JWT service account: how to generate access tokens for individual user accounts

New post

July 20, 2017 04:21

According to the docs, a service account allows to "generate OAuth 2.0 access tokens for individual user accounts, instead of going through the normal OAuth 2.0 flow."

I am unable to find any documentation on how to achieve this, i.e. given I've setup JWT authentication with the "generate access tokens" permissions, an enterprise admin has authorized my app, and there's a user account X belonging to that enterprise, I want to generate an access token that gives me files read/write access just for account X (so, identical to a user token that I would retrieve from account X if I had the account owner go through the normal Oauth2 flow)

I see there's a new "Tokens Exchange" functionality which I suppose I should use to get a properly scoped access token out of my service account token, but I see no way to specify the account that I want the new token to be valid for

Comments

4 comments

kendomen

July 20, 2017 06:47

Here's a java example for getting a managed user.

public static void main(String[] args) throws Exception {

        File keyFile = new File(PRIVATE_KEY_FILE);
        byte[] fileData = new byte[(int) keyFile.length()];
        DataInputStream dis = new DataInputStream(new FileInputStream(keyFile));
        dis.readFully(fileData);
        dis.close();

        String privateKey = new String(fileData);

        JWTEncryptionPreferences encryptionPref = new JWTEncryptionPreferences();
        encryptionPref.setPublicKeyID(PUBLIC_KEY_ID);
        encryptionPref.setPrivateKey(privateKey);
        encryptionPref.setPrivateKeyPassword(PRIVATE_KEY_PASSWORD);
        encryptionPref.setEncryptionAlgorithm(EncryptionAlgorithm.RSA_SHA_256);

        IAccessTokenCache accessTokenCache = new InMemoryLRUAccessTokenCache(MAX_CACHE_ENTRIES);

        BoxDeveloperEditionAPIConnection api = BoxDeveloperEditionAPIConnection.getAppEnterpriseConnection(
                ENTERPRISE_ID, CLIENT_ID, CLIENT_SECRET, encryptionPref, accessTokenCache);

        BoxUser.Info userInfo = BoxUser.getCurrentUser(api).getInfo();
        System.out.format("Welcome, %s!\n\n", userInfo.getName());

        Iterable managedUsers = BoxUser.getAllEnterpriseUsers(api, "ken.domen@nike.com");
        for (BoxUser.Info managedUser : managedUsers) {
            System.out.println(managedUser.getName() + " " + managedUser.getStatus());
            if (managedUser.getStatus().equals(BoxUser.Status.ACTIVE)) {

                // BoxDeveloperEditionAPIConnection. getAppUserConnection() is used to get AppUser or ManagedUser
                // in this example, I'm getting a managedUser (ken.domen@nike.com)
                BoxDeveloperEditionAPIConnection userApi = BoxDeveloperEditionAPIConnection.getAppUserConnection(managedUser.getID(), CLIENT_ID, CLIENT_SECRET, encryptionPref, accessTokenCache);

                BoxFolder boxFolder = new BoxFolder(userApi, "0");
                Iterable items = boxFolder.getChildren();
                for (BoxItem.Info item : items) {
                    if (item instanceof BoxFile.Info) {
                        BoxFile.Info fileInto = (BoxFile.Info) item;
                        System.out.println("\t" + item.getName());
                    }
                }
            }
        }
    }

dtheodor

July 27, 2017 08:37
Um ok. I suppose if I dig into the Java SDK implementation I will find out how to construct the appropriate HTTP calls? And this snippet gets a personal user token out of a service account token right?
0

Comment actions Permalink
camporesi

July 28, 2017 01:17
I'm running the same code and it works for all the AppUser, but returns error 400 for the managed Users.

JAvadoc says that method getAppUserConnection is for AppUser only.

Should it work also for managed users ?
0

Comment actions Permalink
kendomen

July 28, 2017 07:28
Yes it works for managed users as well. Do you have "Perform Actions as Users" enabled?
0

Comment actions Permalink

Please sign in to leave a comment.