.create_webhook(resource, hooks, notification_url)
The service account and app user were added as co-owners on the folder that is used in this call. The folder is retrieved successfully so I am assuming authorization went ok. However, no matter which client I use, the service account, the app user, or a different DevelopmentClient, the api returns the 403. Am I doing something wrong?
Please sign in to leave a comment.