Connect to my own Box account via Python SDK

Answered

New post

November 01, 2020 16:56
Edited

My team and I share a Box instance at the office, which we do not administer. We all use our browser to upload and download files to and from this instance.

We want to do the same using the SDK (in our case Python) so that we can automate actions with Box and treat it like a general shared filesystem for our scripts.

I set up my own free Box account. I wrote the code to connect via JWT, and was able to upload and download, but then I realized that's for a special app, not the general Box account I set up.

I see the instructions for OAuth2, which includes a step where the user grants access to Box via browser. For automation that won't work, unless that grant is just a one-time thing that then stays in place indefinitely.

I can see in the page that requests the grant this code:

" name="__login" value="1"><input type="hidden"
name="redirect_url" value="/api/oauth2/authorize?
state=box_csrf_token_UWrA4Neo2kzUvoYg&amp;
response_type=code&amp;
client_id=ogdx613sjyag1daqg6fejegs12hyhqo9&amp;
redirect_uri=https%3A%2F%2Fapp.box.com">
<input type="hidden"
name="request_token" value="e8b74bfb3f74e7192705acb5k315170d2cf6f019e3bd060bc16d3634b1a32c9b">
<input type="hidden" id="_pw_sql" name="_pw_sql" value=""/>

The instructions at https://developer.box.com/guides/authentication/oauth2/with-sdk/ say something about a short-lived code that can be used to generate an access token. Is the value for request_token (e8b74bfb3f74e7192705acb5k315170d2cf6f019e3bd060bc16d3634b1a32c9b) this short-lived code?

If yes, the documentation then says:

oauth.authenticate('[CODE]')
client = Client(oauth)

But it does not define oauth. What is that?

Comments

6 comments

Official comment
Kourtney

November 02, 2020 16:51
Hello Jason,

Since you said you're trying to write scripts for automate tasks, you will want to use JWT authentication, which does not require end-user interaction.

Could you clarify what you meant when you said, "I wrote the code to connect via JWT, and was able to upload and download, but then I realized that's for a special app, not the general Box account I set up." ?

It sounds like you may have been using the default token for a JWT app, which is the JWT service account

If you set your apps application access to "enterprise" you can obtain a token for a regular Box user account. To do this, you'll want to ensure that the following values are set in your JWT assertion:

box_sub_type = user

sub = userID of the user you want a token for

Best,

Kourtney
Comment actions Permalink

Jason Friedman

November 04, 2020 03:17
Edited

Hello Kourtney,

What I meant by "I wrote the code to connect via JWT, and was able to upload and download, but then I realized that's for a special app, not the general Box account I set up" is that the files I upload via the JWT service account were only visible when logged in via the JWT service account (via my Python script). They were not visible from a browser pointed at https://app.box.com/folder/0 when logged in as my user js******08@gmail.com

So, following your instructions above I have this code:

authentication_url = 'https://api.box.com/oauth2/token'
user_id = "js*****08@gmail.com"

config_file = pathlib.Path.home() / "config.json"
config = json.load(open(config_file))
appAuth = config["boxAppSettings"]["appAuth"]
privateKey = appAuth["privateKey"]
passphrase = appAuth["passphrase"]

key = load_pem_private_key(
data=privateKey.encode('utf8'),
password=passphrase.encode('utf8'),
backend=default_backend(),
)

claims = {
'iss': config['boxAppSettings']['clientID'],
'sub': user_id,
'box_sub_type': 'user',
'aud': authentication_url,
'jti': secrets.token_hex(64),
'exp': round(time.time()) + 45
}

keyId = config['boxAppSettings']['appAuth']['publicKeyID']
assertion = jwt.encode(
claims,
key,
algorithm='RS512',
headers={
'kid': keyId
}
)

params = {
'grant_type': 'urn:ietf:params:oauth:grant-type:jwt-bearer',
'assertion': assertion,
'client_id': config['boxAppSettings']['clientID'],
'client_secret': config['boxAppSettings']['clientSecret']
}

response = requests.post(authentication_url, params)
print(response.status_code)
print(response.text)

which yields:

400
{"error":"invalid_request","error_description":"Cannot obtain token based on the enterprise configuration for your app"}

In my app configuration I have checked "OAuth 2.0 with JSON Web Tokens" for Authentication Method, "Enterprise" for Application Access, enabled all Application Scopes, and enabled all Advanced Features.

And, just to be clear, my user_id is my email address (js*****08@gmail.com) I use when logging in via a browser?

Kourtney

November 04, 2020 17:05
Hey Jason,

Your user_id is actually going to be a unique numeric value that is assigned to each Box account. An easy way to obtain this is using the get current user endpoint, but to make this really easy for you yours is 14239712463. Let me know if you still encounter errors after changing the email address in your code to the user ID number!

Best,

Kourtney
0

Comment actions Permalink

Jason Friedman

November 05, 2020 02:14

Thank you for sticking with me, Kourtney. The snippet of my code that is changed:

claims = {
'iss': config['boxAppSettings']['clientID'],
'sub': "14239712463",
'box_sub_type': 'user',
'aud': authentication_url,
'jti': secrets.token_hex(64),
'exp': round(time.time()) + 45
}

And the same result:

400
{"error":"invalid_request","error_description":"Cannot obtain token based on the enterprise configuration for your app"}

Kourtney

November 05, 2020 16:12
No worries, Jason! We'll get you there. Can you try reauthorize your application in the admin console? If you still receive an error could you provide me with your client ID (aka API key) so I can pull some backend logs?

Best,

Kourtney
0

Comment actions Permalink

Jason Friedman

November 07, 2020 00:02

That did it! Thank you, Kourtney.

Three things ... first, resubmitting did not generate a new approval email, but I searched through my old email for the original one and clicked the link in that email

Second, here's my working code for the next gal/guy who needs this:

import cryptography
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.serialization import load_pem_private_key
import io
import json
import os
import pathlib
import time
import secrets
import boxsdk
import requests
import jwt

authentication_url = 'https://api.box.com/oauth2/token'
account_id = "00000000000" # set to your account_id
config_file = pathlib.Path.home() / "config.json"

config = json.load(open(config_file))

appAuth = config["boxAppSettings"]["appAuth"]
privateKey = appAuth["privateKey"]
passphrase = appAuth["passphrase"]

# https://cryptography.io/en/latest/
key = load_pem_private_key(
data=privateKey.encode('utf8'),
password=passphrase.encode('utf8'),
backend=default_backend(),
)

claims = {
'iss': config['boxAppSettings']['clientID'],
'sub': account_id
'box_sub_type': 'user',
'aud': authentication_url,
'jti': secrets.token_hex(64),
'exp': round(time.time()) + 45
}

keyId = config['boxAppSettings']['appAuth']['publicKeyID']

assertion = jwt.encode(
claims,
key,
algorithm='RS512',
headers={
'kid': keyId
}
)

params = {
'grant_type': 'urn:ietf:params:oauth:grant-type:jwt-bearer',
'assertion': assertion,
'client_id': config['boxAppSettings']['clientID'],
'client_secret': config['boxAppSettings']['clientSecret']
}
response = requests.post(authentication_url, params)
access_token = response.json()['access_token']

auth = boxsdk.OAuth2(
client_id=config['boxAppSettings']['clientID'], 
client_secret='', 
access_token=access_token
)
client = boxsdk.Client(auth)

root_folder = client.folder('0')
for item in root_folder.get_items():
my_file = client.file(file_id=item.id)
print(my_file)

Third, these are screenshots of my app configuration:

Note that "account_id" above is actually User ID below.

Please sign in to leave a comment.