Restricting JWT App to Certain Folders
Answered
Hello everyone.
I'm developing a Box app, authenticated using JWT, that will need to be restricted to certain folders created by other federated users within our enterprise. When selecting the application scopes, I view that it has: "read/write all folders" and "read all folders". Does this mean that it has access to all user-created files and folders, or that it only has access to read/write all files and folders that it created?
I understand that a service account is created with the box app, so, to restrict access, are we only required to add the service account as a collaborator to specific folders? Or, do read/write all folders mean I must pursue something further such as downscoping to achieve the goal that I want?
For example:
    # client is the JWT-authenticated boxsdk Client of the app
    scopes = ['base_upload', 'item_delete']
    folder_ids = ['***phone number removed for privacy***', '***number removed for privacy***41']
    for id in folder_ids:
        # narrow the app token to this one folder with only the scopes above
        resource = client.folder(folder_id=id)
        client.downscope_token(scopes, item=resource)
Also, if I must downscope, is that the proper scopes to allow for my application to upload content and delete items within those parent folders and subfolders? Or, is this step not necessary since I must add the app as a collaborator anyways in order for it to access those folders?
Any clarification would be greatly appreciated!
-
Downscoping is useful for many reasons, but it's mainly used by our Box UI Elements and Box Skills products. In Box UI Elements the access token is shared with a frontend UI, so restricting it to some exact permissions and a specific file/folder is essential, as the token is shared with anyone who can see the UI.
-
Some more info on Box UI Elements: https://developer.box.com/docs/box-ui-elements
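As an added example (not the original poster's code, not the Box SDK, and not part of the comments above), the following shows what the `downscope_token` loop in the question actually sends and why a downscoped token is safe to hand to a front end as the answer describes: each call is an OAuth 2.0 token exchange (RFC 8693) POSTed to `https://api.box.com/oauth2/token` with the reduced scope list and the target folder as the `resource`, so the result can carry at most the permissions of the parent token and is bound to that one folder. The HTTP call is injected so the code runs offline; `fake_post`, the `ALLOWED_SCOPES` allow list (just the two scopes from the question) and the sample folder ids are constructed for the demonstration.

```python
"""Box access-token downscoping as an OAuth 2.0 token exchange.

Added example; it is neither the original poster's code nor the Box SDK.
It builds the request that client.downscope_token() makes (a POST to the
Box token endpoint using the RFC 8693 token-exchange grant) and issues one
exchange per folder. The HTTP call is injected so everything runs offline;
fake_post and ALLOWED_SCOPES are constructed for the demonstration.
"""
from typing import Callable, Dict, Sequence

TOKEN_URL = "https://api.box.com/oauth2/token"
FOLDER_RESOURCE = "https://api.box.com/2.0/folders/{folder_id}"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# Constructed allow list: the scopes named in the question. A request for a
# scope outside this list is rejected before anything is sent.
ALLOWED_SCOPES = frozenset({"base_upload", "item_delete"})

# Type of the injected HTTP function: (url, form_fields) -> parsed JSON body.
Poster = Callable[[str, Dict[str, str]], Dict[str, object]]


def build_downscope_request(parent_token: str, scopes: Sequence[str],
                            folder_id: str) -> Dict[str, str]:
    """Return the form fields for one token-exchange request.

    The resulting token can carry at most the permissions of parent_token;
    downscoping only narrows, it never adds access to folders the app
    cannot already reach.
    """
    if not parent_token:
        raise ValueError("parent access token is required")
    if not folder_id or not folder_id.isdigit():
        # Box folder ids are numeric strings ("0" is the root folder)
        raise ValueError(f"folder id must be a numeric string, got {folder_id!r}")
    if not scopes:
        raise ValueError("at least one scope is required")
    unknown = set(scopes) - ALLOWED_SCOPES
    if unknown:
        raise ValueError(f"scopes not permitted by the allow list: {sorted(unknown)}")
    return {
        "grant_type": GRANT_TYPE,
        "subject_token": parent_token,
        "subject_token_type": SUBJECT_TOKEN_TYPE,
        "scope": " ".join(scopes),  # space-separated, as the token endpoint expects
        "resource": FOLDER_RESOURCE.format(folder_id=folder_id),
    }


def downscope_for_folders(parent_token: str, scopes: Sequence[str],
                          folder_ids: Sequence[str], post: Poster) -> Dict[str, str]:
    """Issue one exchange per folder and return {folder_id: downscoped_token}.

    One token per folder keeps each token bound to a single resource, so a
    token handed to a front end for folder A is useless against folder B.
    """
    tokens: Dict[str, str] = {}
    for folder_id in folder_ids:
        fields = build_downscope_request(parent_token, scopes, folder_id)
        body = post(TOKEN_URL, fields)
        if "access_token" not in body:
            raise RuntimeError(f"token exchange failed for folder {folder_id}: {body}")
        tokens[folder_id] = str(body["access_token"])
    return tokens


def fake_post(url: str, fields: Dict[str, str]) -> Dict[str, object]:
    """Constructed stand-in for the token endpoint; it never touches the network.

    It returns a token whose name encodes the folder, plus a restricted_to
    list shaped like the one Box returns alongside a downscoped token.
    """
    assert url == TOKEN_URL
    folder_id = fields["resource"].rsplit("/", 1)[-1]
    return {
        "access_token": f"downscoped-{folder_id}",
        "token_type": "bearer",
        "restricted_to": [
            {"scope": s, "object": {"type": "folder", "id": folder_id}}
            for s in fields["scope"].split()
        ],
    }


if __name__ == "__main__":
    # Constructed sample input: a placeholder parent token and two folder ids.
    result = downscope_for_folders("PARENT_TOKEN_PLACEHOLDER",
                                   ["base_upload", "item_delete"],
                                   ["1001", "1002"], fake_post)
    for fid, tok in result.items():
        print(f"folder {fid}: {tok}")
```

Against the real endpoint the injected `post` would be something like `lambda url, fields: requests.post(url, data=fields).json()`, with the app's JWT-obtained service-account token as `parent_token`. The allow list is the defender's control here: it stops a code path from ever requesting broader scopes than the front end needs, independent of what the parent token could grant.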