Is a service account user more prone to throttling?
Hi dear Box Team!
We are trying to add a Box integration to our custom application and we have some questions in order to choose the authentication method for our application.
1. The JWT and Client Credentials Grant options use a special "Service account" to access the content of the Enterprises. Does it mean that if multiple Enterprises use our app at the same time, a lot of traffic will start to go through this user and our app will become more prone to throttling? Does the rate limit differ between a service account and a regular admin/co-admin account?
2. If multiple Enterprises authorize our app, does it mean that any of those Enterprises can see the data of another just by knowing that Enterprise's ID and passing the same secret data (client ID + client secret, for example)? Isn't that a security concern?
3. If we choose the OAuth 2.0 authentication method with the browser view, will it work only for the Enterprise's primary admin account to interact with files/folders of all Enterprise users (using the "asUser" header)? Can co-admins also upload files to all user accounts in the Enterprise?
-
I created another issue to bring visibility back to the issue you are reading. It is here:
-
Hey Vahe,
1. Each enterprise that authorizes an application has a separate service account generated that is unique for that enterprise. That account only has access to any content it may own, and only within the enterprise that authorized the application. With regards to rate limiting, each one of those service accounts will be under a separate rate limit that defers to our standard rate limiting policies; there is not a special rate limit for service accounts.
2. In both authentication options, there is a portion that should never be exposed to the customers. For JWT that is your key pair, for client credentials grant that is your client secret. In both cases the admins would authorize the application by using the client id, but the token generation process should never take place in a manner where either your client secret or the key pair is exposed to the end users.
3. The main admin of the enterprise by default has the ability to utilize the As-User header when using a token generated from their account. For Co-Admins that would want to utilize that header, they would first need to be granted the correct Co-Admin permissions. "Log in to users' accounts" would be the minimum required permission to utilize the As-User header, but depending on what actions you want to perform you will likely need other co-admin permissions as well.
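The answer's first two points, taken together, describe a server-side token broker: the enterprise ID the token is minted for comes from your own tenant record, and the key pair (JWT) or client secret (CCG) never leaves your server. The following Go program is an added illustration of that pattern and is not code from this thread or from Box's SDKs. It builds and signs an enterprise-scoped JWT assertion with the Go standard library, verifies it the way the token endpoint would (so a tenant that re-points a captured assertion at another enterprise ID fails the signature check), and builds the form bodies for both grant types. The claim and parameter names (iss, sub, box_sub_type, aud, jti, exp; box_subject_type, box_subject_id) follow Box's public authentication docs rather than this page; the key ID, client ID, secret and enterprise IDs are hypothetical placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Box's token endpoint; it is also the audience a JWT assertion must carry.
const tokenURL = "https://api.box.com/oauth2/token"

// Claims is the subset of JWT claims needed for an enterprise (service account) token.
type Claims struct {
	Iss        string `json:"iss"`          // app client ID
	Sub        string `json:"sub"`          // enterprise ID this token is scoped to
	BoxSubType string `json:"box_sub_type"` // "enterprise" selects the service account
	Aud        string `json:"aud"`          // must equal tokenURL
	Jti        string `json:"jti"`          // unique per assertion; replays are rejected
	Exp        int64  `json:"exp"`          // short-lived (Box allows at most 60 s)
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildAssertion signs an assertion for one enterprise with the app's private key.
// It runs only on the integration's own server; priv is never sent to a tenant.
func BuildAssertion(priv *rsa.PrivateKey, kid, clientID, enterpriseID string, now time.Time) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(Claims{
		Iss: clientID, Sub: enterpriseID, BoxSubType: "enterprise", Aud: tokenURL,
		Jti: hex.EncodeToString(nonce), Exp: now.Add(45 * time.Second).Unix(),
	})
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyAssertion mirrors the check the token endpoint performs with the app's registered
// public key. Editing the payload (e.g. swapping sub to another enterprise ID) breaks the
// signature, which is why knowing another tenant's enterprise ID gains an attacker nothing.
func VerifyAssertion(pub *rsa.PublicKey, token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, fmt.Errorf("bad signature: %w", err)
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if c.Aud != tokenURL || c.Exp <= now.Unix() {
		return c, fmt.Errorf("wrong audience or expired")
	}
	return c, nil
}

// JWTTokenForm is the body POSTed to tokenURL to exchange the assertion for an access token.
func JWTTokenForm(clientID, clientSecret, assertion string) url.Values {
	return url.Values{
		"grant_type":    {"urn:ietf:params:oauth:grant-type:jwt-bearer"},
		"client_id":     {clientID},
		"client_secret": {clientSecret},
		"assertion":     {assertion},
	}
}

// CCGTokenForm is the Client Credentials Grant equivalent. The enterprise ID is read from
// the server's own tenant record; a caller-supplied value must never be trusted here.
func CCGTokenForm(clientID, clientSecret, enterpriseID string) url.Values {
	return url.Values{
		"grant_type":       {"client_credentials"},
		"client_id":        {clientID},
		"client_secret":    {clientSecret},
		"box_subject_type": {"enterprise"},
		"box_subject_id":   {enterpriseID},
	}
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the key pair registered with the app
	tok, _ := BuildAssertion(priv, "kid-example", "client-id-example", "987654321", time.Now())
	c, err := VerifyAssertion(&priv.PublicKey, tok, time.Now())
	fmt.Println(c.Sub, c.BoxSubType, err)
	fmt.Println(JWTTokenForm("client-id-example", "secret", tok).Get("grant_type"))
	fmt.Println(CCGTokenForm("client-id-example", "secret", "987654321").Encode())
}
```

In a real deployment the only caller-controlled input to this broker is the tenant identity you have already authenticated; the enterprise ID, client secret and private key are looked up server-side, so a tenant can neither mint a token for another enterprise nor learn the material needed to try.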