Java SDK - 403 error while trying to get the list of files as a user with the "login verification" option
I use a service account to connect and get the list of files for several users, and everything worked fine. This week I get a 403 error every time I try to get the list of files for all users; after research I found that the service account has "2-step verification" enabled.
Did Box change the authentication steps for 2-step verification? Can anyone help?
P.S. The user didn't change anything themselves; this option was enabled the whole time. And the app worked fine before now.
-
Sure. I have two Box co-admin accounts, one with 2-factor authentication and the other without. In debug I got the access token and ran the "curl" command. These are my results:
//First test for account without 2factor authentication:
##get list files for co-admin
curl "https://api.box.com/2.0/folders/0/items?limit=100&offset=0" -H @{"Authorization"="Bearer /*myAccessCode*/"}
StatusCode : 200
StatusDescription : OK
Content : {"total_count":30,"entries":[{"type":"folder","id":"4***phone number removed for privacy***","sequence_id":"0","etag":"0","name":"..boxtestfor bryan.."},{"type":"folder","id":"4***phone number removed for privacy***","sequence_id":"0","etag":"0","name":"00...
RawContent : HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
BOX-REQUEST-ID: 0f54smhsrcesrcpm7htkks8tcht
Age: 1
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Cont...
Forms : {}
Headers : {[Strict-Transport-Security, max-age=31536000], [Vary, Accept-Encoding], [BOX-REQUEST-ID, 0f54smhsrcesrcpm7htkks8tcht], [Age, 1]...}
Images : {}
InputFields : {}
Links : {}
ParsedHtml : mshtml.HTMLDocumentClass
RawContentLength : 3315
##get list files for user with id-24901550**
curl "https://api.box.com/2.0/folders/0/items?limit=100&offset=0" -H @{"Authorization"="Bearer /*MyAccessToken*/"; "AS-User"="24901550**"}
StatusCode : 200
StatusDescription : OK
Content : {"total_count":6,"entries":[{"type":"folder","id":"3***phone number removed for privacy***","sequence_id":"0","etag":"0","name":"Folder 1"},{"type":"folder","id":"3***phone number removed for privacy***","sequence_id":"0","etag":"0","name":"Folder 2"},{"ty...
RawContent : HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
BOX-REQUEST-ID: 0c9482vdr3rdctht1nq4ktgsl95
Age: 0
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Cont...
Forms : {}
Headers : {[Strict-Transport-Security, max-age=31536000], [Vary, Accept-Encoding], [BOX-REQUEST-ID, 0c9482vdr3rdctht1nq4ktgsl95], [Age, 0]...}
Images : {}
InputFields : {}
Links : {}
ParsedHtml : mshtml.HTMLDocumentClass
RawContentLength : 683
==================================================
##now the same test for the user with 2-factor authentication
curl "https://api.box.com/2.0/folders/0/items?limit=100&offset=0" -H @{"Authorization"="Bearer /*myAccessToken*/"}
StatusCode : 200
StatusDescription : OK
Content : {"total_count":45,"entries":[{"type":"folder","id":"***number removed for privacy***38","sequence_id":"2","etag":"2","name":"01"},{"type":"folder","id":"2***phone number removed for privacy***","sequence_id":"1","etag":"1","name":"02"},{"type":"folder...
RawContent : HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
BOX-REQUEST-ID: 0tkinn03h2mn23gufe8r4nhg5qq
Age: 0
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Cont...
Forms : {}
Headers : {[Strict-Transport-Security, max-age=31536000], [Vary, Accept-Encoding], [BOX-REQUEST-ID, 0tkinn03h2mn23gufe8r4nhg5qq], [Age, 0]...}
Images : {}
InputFields : {}
Links : {}
ParsedHtml : mshtml.HTMLDocumentClass
RawContentLength : 7012
##get list files for user with id-24901550**
curl "https://api.box.com/2.0/folders/0/items?limit=100&offset=0" -H @{"Authorization"="Bearer /*myAccessToken*/"; "AS-User"="24901550**"}
curl : The remote server returned an error: (403) Forbidden.
At line:1 char:1
+ curl "https://api.box.com/2.0/folders/0/items?limit=100&offset=0" -H ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
My Java application catches the exception:
com.box.sdk.BoxAPIException: The API returned an error code: 403
{"type":"error","status":403,"code":"access_denied_insufficient_permissions","help_url":"http:\/\/developers.box.com\/docs\/#errors","message":"Access denied - insufficient permission","request_id":"dj3krtfpew8uiblf"}
at com.box.sdk.BoxAPIResponse.<init>(BoxAPIResponse.java:84)
at com.box.sdk.BoxJSONResponse.<init>(BoxJSONResponse.java:32)
at com.box.sdk.BoxAPIRequest.trySend(BoxAPIRequest.java:541)
at com.box.sdk.BoxAPIRequest.send(BoxAPIRequest.java:319)
at com.box.sdk.BoxAPIRequest.send(BoxAPIRequest.java:294)
at com.box.sdk.JSONIterator.loadNextPage(JSONIterator.java:74)
at com.box.sdk.JSONIterator.loadNextJsonObject(JSONIterator.java:90)
at com.box.sdk.JSONIterator.hasNext(JSONIterator.java:32)
at com.box.sdk.BoxItemIterator.hasNext(BoxItemIterator.java:28)
P.S. All accounts have the same properties and permissions except 2-factor authentication.
P.P.S. Today I updated the Box SDK to the latest 2.15.0 and the problem is still present.
-
Thank you for the detailed report — it was really helpful to see what was going on! I notice that the error seems to only occur when you try to use the As-User header with the Service Account. In the Box Developer Console, have you toggled on the "Perform Actions as Users" feature? This is necessary to use the As-User header in your application, and changing it requires you to reauthorize the application in the enterprise you're working in — the enterprise admin needs to re-approve the new permissions. See the screenshot below for the toggle I'm talking about — it should be in the "on" position as shown:
-
As I understand, these options are enabled for applications with the "OAuth 2.0 with JWT (Server Authentication)" authentication method. But for accounts with 2-factor authentication I use another app with "Standard OAuth 2.0 (User Authentication)", because I have to open a browser window to let the user pass his second authentication.
-
I'm not sure that the two different apps with different authentication methods are really required in this scenario — your JWT app should be able to generate tokens or use As-User to act as any user, even ones with 2-factor authentication. Since the JWT app is authenticated by a private key that is never transmitted over the Internet, and is authorized by the enterprise administrator, it should actually be significantly more secure than the user's own username and password. If you use the JWT app to generate tokens or use As-User for the required user, does that work for you?
-
I'll try to explain; forget the two Box apps (in my application I just let the user choose which type of authentication to use, my application or the browser). This problem is present when the user authenticates with the browser.
So, the user wants to log in with the browser; I open a browser window in my application and let the user enter his credentials, pass the second verification, and grant access. After that I get the access code from the browser and then authenticate the SDK with this code, and finally I get a 403 error when I try to use the "As-User" header. But when the user does the same with an account without 2-factor authentication, everything works fine.
-
If you're using the standard OAuth2 app instead of the JWT app, the access token you get allows you to act as the user who logged in, which is going to be different than the JWT app Service Account. The Service Account has permission to use As-User, but the user who logged in via OAuth2 by typing in their credentials might not. If the user logged in via OAuth2, you already have an access token that authenticates as that user — you should be able to get the list of their files without using the As-User header, since with that access token you already are that user. If you remove the As-User header when you're using the OAuth2 app, does that work for you?
-
I know, if I remove the "As-User" header it retrieves files for the logged-in user. But this user is the service account, and I can log in as other users from the web, but not from my app. If you look at my post with the console requests, you will see that the first request is without the "As-User" header, and the second, with this header, gets a 403 error. The account that I use is the service account, and from the web it works fine; when I disable 2-factor authentication it works from the app too, but when I enable 2-factor authentication again, it stops working. So, in my case the Box Java API has a problem with the following combination: service account with 2-factor authentication, OAuth2 authentication type, "As-User" header. I may be wrong, but other things work fine.
-
I'm a bit confused about what exactly you're trying to do here — could you explain a little more what your setup is? Specifically, when you say you're logging in as the Service Account through traditional OAuth2 authentication, that should not be possible. The Service Account is tied to the JWT authentication app, and does not have a username and password to log in via the web UI. You should be able to verify this by making a GET call to https://api.box.com/2.0/users/me when you're authenticated as the JWT app and then again when you're authenticated as the standard OAuth2 app — the login field for the JWT app should be something like "AutomationUser_@boxdevedition.com" and your OAuth2 app should give back a real email address for one of the users in your enterprise. Can you give that a try and let me know if it comes back correctly?
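The two suggestions above (drop As-User when the token already is the user, and call GET /users/me to see which identity each token really carries) can be turned into a small diagnostic. The following is an added example written for this thread; it is not code from the original posts, from the Box Java SDK, or from Box. It assumes the service-account login pattern "AutomationUser_…@boxdevedition.com" quoted in the previous comment, uses a constructed fake transport so it runs offline (the token strings, user ids and the target id 24901550 are constructed), and classifies the 403 body exactly as it was pasted earlier in the thread. Swap `fake_transport` for `urllib_transport` to run it against a real token.

```python
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

API = "https://api.box.com/2.0"

# Assumption from the comment above: JWT service-account logins look like
# AutomationUser_...@boxdevedition.com; anything else is a regular enterprise user.
SERVICE_ACCOUNT_LOGIN = re.compile(r"^AutomationUser_.*@boxdevedition\.com$")

# A transport takes (method, url, headers) and returns (status, body_text).
Transport = Callable[[str, str, dict], Tuple[int, str]]


def urllib_transport(method: str, url: str, headers: dict) -> Tuple[int, str]:
    """Real HTTPS transport, for use with a live access token."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8")


def fetch_users_me(access_token: str, transport: Transport) -> dict:
    """GET /users/me: reveals which identity this access token authenticates as."""
    status, body = transport("GET", f"{API}/users/me",
                             {"Authorization": f"Bearer {access_token}"})
    if status != 200:
        raise RuntimeError(f"/users/me returned {status}: {body}")
    return json.loads(body)


def identity_kind(users_me: dict) -> str:
    """'service_account' for a JWT app's automation user, else 'managed_user'."""
    login = users_me.get("login", "")
    return "service_account" if SERVICE_ACCOUNT_LOGIN.match(login) else "managed_user"


def plan_request(access_token: str, users_me: dict,
                 target_user_id: Optional[str] = None) -> Tuple[dict, str]:
    """Decide which headers to send for a call on behalf of target_user_id."""
    headers = {"Authorization": f"Bearer {access_token}"}
    if target_user_id is None or target_user_id == users_me.get("id"):
        # The token already *is* this user: As-User adds nothing and may be refused.
        return headers, "token already authenticates as the target user; As-User not needed"
    headers["As-User"] = target_user_id
    if identity_kind(users_me) == "service_account":
        return headers, ("service-account token: As-User applied; the app must have "
                         "'Perform Actions as Users' enabled and be re-authorized")
    return headers, ("managed-user token: As-User applied, but this identity may not be "
                     "permitted to impersonate; a 403 access_denied_insufficient_permissions "
                     "means it is not")


def classify_error(body: str) -> Optional[str]:
    """Map a Box error body to a short label; None if it is not a Box error JSON."""
    try:
        err = json.loads(body)
    except ValueError:
        return None
    if not isinstance(err, dict) or err.get("type") != "error":
        return None
    if err.get("status") == 403 and err.get("code") == "access_denied_insufficient_permissions":
        return "insufficient_permissions"
    return f"box_error_{err.get('status')}_{err.get('code')}"


# Constructed stand-in for the Box API so the example runs offline:
# one service-account token and one regular-user token.
FAKE_USERS = {
    "svc-token": {"type": "user", "id": "1001",
                  "login": "AutomationUser_1001_x@boxdevedition.com", "name": "Service Account"},
    "user-token": {"type": "user", "id": "2002", "login": "alice@example.com", "name": "Alice"},
}


def fake_transport(method: str, url: str, headers: dict) -> Tuple[int, str]:
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    if method == "GET" and url.endswith("/users/me") and token in FAKE_USERS:
        return 200, json.dumps(FAKE_USERS[token])
    return 401, '{"type":"error","status":401,"code":"unauthorized","message":"Unauthorized"}'


# The 403 body exactly as pasted earlier in this thread (raw string keeps the \/ escapes).
THREAD_403_BODY = r'{"type":"error","status":403,"code":"access_denied_insufficient_permissions","help_url":"http:\/\/developers.box.com\/docs\/#errors","message":"Access denied - insufficient permission","request_id":"dj3krtfpew8uiblf"}'


if __name__ == "__main__":
    for tok in ("svc-token", "user-token"):
        me = fetch_users_me(tok, fake_transport)
        headers, note = plan_request(tok, me, "24901550")  # constructed target id
        print(f"{tok}: login={me['login']} kind={identity_kind(me)}")
        print(f"   headers={headers}\n   note: {note}")
    print("thread 403 body classified as:", classify_error(THREAD_403_BODY))
```

Run the script once with the real transport and each of your two tokens: if the OAuth2 token's /users/me login is a real enterprise address rather than an AutomationUser_ login, that token is a regular user's and the As-User header is the wrong tool for it, which is exactly what the 403 code in the thread reports.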