Level up your Box knowledge with brand new learning paths on Box University. Visit training.box.com to get started

Confused regarding OAuth2 or Oauth with JWT, and restricting access to user

Answered
New post

Comments

2 comments

  • Jason

    Hi ,

     

    This is a great question! What you're looking for is probably best done via Server Authentication (OAuth2 with JWT), using Application Access. 

     

    If you were to restrict access on Box side of things via Developer Console Settings, only Server Auth restricts a particular app (Client ID) to make calls for:

    1. Its Service Account, created when the app is authorized in the Admin Console
    2. Its App Users
    3. and no one else

    On the other hand, if you were to use Standard Authentication, there's not a way to restrict (whitelist) which users can get access tokens with your App when using Standard OAuth2. 

     

    One note that might help you here is the fact that there's two things that Box always checks for access:

    1. The App's scopes (users/files/folders/enterprise settings/etc)
    2. The User's "Point of View" with respect to collaborations

    You don't necessarily have to restrict everything from the App's side of things via scopes. Your Service Account/App Users will have their own access control based on their collaborations, and taking advantage of the ability to have multiple users is the recommended way to handle permissions. For example, if you created an App User under the Service Account (generally best practice to not use service accounts for storage), that app user would only ever have access to its own folder structure, and your application's code (using the client ID configured on Box to be restricted to Application Access only) would only ever have access to get tokens for your app user. 

     

    Hopefully that helps and enlightens things some!

     

    Thanks,

    Jason

     

    0
    Comment actions Permalink
  • Vancoding

    Very helpful, as I was fairly certain I understood application permissions, but your answer helped me dive in a bit deeper and code up some tests to verify that collaborative permissions rule in the end. Thanks again!

    0
    Comment actions Permalink

Please sign in to leave a comment.