Welcome to the new Box Support website. Check out all the details here on what’s changed.

Box Status

Server Authentication usage

Answered
Follow
New post
Steve DeBusschere

My app will be used by other Box customers to access their files. I am testing the custom app authentication options that will allow my app to access every user's files within an enterprise account. I created a "Server Authentication (Client Credentials Consent)" app registration and consented to the app from two different Box accounts (e.g. "A" and "B"). I found that it is possible for account "A" to access the files in account "B" by specifying the enterprise ID for account "B". Is there no way to use the same app registration for multiple Box accounts? What is the recommended practice to build a "multi-tenant" application?

0

Comments

2 comments

Date Votes
  • Official comment
    Kourtney

    Hey Steve, 

    When you create a grant using client credentials grant, a service account user is created as soon as the app is authorized in the Admin Console. When you specify the enterprise ID in the grant, you'll obtain an access token for this user by default. A service account will be created for the app in each EID the app is authorized in. You will not be able to access content in a non-managed user's account (aka a user in another enterprise). 

    Hope that helps, but let me know if you have any questions! 

    Best,

    Kourtney, Box Developer Advocate

    Comment actions Permalink
  • Steve DeBusschere

    Kourtney,

    If you change the enterprise ID to another Box account that has also authorized the app, you can see their content without knowing their login credentials. We tested this and was surprised that it was true.

    Steve

     

    0
    Comment actions Permalink

Please sign in to leave a comment.