Java SDK - getting a 403 error when trying to list files as a user with the "login verification" option

11 comments

  • mwiller

     Could you provide a bit more detail about the 403 error you're seeing?  If possible, pasting the full error response (minus any sensitive information) would be very helpful to troubleshoot exactly what the issue is.

  • mklinchin

    Sure. I have two Box co-admin accounts, one with 2-factor authentication and the other without. In debug I got the access token and ran the "curl" command. These are my results:

    //First test for the account without 2-factor authentication:

    ##get list files for co-admin
    curl "https://api.box.com/2.0/folders/0/items?limit=100&offset=0" -H @{"Authorization"="Bearer /*myAccessCode*/"}


    StatusCode        : 200
    StatusDescription : OK
    Content           : {"total_count":30,"entries":[{"type":"folder","id":"4***phone number removed for privacy***","sequence_id":"0","etag":"0","name":"..boxtestfor bryan.."},{"type":"folder","id":"4***phone number removed for privacy***","sequence_id":"0","etag":"0","name":"00...
    RawContent        : HTTP/1.1 200 OK
                        Strict-Transport-Security: max-age=31536000
                        Vary: Accept-Encoding
                        BOX-REQUEST-ID: 0f54smhsrcesrcpm7htkks8tcht
                        Age: 1
                        Transfer-Encoding: chunked
                        Connection: keep-alive
                        Cache-Cont...
    Forms             : {}
    Headers           : {[Strict-Transport-Security, max-age=31536000], [Vary, Accept-Encoding], [BOX-REQUEST-ID, 0f54smhsrcesrcpm7htkks8tcht], [Age, 1]...}
    Images            : {}
    InputFields       : {}
    Links             : {}
    ParsedHtml        : mshtml.HTMLDocumentClass
    RawContentLength  : 3315

    ##get list files for user with id-24901550**
    curl "https://api.box.com/2.0/folders/0/items?limit=100&offset=0" -H @{"Authorization"="Bearer /*MyAccessToken*/"; "AS-User"="24901550**"}


    StatusCode        : 200
    StatusDescription : OK
    Content           : {"total_count":6,"entries":[{"type":"folder","id":"3***phone number removed for privacy***","sequence_id":"0","etag":"0","name":"Folder 1"},{"type":"folder","id":"3***phone number removed for privacy***","sequence_id":"0","etag":"0","name":"Folder 2"},{"ty...
    RawContent        : HTTP/1.1 200 OK
                        Strict-Transport-Security: max-age=31536000
                        Vary: Accept-Encoding
                        BOX-REQUEST-ID: 0c9482vdr3rdctht1nq4ktgsl95
                        Age: 0
                        Transfer-Encoding: chunked
                        Connection: keep-alive
                        Cache-Cont...
    Forms             : {}
    Headers           : {[Strict-Transport-Security, max-age=31536000], [Vary, Accept-Encoding], [BOX-REQUEST-ID, 0c9482vdr3rdctht1nq4ktgsl95], [Age, 0]...}
    Images            : {}
    InputFields       : {}
    Links             : {}
    ParsedHtml        : mshtml.HTMLDocumentClass
    RawContentLength  : 683

    ==================================================

    Now the same test for the user with 2-factor authentication:

    curl "https://api.box.com/2.0/folders/0/items?limit=100&offset=0" -H @{"Authorization"="Bearer /*myAccessToken*/"}


    StatusCode        : 200
    StatusDescription : OK
    Content           : {"total_count":45,"entries":[{"type":"folder","id":"***number removed for privacy***38","sequence_id":"2","etag":"2","name":"01"},{"type":"folder","id":"2***phone number removed for privacy***","sequence_id":"1","etag":"1","name":"02"},{"type":"folder...
    RawContent        : HTTP/1.1 200 OK
                        Strict-Transport-Security: max-age=31536000
                        Vary: Accept-Encoding
                        BOX-REQUEST-ID: 0tkinn03h2mn23gufe8r4nhg5qq
                        Age: 0
                        Transfer-Encoding: chunked
                        Connection: keep-alive
                        Cache-Cont...
    Forms             : {}
    Headers           : {[Strict-Transport-Security, max-age=31536000], [Vary, Accept-Encoding], [BOX-REQUEST-ID, 0tkinn03h2mn23gufe8r4nhg5qq], [Age, 0]...}
    Images            : {}
    InputFields       : {}
    Links             : {}
    ParsedHtml        : mshtml.HTMLDocumentClass
    RawContentLength  : 7012

    ##get list files for user with id-24901550**
    curl "https://api.box.com/2.0/folders/0/items?limit=100&offset=0" -H @{"Authorization"="Bearer /*myAccessToken*/"; "AS-User"="24901550**"}
    curl : The remote server returned an error: (403) Forbidden.
    At line:1 char:1
    + curl "https://api.box.com/2.0/folders/0/items?limit=100&offset=0" -H  ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
        + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

    My Java application catches an exception:

    com.box.sdk.BoxAPIException: The API returned an error code: 403
    {"type":"error","status":403,"code":"access_denied_insufficient_permissions","help_url":"http:\/\/developers.box.com\/docs\/#errors","message":"Access denied - insufficient permission","request_id":"dj3krtfpew8uiblf"}
        at com.box.sdk.BoxAPIResponse.<init>(BoxAPIResponse.java:84)
        at com.box.sdk.BoxJSONResponse.<init>(BoxJSONResponse.java:32)
        at com.box.sdk.BoxAPIRequest.trySend(BoxAPIRequest.java:541)
        at com.box.sdk.BoxAPIRequest.send(BoxAPIRequest.java:319)
        at com.box.sdk.BoxAPIRequest.send(BoxAPIRequest.java:294)
        at com.box.sdk.JSONIterator.loadNextPage(JSONIterator.java:74)
        at com.box.sdk.JSONIterator.loadNextJsonObject(JSONIterator.java:90)
        at com.box.sdk.JSONIterator.hasNext(JSONIterator.java:32)
        at com.box.sdk.BoxItemIterator.hasNext(BoxItemIterator.java:28)

    P.S. All accounts have the same properties and permissions except 2-factor authentication.

    P.P.S. Today I updated the Box SDK to the latest 2.15.0 and the problem is still present.

  • mwiller

     Thank you for the detailed report — it was really helpful to see what was going on!  I notice that the error seems to only occur when you try to use the As-User header with the Service Account.  In the Box Developer Console, have you toggled on the "Perform Actions as Users" feature?  This is necessary to use the As-User header in your application, and changing it requires you to reauthorize the application in the enterprise you're working in — the enterprise admin needs to re-approve the new permissions.  See the screenshot below for the toggle I'm talking about — it should be in the "on" position as shown:

    [Screenshot: Screen Shot 2018-03-16 at 8.34.30 PM.png, showing the "Perform Actions as Users" toggle in the Developer Console]

  • mklinchin

     As I understand it, this option is enabled for applications with the "OAuth 2.0 with JWT (Server Authentication)" authentication method. But for accounts with 2-factor authentication I use another app with "Standard OAuth 2.0 (User Authentication)", because I have to open a browser window to let the user complete his second authentication.

  • mwiller

     I'm not sure that the two different apps with different authentication methods are really required in this scenario — your JWT app should be able to generate tokens or use As-User to act as any user, even ones with 2-factor authentication.  Since the JWT app is authenticated by a private key that is never transmitted over the Internet, and is authorized by the enterprise administrator, it should actually be significantly more secure than the user's own username and password.  If you use the JWT app to generate tokens or use As-User for the required user, does that work for you?

  • mklinchin

    Let me try to explain; forget the two Box apps (in my application I just let the user choose what type of authentication to use, my application or the browser). This problem is present when the user authenticates with the browser.

    So, the user wants to log in with the browser: I open a browser window in my application and let the user enter his credentials, pass the second verification, and grant access. After that I get the access code from the browser and authenticate the SDK with this code, and finally I get a 403 error when I try to use the "As-User" header. But when the user does the same with an account without 2-factor authentication, everything works fine.

  • mwiller

     If you're using the standard OAuth2 app instead of the JWT app, the access token you get allows you to act as the user who logged in, which is going to be different than the JWT app Service Account.  The Service Account has permission to use As-User, but the user who logged in via OAuth2 by typing in their credentials might not.  If the user logged in via OAuth2, you already have an access token that authenticates as that user — you should be able to get the list of their files without using the As-User header, since with that access token you already are that user.  If you remove the As-User header when you're using the OAuth2 app, does that work for you?

  • mklinchin

    I know; if I remove the "As-User" header it retrieves the files of the logged-in user. But this user is the service account, and I can log in as other users from the web, but not from my app. If you look at my post with the console requests, you will see that the first request is without the "As-User" header, and the second one, with this header, gets a 403 error. The account that I use is the service account; from the web it works fine, and when I disable 2-factor authentication it works from the app too, but when I enable 2-factor authentication again, it stops working. So, in my case the Box Java API has a problem with the following combination: service account with 2-factor authentication, OAuth2 authentication type, "As-User" header. I may be wrong, but other things work fine.

  • mwiller

     I'm a bit confused about what exactly you're trying to do here — could you explain a little more what your setup is?  Specifically, when you say you're logging in as the Service Account through traditional OAuth2 authentication, that should not be possible.  The Service Account is tied to the JWT authentication app, and does not have a username and password to log in via the web UI.  You should be able to verify this by making a GET call to https://api.box.com/2.0/users/me when you're authenticated as the JWT app and then again when you're authenticated as the standard OAuth2 app — the login field for the JWT app should be something like "AutomationUser_@boxdevedition.com" and your OAuth2 app should give back a real email address for one of the users in your enterprise.  Can you give that a try and let me know if it comes back correctly?

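The /users/me identity check suggested above, followed by the root-folder listing with and without As-User that fails in the question, as an added Box Java SDK example (not code from the thread; the token and user id are placeholders you supply):

```java
import com.box.sdk.BoxAPIConnection;
import com.box.sdk.BoxAPIException;
import com.box.sdk.BoxFolder;
import com.box.sdk.BoxItem;
import com.box.sdk.BoxUser;

public class AsUserCheck {
    // Placeholders (assumed): an access token from either app, and the target user's numeric id.
    static final String ACCESS_TOKEN = "<ACCESS_TOKEN_PLACEHOLDER>";
    static final String TARGET_USER_ID = "<USER_ID_PLACEHOLDER>";

    // Report whom the token (plus any As-User header) authenticates as. A JWT app
    // should show an AutomationUser_... login; an OAuth2 app shows the real user's email.
    static String whoAmI(BoxAPIConnection api) {
        try {
            BoxUser.Info me = BoxUser.getCurrentUser(api).getInfo("id", "login");
            return me.getID() + " (" + me.getLogin() + ")";
        } catch (BoxAPIException e) {
            return "error HTTP " + e.getResponseCode() + ": " + e.getResponse();
        }
    }

    // Count the root folder's children; on failure log the Box error body and return -1.
    // The body's "code" field (e.g. access_denied_insufficient_permissions) tells a
    // missing As-User entitlement apart from an invalid or expired token.
    static int countRootItems(BoxAPIConnection api, String label) {
        try {
            int n = 0;
            for (BoxItem.Info item : BoxFolder.getRootFolder(api).getChildren("id", "name")) {
                n++;
            }
            System.out.println(label + ": " + n + " items in root");
            return n;
        } catch (BoxAPIException e) {
            System.out.println(label + ": HTTP " + e.getResponseCode() + " " + e.getResponse());
            return -1;
        }
    }

    public static void main(String[] args) {
        BoxAPIConnection api = new BoxAPIConnection(ACCESS_TOKEN);
        System.out.println("token identity: " + whoAmI(api));
        countRootItems(api, "without As-User");

        api.setAsUserHeader(TARGET_USER_ID);   // same header the curl test sent
        System.out.println("As-User identity: " + whoAmI(api));
        countRootItems(api, "with As-User " + TARGET_USER_ID);
        api.removeAsUserHeader();
    }
}
```

If the first identity line is a real email rather than an AutomationUser_ login, the token comes from the OAuth2 app and the As-User calls depend on that user's own As-User entitlement, not on the JWT app's "Perform Actions as Users" toggle.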
  • mklinchin

    Oh, I am very sorry; in my app I use several SDKs and have a little problem with terminology. By service account I mean the Admin account. Sorry for the wrong terminology!

  • mklinchin

    Sorry again for the wrong terminology, but the problem is still present: the Admin account with 2-factor authentication gets a 403 error. The URL from your reply returns the same info for both cases.
