Unexpected access token restrictions
Hi,
Context
I am developing a custom app (client_id: 8zymxbbyb908n7nmhntdchh3nwi7u3o5), which is supposed to open a file for commenting etc., using only the Box API. The service itself, including the OAuth2 flow, is set up and seems to work properly.
Problem
When testing the app through typing this URL:
https://account.box.com/api/oauth2/authorize?response_type=code&client_id=8zymxbbyb908n7nmhntdchh3nwi7u3o5
Box prompts for a lot of permissions – see picture 1 – and everything seems to work well. The access token JSON returned has no attached restricted_to info.
Picture 1
However, when testing the app by right-clicking a file on box.com, Box only asks for the "Read from file my file.mp4" permission, see picture 2.
Picture 2
This results in an access token with this attached object:
    "restricted_to": [
        {
            "scope": "item_read",
            "object": {
                "type": "file",
                "id": "815440821742",
                "file_version": {
                    "type": "file_version",
                    "id": "873148946542",
                    "sha1": "2c585f32ecd2c08c3f8541901d49ed9893cc8f17"
                },
                "sequence_id": "1",
                "etag": "1",
                "sha1": "2c585f32ecd2c08c3f8541901d49ed9893cc8f17",
                "name": "my file.mp4"
            }
        }
    ]
causing a 404 when asking to read the file's /tasks. /comments works for some reason.
Interestingly, the scope "item_read" is not listed as one of the possible scopes in the API docs: https://developer.box.com/reference/resources/access-token/#param-restricted_to-scope
My guess is that these two different ways to start the app give differently scoped access tokens.
My question is how to give my app a token that allows reading and writing comments and tasks when it is launched by right-click and the Integrations menu.
I also attach some screenshots of app settings and integration settings (pictures 3 to 6).
Any help or clue is welcome!
Best regards,
Olov
Picture 3
Picture 4
Picture 5
Picture 6
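As an added illustration (not code from the post or from Box), here is how an app can inspect the restricted_to block of a token response up front, instead of discovering a downscoped token through 404s on individual endpoints. The sample response is constructed to match the shape quoted above; the access_token value is a placeholder, and the mapping of scope names to permitted operations (item_read as read-only, item_readwrite as read and write) is an assumption for this example, since the post itself notes that item_read is not in the documented scope list.

```python
import json

# Constructed sample response, shaped like the one quoted in the post:
# a token downscoped to "item_read" on a single file. The object ids are
# the ones the post shows; the access_token value is a placeholder.
SAMPLE_TOKEN_RESPONSE = json.loads("""
{
  "access_token": "PLACEHOLDER_ACCESS_TOKEN",
  "token_type": "bearer",
  "expires_in": 3600,
  "restricted_to": [
    {
      "scope": "item_read",
      "object": {
        "type": "file",
        "id": "815440821742",
        "name": "my file.mp4"
      }
    }
  ]
}
""")

# Assumption for this example: "item_read" (seen in the post) permits only
# read operations, and "item_readwrite" permits read and write. Any other
# scope name is treated as unknown and therefore as permitting nothing.
SCOPE_PERMITS = {
    "item_read": {"read"},
    "item_readwrite": {"read", "write"},
}


def restrictions(token_response):
    """Return (scope, object_type, object_id) for each restricted_to entry.
    A token with no restricted_to (or an empty list) returns []."""
    out = []
    for entry in token_response.get("restricted_to") or []:
        obj = entry.get("object") or {}
        out.append((entry.get("scope"), obj.get("type"), obj.get("id")))
    return out


def is_scoped_token(token_response):
    """True when the token is limited to specific items rather than the
    app's full set of granted scopes."""
    return bool(restrictions(token_response))


def may_call(token_response, object_type, object_id, operation):
    """Decide up front whether `operation` ('read' or 'write') on
    (object_type, object_id) is within what this token is restricted to.

    An unrestricted token is allowed through (the app's configured scopes
    apply instead); a restricted token must carry a matching entry whose
    scope permits the operation.
    """
    if not is_scoped_token(token_response):
        return True
    for scope, otype, oid in restrictions(token_response):
        if otype == object_type and oid == object_id:
            if operation in SCOPE_PERMITS.get(scope, set()):
                return True
    return False


def explain(token_response):
    """Human-readable summary of the restrictions, for logging at login."""
    if not is_scoped_token(token_response):
        return "token is not restricted to specific items"
    parts = [f"{scope} on {otype} {oid}"
             for scope, otype, oid in restrictions(token_response)]
    return "token restricted to: " + "; ".join(parts)


if __name__ == "__main__":
    print(explain(SAMPLE_TOKEN_RESPONSE))
    for op in ("read", "write"):
        print(op, "on file 815440821742 allowed:",
              may_call(SAMPLE_TOKEN_RESPONSE, "file", "815440821742", op))
```

Logging the output of explain() right after the token exchange makes it obvious which launch path produced a downscoped token, and may_call() lets the app decide to re-authorize for broader scopes before it attempts a write that the token cannot cover.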
-
One thing I discovered is that if I remove the #auth_code# query parameter in the integration (picture 1) and make the frontend app redirect to this URL when missing an auth_code:
https://account.box.com/api/oauth2/authorize?response_type=code&client_id=${clientId}&redirect_uri=https://box.mydomain.dev
the user will be asked to give more privileges to the app and a new code will be sent and received by the frontend app, hence getting /tasks will work. However, this means that the user will be prompted about app access two times (picture 2 and picture 3), which seems wrong.
So the question remains for me: how do we get Box to ask for enough permissions when right-clicking a file and opening it in our integration?
Thanks in advance :)
Olov
Picture 1
Picture 2
Picture 3
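As an added example (not the author's frontend code and not a Box SDK function), this builds the authorize URL of the form shown above and shows how the frontend can tell whether a launch already carried an authorization code or whether it needs to start the authorize redirect. It adds a state parameter to the URL, which the post's URL does not include, so that the code returned on the callback can be tied to the request that started it. The client_id and redirect URI values are placeholders.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_ENDPOINT = "https://account.box.com/api/oauth2/authorize"

# Placeholders: substitute your own app's client_id and registered redirect URI.
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "https://box.mydomain.dev"


def new_state():
    """Fresh unguessable state value; keep it in the user's session before
    redirecting so the callback can be matched to this login attempt."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, state):
    """Authorization URL of the form the post uses, plus a state parameter."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def auth_code_from_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect back to the app.

    Returns None when no code is present (for example when the integration
    launched the app without #auth_code#), so the caller knows to send the
    user to build_authorize_url() instead. Raises ValueError when a code is
    present but the state does not match the one stored for this attempt.
    """
    query = parse_qs(urlparse(callback_url).query)
    code = query.get("code", [None])[0]
    if code is None:
        return None
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    return code


if __name__ == "__main__":
    state = new_state()
    print("redirect the user to:", build_authorize_url(CLIENT_ID, REDIRECT_URI, state))
    # Constructed callback URL, as the browser would return it after consent.
    callback = f"{REDIRECT_URI}/?code=CONSTRUCTED_CODE&state={state}"
    print("code from callback:", auth_code_from_callback(callback, state))
```

The split between "no code at all" (start the authorize flow) and "code with a wrong state" (reject the callback) is deliberate: the first is the normal launch-without-#auth_code# case the post describes, the second should never happen in a legitimate login and is worth logging.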