Grant permission to a 3rd party application to upload files on behalf of other users
I am currently developing an application which gathers images from different sources. Some customers of mine have expressed interest in integrating my application to their box account. In the ideal world, the idea would be that the customer provides a box API key to my application that can be used to upload files to their box.
However, looking at the authentication documentation this seems not to be that straightforward.
- Client-based OAuth2 authentication does not seem to be an option as the token expires every 10 minutes; besides, my application would require server-side authentication as the uploads happen server-side. However, this seems to be the only authentication option that allows uploading files to the box of an existing box customer.
- Server-side authentication with JWT: Let's say I have created a Box Application in the developer console and I have my config.json in place. How can a user allow my application to upload files to their box? If I understand well, this seems to be more oriented for business/enterprise management rather than for interacting with other users' accounts. I do not see how I could upload files to other user accounts.
- Server-side App Token is an authentication method where the application only has access to read and write data to its own account. So this won't work either.
So the question is: How can I authenticate server-side a user and upload files to their box?
Also, what type of pricing plan would the user require in order to allow the integration of my application into box? Am I also required to have a specific type of pricing plan in order to test my integrations?
Kind regards,
Jaime
-
Hi ,
You have a few ways you could approach this. If you go for traditional OAuth 2.0 you can then have a user "log in" with Box and grant you access to write files to their Box account. This would give you a lot of access which might not be what they want, as you will be able to see and write to all their files and folders. The access token for this is valid for 60 minutes, but the refresh token is valid for 60 days, so in theory you can stay authenticated for each user indefinitely.
A better approach might be the following: your application uses JWT to upload the files to a folder owned by your app's service account. You would have a folder for each user you want to share files with, and then you collaborate that Box user into that folder. That way, you don't even need a user to authenticate with you at all. Instead, all you'd need is their email address.
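The per-customer folder approach described in the answer above, sketched as an added example that is not part of the original thread or Box's own code: it creates one folder per customer, invites only that customer's email with a read-only role, and audits the folder for any other collaborator. The `send` transport, the function names, the folder naming and the in-memory `fake_box` are assumptions made for illustration; the endpoint paths and role names are those of the Box REST API.

```python
from typing import Callable, Optional

API = "https://api.box.com/2.0"
READ_ONLY_ROLES = {"viewer", "previewer"}  # Box collaboration roles without write access

# send(method, url, json_body) -> decoded JSON. A real transport would attach the
# service account's access token; it is injected here so the example runs offline.
Send = Callable[[str, str, Optional[dict]], dict]


def provision(send: Send, customer_id: str, email: str, role: str = "viewer") -> str:
    """Create one folder per customer and invite only that customer's email."""
    if role not in READ_ONLY_ROLES:
        raise ValueError(f"role {role!r} grants more than read access")
    email = email.strip().lower()
    if email.count("@") != 1 or email.startswith("@") or email.endswith("@"):
        raise ValueError("not a usable email address")
    # Parent id "0" is the root of the account making the call (the service account).
    folder = send("POST", f"{API}/folders",
                  {"name": f"customer-{customer_id}", "parent": {"id": "0"}})
    send("POST", f"{API}/collaborations",
         {"item": {"type": "folder", "id": folder["id"]},
          "accessible_by": {"type": "user", "login": email},
          "role": role})
    return folder["id"]


def audit(send: Send, folder_id: str, expected_email: str) -> list:
    """Return collaborations that are not the expected read-only invite."""
    listing = send("GET", f"{API}/folders/{folder_id}/collaborations", None)
    return [c for c in listing["entries"]
            if (c["accessible_by"].get("login") or "").lower() != expected_email.lower()
            or c["role"] not in READ_ONLY_ROLES]


def fake_box() -> Send:
    """Constructed in-memory stand-in for the Box API (not real responses)."""
    collabs = {}

    def send(method, url, body):
        if method == "POST" and url.endswith("/folders"):
            folder_id = str(1000 + len(collabs))
            collabs[folder_id] = []
            return {"id": folder_id}
        if method == "POST" and url.endswith("/collaborations"):
            collabs[body["item"]["id"]].append(
                {"accessible_by": body["accessible_by"], "role": body["role"]})
            return {"status": "pending"}
        return {"entries": collabs[url.split("/")[-2]]}
    return send
```

Running `audit` on a schedule for each customer folder catches a collaborator from another customer, or a role that allows writes, before files are uploaded there.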
-
I'm working on a very similar setup and came to basically the same conclusion as what you stated. But I have one follow-up question: if you use the approach that you propose, you would be limited by the size of your Box account, right?
So if my app uploads 100GB to a folder that Company A is a collaborator on, and 100GB to a folder that Company B is a collaborator on, etc, I would eventually max out my allotted data, right?