JWT service account: how to generate access tokens for individual user accounts
According to the docs, a service account allows to "generate OAuth 2.0 access tokens for individual user accounts, instead of going through the normal OAuth 2.0 flow."
I am unable to find any documentation on how to achieve this, i.e. given I've set up JWT authentication with the "generate access tokens" permissions, an enterprise admin has authorized my app, and there's a user account X belonging to that enterprise, I want to generate an access token that gives me files read/write access just for account X (so, identical to a user token that I would retrieve from account X if I had the account owner go through the normal OAuth2 flow).
I see there's a new "Token Exchange" functionality which I suppose I should use to get a properly scoped access token out of my service account token, but I see no way to specify the account that I want the new token to be valid for.
-
Here's a java example for getting a managed user.
import com.box.sdk.*;
import java.io.DataInputStream;
import java.io.File;
import java.io.FileInputStream;

public class ManagedUserExample {
    // Placeholders: fill in with your own app's values.
    private static final String PRIVATE_KEY_FILE = "<path-to-private-key.pem>";
    private static final String PRIVATE_KEY_PASSWORD = "<private-key-password>";
    private static final String PUBLIC_KEY_ID = "<public-key-id>";
    private static final String ENTERPRISE_ID = "<enterprise-id>";
    private static final String CLIENT_ID = "<client-id>";
    private static final String CLIENT_SECRET = "<client-secret>";
    private static final int MAX_CACHE_ENTRIES = 100;

    public static void main(String[] args) throws Exception {
        // Read the PEM-encoded private key that belongs to the JWT app
        File keyFile = new File(PRIVATE_KEY_FILE);
        byte[] fileData = new byte[(int) keyFile.length()];
        DataInputStream dis = new DataInputStream(new FileInputStream(keyFile));
        dis.readFully(fileData);
        dis.close();
        String privateKey = new String(fileData);

        JWTEncryptionPreferences encryptionPref = new JWTEncryptionPreferences();
        encryptionPref.setPublicKeyID(PUBLIC_KEY_ID);
        encryptionPref.setPrivateKey(privateKey);
        encryptionPref.setPrivateKeyPassword(PRIVATE_KEY_PASSWORD);
        encryptionPref.setEncryptionAlgorithm(EncryptionAlgorithm.RSA_SHA_256);

        IAccessTokenCache accessTokenCache = new InMemoryLRUAccessTokenCache(MAX_CACHE_ENTRIES);

        // Enterprise (service account) connection, used here to look up users
        BoxDeveloperEditionAPIConnection api = BoxDeveloperEditionAPIConnection.getAppEnterpriseConnection(
                ENTERPRISE_ID, CLIENT_ID, CLIENT_SECRET, encryptionPref, accessTokenCache);
        BoxUser.Info userInfo = BoxUser.getCurrentUser(api).getInfo();
        System.out.format("Welcome, %s!\n\n", userInfo.getName());

        Iterable<BoxUser.Info> managedUsers = BoxUser.getAllEnterpriseUsers(api, "ken.domen@nike.com");
        for (BoxUser.Info managedUser : managedUsers) {
            System.out.println(managedUser.getName() + " " + managedUser.getStatus());
            if (managedUser.getStatus().equals(BoxUser.Status.ACTIVE)) {
                // BoxDeveloperEditionAPIConnection.getAppUserConnection() is used to get an AppUser or ManagedUser connection
                // in this example, I'm getting a managedUser (ken.domen@nike.com)
                BoxDeveloperEditionAPIConnection userApi = BoxDeveloperEditionAPIConnection.getAppUserConnection(
                        managedUser.getID(), CLIENT_ID, CLIENT_SECRET, encryptionPref, accessTokenCache);
                // Calls made through userApi act as that user: list the files in the user's root folder
                BoxFolder boxFolder = new BoxFolder(userApi, "0");
                Iterable<BoxItem.Info> items = boxFolder.getChildren();
                for (BoxItem.Info item : items) {
                    if (item instanceof BoxFile.Info) {
                        BoxFile.Info fileInfo = (BoxFile.Info) item;
                        System.out.println("\t" + fileInfo.getName());
                    }
                }
            }
        }
    }
}
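The Java answer above leans on the SDK to do the real work: getAppUserConnection() mints a JWT assertion whose subject is the user's ID rather than the enterprise ID, and exchanges it for a token that acts as that user. The following Python block is an added example, not code from this thread or from Box's SDK, that shows that assertion being built and checked. The claim names (iss, sub, box_sub_type, aud, jti, exp), the audience URL and the jwt-bearer grant type follow Box's JWT documentation as I know it and are not taken from this page; the RSA signing is a deliberately small PKCS#1 v1.5 implementation with a throwaway key so the block runs offline, and all IDs are constructed placeholders. A real app signs with the private key from the Box developer console through a vetted JWT library.

```python
import base64
import hashlib
import json
import secrets
import time
import urllib.parse

BOX_TOKEN_URL = "https://api.box.com/oauth2/token"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
# ASN.1 DigestInfo prefix for SHA-256 (PKCS#1 v1.5 signatures)
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Minimal RS256 (RSA PKCS#1 v1.5 + SHA-256) so the block runs offline. ---
# Toy key material for demonstration only (assumption: a real app uses the
# key pair generated in the Box developer console via a vetted library).
def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_toy_rsa_key(bits: int = 1024) -> dict:
    e = 65537
    while True:
        p = q = 0
        while not _is_probable_prime(p):
            p = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        while not _is_probable_prime(q):
            q = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def _pkcs1_encode(n: int, message: bytes) -> bytes:
    k = (n.bit_length() + 7) // 8
    t = SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rs256_sign(key: dict, message: bytes) -> bytes:
    em = _pkcs1_encode(key["n"], message)
    return pow(int.from_bytes(em, "big"), key["d"], key["n"]).to_bytes(len(em), "big")


def rs256_verify(key: dict, message: bytes, signature: bytes) -> bool:
    em = _pkcs1_encode(key["n"], message)
    if len(signature) != len(em):
        return False
    got = pow(int.from_bytes(signature, "big"), key["e"], key["n"]).to_bytes(len(em), "big")
    return secrets.compare_digest(got, em)


def _compact_json(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def build_box_assertion(client_id, subject_id, subject_type, key_id, key, now=None) -> str:
    """Mint the JWT that Box exchanges for an access token. subject_type "enterprise"
    gives the service-account token; "user" with a managed/app user's ID gives a
    token that acts as that user (what getAppUserConnection() does under the hood)."""
    if subject_type not in ("enterprise", "user"):
        raise ValueError("box_sub_type must be 'enterprise' or 'user'")
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "kid": key_id}
    claims = {
        "iss": client_id,               # the app's client ID
        "sub": str(subject_id),         # enterprise ID or user ID
        "box_sub_type": subject_type,
        "aud": BOX_TOKEN_URL,
        "jti": secrets.token_hex(16),   # unique per assertion, limits replay
        "exp": now + 45,                # Box rejects exp more than 60 s out
    }
    signing_input = _compact_json(header) + "." + _compact_json(claims)
    return signing_input + "." + _b64url(rs256_sign(key, signing_input.encode("ascii")))


def token_request_body(assertion: str, client_id: str, client_secret: str) -> str:
    """Form body for POST https://api.box.com/oauth2/token."""
    return urllib.parse.urlencode({"grant_type": JWT_BEARER_GRANT, "client_id": client_id,
                                   "client_secret": client_secret, "assertion": assertion})


def inspect_assertion(assertion: str, public_key: dict, now=None) -> dict:
    """Pre-flight check before the assertion leaves the process: signature,
    audience, the 60-second expiry window and a recognised subject type."""
    now = int(time.time()) if now is None else now
    header_b64, claims_b64, sig_b64 = assertion.split(".")
    if not rs256_verify(public_key, f"{header_b64}.{claims_b64}".encode("ascii"), _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("aud") != BOX_TOKEN_URL:
        raise ValueError("wrong audience")
    if not now < claims.get("exp", 0) <= now + 60:
        raise ValueError("exp must be in the future and at most 60 s out")
    if claims.get("box_sub_type") not in ("enterprise", "user"):
        raise ValueError("unknown box_sub_type")
    return claims


if __name__ == "__main__":
    key = generate_toy_rsa_key()
    # Constructed placeholders, not real Box identifiers.
    svc = build_box_assertion("<client-id>", "<enterprise-id>", "enterprise", "<public-key-id>", key)
    usr = build_box_assertion("<client-id>", "<user-id>", "user", "<public-key-id>", key)
    for assertion in (svc, usr):
        c = inspect_assertion(assertion, key)
        print(c["box_sub_type"], "->", c["sub"])
    print(token_request_body(usr, "<client-id>", "<client-secret>")[:80], "...")
```

The only difference between the service-account assertion and the per-user one is the sub / box_sub_type pair, which is why the SDK can expose both as getAppEnterpriseConnection() and getAppUserConnection() over the same key. The short exp window and the unique jti are what keep a leaked assertion from being useful for long, so inspect_assertion() refuses anything outside those bounds before the token request is even sent.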