[.NET] Service Account with Editor Permissions Getting Insufficient Scope Error
Answered
I am using the Box V2.Core SDK to upload files through the API. I can successfully authenticate using JWT and read folder information as the service account, but when I attempt to upload a file I get the following error:
"Bearer realm="Service", error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token.""
The Service Account is listed as a collaborator with editor permissions on the folder that I'm trying to upload to (my account is the middle co-owner and the service account is the bottom):
Here is an example of my code that is producing this error:
var configFilePath = Path.Combine(Directory.GetCurrentDirectory(), "boxconfig.json");
IBoxConfig boxConfig;
await using (var stream = File.OpenRead(configFilePath))
boxConfig = BoxConfig.CreateFromJsonFile(stream);
var auth = new BoxJWTAuth(boxConfig);
var token = auth.AdminToken();
var client = auth.AdminClient(token);
var request = new BoxFileRequest
{
Name = "test.jpg",
Parent = new BoxRequestEntity { Id = <myFolderId> },
};
// this source of a byte[] is just an example
var bytes = await File.ReadAllBytesAsync(<myFilePath>);
await using var stream = new MemoryStream(file);
// this line throws the insufficient_scope error
await client.FilesManager.UploadAsync(request, stream);
What am I missing? Shouldn't my service account have permission to perform this action?
-
Official comment
Hi Daren,
Happy to try to help.
Can I have the client id associated with the application you're having issues with?
Thanks,
Alex, Box Developer Advocate
Comment actions -
Hi Alex,
Thank you for following up. I was actually able to solve the problem by re-creating the app and re-inviting the new Service Account, though I'm not sure what was preventing it from working correctly originally. For any future readers, here are all of the steps I had to follow to allow my Service Account to upload to an existing Enterprise folder:
- In the developer console, create a new Custom App and select JWT Auth as the method of authentication.
- In the app's Configuration tab, set App Access Level to "App + Enterprise Access"
- Select any other Actions the app will need to perform under Application Scopes (everything I needed was already selected after changing the above)
- Under "Add and Manage Public Keys", generate a new key pair and download the JSON configuration file
- Request authorization from enterprise admin to generate a Service Account
- Once authorized, copy the Service Account's generated email address as listed under "Service Account Info" in the General Settings tab
- Navigate back to the target folder / box location and Manage Collaborators. Invite the Service Account to collaborate with at least Editor-level permissions.
After doing all of the above, I was able to authenticate successfully and upload a file to my target folder. My guess is that my initial app was unintentionally created as a Limited Access App, so even though it was explicitly listed as a Collaborator before, the overall app permission wasn't enough to permit the upload. A total guess, but either way the above steps should work for anyone in a similar position.
Please sign in to leave a comment.
Comments
3 comments