JWT token - does not access BOX account
I am trying to use BOX content APIs to find and download content from BOX from an external app.
The idea is to use my custom app to search and retrieve content from BOX, for example take an HTML file and load it to a local or cloud platform/system. So the BOX part, from what I can tell, should work like this:
- create a BOX app using OAuth 2.0 with JWT
- create and sign a JWT
- use this JWT as an assertion and request a token (https://api.box.com/oauth2/token)
- use that token to perform requests (such as /2.0/search), specifying the token in the Authorization header for calls
Using this method and then performing requests... it returns the expected data when using the developer token, but not when generating the token. For example, I search for a file that I know exists...
JSON result using app generated token:
{ "total_count": 0, "entries": [], "limit": 30, "offset": 0 }
Using developer or BOX UI auth
{ "total_count": 73, "entries": [ { "type": "file", "id": "] ...tons of data here :)... } ], "limit": 30, "offset": 0 }
-
Hi kendomen
Thanks for the reply.
Good question.
To eliminate app permissions being the issue, I have checked that and every permission. I tried creating app users and using their tokens, also without success.
Below settings, all checked:
- Content: Read and write all files and folders stored in Box
- Enterprise: Manage enterprise, Manage users, Manage app users, Manage groups, Manage enterprise properties, Manage retention policies, Manage webhooks v2
- Select the set of scopes you will request users authorize when using your app
- Advanced Features: Perform actions on behalf of users, Generate access tokens for users
-
Also a good thought. I checked and it was authorized. I reauthorized, tried the API calls, and got the same issue.
-
Good afternoon kp,
I would say that, given that you do not receive an error but an empty array of results, everything is correctly set up.
So... where is your problem? Basically, I think it is related to the user you are using or the authentication method. There are the Enterprise and the User authentication modes. I understand that you are using the second one with a technical user, is that right? Is the technical user assigned to any of the folders where you want to find content? If the user is not added at least as a previewer, no result will be found.
Thanks
-
Hello kp,
basically, if you have created an App User it will have an ID that is an autogenerated mail like this one:
AppUser_000000_j0f0Z0RAS4 (at) boxdevedition (dot) com
That mail can be used like any other user's, so you go to any folder with your account, click add collaborator and paste that mail account with the desired privileges. That user will then be able to do any action it is allowed to.
Hope this helps.
-
Hallelujah, that works - thanks!
I really don't understand, though, how this is meant to work. The API does not let you assign permissions to the objects in the BOX account itself. So you would have to either make the user load stuff through your API itself to ever access it... or work around the process itself by creating the app user and adding that user to the folders you want in scope.
Do you know if there is a way to just add the app itself, vs. an app user, as a collaborator? Or add a group (as collaborator) and then add the user to the group?
-
Hello Kp!
I am glad that we hit the right key 😉
I understand that there are two ways to face this situation, as you said:
- The app user is the one with the control. So, with this user you create folders and invite collaborators with different roles, the App User being the Owner of those folders.
- The app user has to be invited because it is not the owner. As you said, you can add the app user to a group, and then, as any other user, it will have access only to what it has to have access to.
Probably, the real situation can end up being a hybrid.
I think that what really matters in this aspect is this piece of configuration:
If the application has enterprise access then it can access everything, in theory.
If you have chosen Application, then it behaves as a regular user: it can create stuff in its own account but has to be invited to do things on folders of others.
Regards
-
Just to add... I thought some of these ideas were a strange way to manage permissions, since they ignored the ACL and permissions already in BOX.
A BOX support person suggested adding the As-User header (https://docs.box.com/reference#as-user-1), which turns out to be exactly what I need here.
- Generate the token using "box_sub_type=enterprise"
- Assuming that your app is being used by a BOX user... and you know which user that is, get that user's id
- Make calls (where needed) using that user's id in the As-User header
The API will use the already established BOX file permissions.
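An added example, not code from the thread or from Box, that puts the steps of the original post and of this As-User answer together: it builds the JWT assertion claims, checks an assertion before it is sent (a common cause of a rejected token exchange), builds the token request for https://api.box.com/oauth2/token, and builds a /2.0/search request with or without the As-User header. The claim names beyond box_sub_type (iss, sub, aud, jti, exp) and the jwt-bearer grant_type are taken from Box's JWT documentation, not from the thread. The HS256 signer is a labelled stand-in so the block runs offline with only the standard library; Box accepts only RS256/RS384/RS512 signatures made with a private key whose public key is registered on the app. All ids and secrets below are constructed values. Nothing here performs a network call; the functions return the URL, headers and body a client would send.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

TOKEN_URL = "https://api.box.com/oauth2/token"  # token endpoint named in the thread
API_BASE = "https://api.box.com/2.0"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_claims(client_id, subject_id, sub_type, now=None, lifetime=45):
    """Claim set for a Box JWT assertion (claim names per Box's JWT docs, not the thread).

    sub_type "enterprise" yields a service-account token (the one As-User needs);
    "user" yields a token acting as that single app user, which is why the search
    came back empty until the app user was made a collaborator on the folders.
    """
    if sub_type not in ("enterprise", "user"):
        raise ValueError("box_sub_type must be 'enterprise' or 'user'")
    if not 1 <= lifetime <= 60:  # Box rejects assertions valid for more than 60 s
        raise ValueError("exp must be at most 60 seconds in the future")
    now = int(time.time()) if now is None else int(now)
    return {
        "iss": client_id,              # the app's client ID
        "sub": subject_id,             # enterprise ID or app-user ID, matching box_sub_type
        "box_sub_type": sub_type,
        "aud": TOKEN_URL,
        "jti": secrets.token_hex(16),  # 32-char single-use id; Box requires 16-128 chars
        "exp": now + lifetime,
    }


def sign_assertion(claims, signing_key: bytes):
    """Serialise and sign the assertion.

    STAND-IN: HS256 (HMAC) keeps this runnable offline with the standard library.
    A real Box client replaces this signer with RS256 over the registered key pair;
    the header.claims.signature layout is identical.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    signing_input = b64url(compact(header)) + "." + b64url(compact(claims))
    sig = hmac.new(signing_key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def inspect_assertion(token, now=None):
    """Decode (without verifying) and sanity-check an assertion before sending it.

    Returns (claims, problems); problems lists reasons Box would reject the
    assertion, such as an expired or over-long exp window or a bad jti.
    """
    _header_b64, claims_b64, _sig = token.split(".")
    claims = json.loads(b64url_decode(claims_b64))
    now = int(time.time()) if now is None else int(now)
    problems = []
    if claims.get("aud") != TOKEN_URL:
        problems.append("aud is not the token endpoint")
    if claims.get("box_sub_type") not in ("enterprise", "user"):
        problems.append("box_sub_type missing or invalid")
    if claims.get("exp", 0) <= now:
        problems.append("assertion already expired (check clock skew)")
    elif claims["exp"] - now > 60:
        problems.append("exp more than 60 s ahead")
    if not 16 <= len(str(claims.get("jti", ""))) <= 128:
        problems.append("jti must be 16-128 characters")
    return claims, problems


def token_request(client_id, client_secret, assertion):
    """Form body for POST https://api.box.com/oauth2/token (jwt-bearer grant)."""
    body = {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": assertion,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL, headers, urlencode(body)


def search_request(access_token, query, as_user_id=None, limit=30):
    """GET /2.0/search with the bearer token; As-User makes Box apply that user's ACL.

    Without As-User the enterprise token acts as the service account, which sees
    only folders it owns or was invited to, hence the total_count of 0 above.
    """
    headers = {"Authorization": "Bearer " + access_token}
    if as_user_id is not None:
        headers["As-User"] = str(as_user_id)
    url = API_BASE + "/search?" + urlencode({"query": query, "limit": limit})
    return url, headers
```

Use `inspect_assertion` on the exact string you are about to POST: a clock that is a minute off, or a lifetime copied from another OAuth provider, produces a token-endpoint error that looks like a bad key, and this check separates the two before the key is suspected.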
-
I have tried this approach and hit a wall. My Application access is set to Enterprise, my code sets the 'box_sub_type' property to 'enterprise', and I have also authorized the app in Enterprise settings with all permissions, but every time I set the header 'As-User: xxxxx' I get the error
Bearer realm="Service", error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token."
If I don't set the header then I get an empty list of folders.
The accepted answer is OK; I haven't tried it as yet, mainly because I think your solution should be the correct one.
Do you have any suggestions on what else can I try?
Kind Regards
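An added example, not part of the thread, for telling the two failure modes in this thread apart from the response alone: it parses the `WWW-Authenticate: Bearer ...` challenge quoted above into its parameters and maps the `insufficient_scope` error (with As-User sent) and the empty result (without As-User) to the checks the earlier posts identify: an enterprise-type token, the "Perform actions on behalf of users" advanced feature, re-authorization after scope changes, and the service account's own collaborations. The status codes and header value used in the checklist are constructed to match the symptoms described; the parser itself is a generic RFC 6750 challenge parser.

```python
import re

# key="quoted value" pairs; the value may contain backslash-escaped quotes
_AUTH_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*"((?:[^"\\]|\\.)*)"')


def parse_bearer_challenge(header_value):
    """Parse a WWW-Authenticate Bearer challenge into a dict of its parameters.

    Returns None when the scheme is not Bearer. Box puts the OAuth error code in
    `error` and a human-readable reason in `error_description`.
    """
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    return {k.lower(): v.replace('\\"', '"') for k, v in _AUTH_PARAM.findall(params)}


def diagnose_box_response(status, www_authenticate, as_user_sent, total_count=None):
    """Map the two symptoms from this thread to what to check next.

    Returns a list of checklist strings; an empty list means nothing in the
    response matches either symptom. The checklist items are taken from the
    thread's own posts (scopes, re-authorization, collaborator membership).
    """
    if status == 401:
        challenge = parse_bearer_challenge(www_authenticate or "") or {}
        if challenge.get("error") == "insufficient_scope" and as_user_sent:
            return [
                "token must be a service-account token: assertion signed with box_sub_type=enterprise",
                "app must have 'Perform actions on behalf of users' enabled under Advanced Features",
                "re-authorize the app in the enterprise admin settings after changing scopes",
            ]
        return ["token rejected: " + challenge.get("error_description", www_authenticate or "")]
    if status == 200 and total_count == 0 and not as_user_sent:
        return ["no As-User header: the service account only sees folders it owns or is a collaborator on"]
    return []
```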