Welcome to the new Box Support website. Check out all the details here on what’s changed.

JWT access token is not working to load root folder of Box

Answered
New post

Comments

3 comments

  • Official comment
    Alex Novotny

    Hi Justin, 

    I assume you are talking about this repo on Github. 

    I just tried downloading and using the code for the node sample. It worked for me. Did you make any changes to the code? Can you share the error you are seeing? 

    Thanks, 

    Alex, Box Developer Advocate

    Comment actions Permalink
  • Justin Beyers

    Thanks for your response.

    I can generate access_token with node sample of  this repo which you said.

    I am using Firebase function to make backend api as the following;

    const functions = require("firebase-functions");
    const express = require('express');
    const app = express();

    const admin = require('firebase-admin');
    admin.initializeApp();

    const fs = require('fs')
    const crypto = require('crypto')
    const jwt = require('jsonwebtoken')
    const axios = require('axios')
    const querystring = require('querystring');

    const config = JSON.parse(
    fs.readFileSync('config.json')
    )

    function apiResponseData(bResult, msg, errType) {
    constrepData = {
    'status':bResult,
    'result':msg,
    'errorType':errType
    };

    returnrepData;
    }

    // Get Access Token of Box
    app.get('/boxToken', async (req, res) => {
    letkey = {
    key:config.boxAppSettings.appAuth.privateKey,
    passphrase:config.boxAppSettings.appAuth.passphrase
    }
    console.log('config', config)
    // We will need the authenticationUrl again later,
    // so it is handy to define here
    constauthenticationUrl = 'https://api.box.com/oauth2/token'
    try {
    letclaims = {
    'iss':config.boxAppSettings.clientID,
    'sub':config.enterpriseID,
    'box_sub_type':'enterprise',
    'aud':authenticationUrl,
    // This is an identifier that helps protect against
    // replay attacks
    'jti':crypto.randomBytes(64).toString('hex'),
    // We give the assertion a lifetime of 60 seconds
    // before it expires
    'exp':Math.floor(Date.now() / 1000) + 60
    }
     
    letkeyId = config.boxAppSettings.appAuth.publicKeyID
     
    // Rather than constructing the JWT assertion manually, we are
    // using the jsonwebtoken library.
    letassertion = jwt.sign(claims, key, {
    // The API support "RS256", "RS384", and "RS512" encryption
    'algorithm':'RS512',
    'keyid':keyId,
    })
    console.log('assertion: ', assertion)
    // We are using the excellent axios package
    // to simplify the API call
    letaccessToken = awaitaxios.post(
    authenticationUrl,
    querystring.stringify({
    // This specifies that we are using a JWT assertion
    // to authenticate
    grant_type:'urn:ietf:params:oauth:grant-type:jwt-bearer',
    // Our JWT assertion
    assertion:assertion,
    // The OAuth 2 client ID and secret
    client_id:config.boxAppSettings.clientID,
    client_secret:config.boxAppSettings.clientSecret
    })
    )
    // Extract the access token from the API response
    .then(response => response.data.access_token)
     
    returnres.status(200).json(apiResponseData(true, accessToken, 0));
    } catch(error) {
    console.log('Error get /getToken = ', error.message);
    returnres.status(500).json(apiResponseData(false, error.message, 4));
    }

    });

    exports.widgets = functions.https.onRequest(app);

    So I can get access_token with that api.

    my api endpoint:

    GET: https://us-central1-uvceed-ab506.cloudfunctions.net/widgets/boxToken

    so I tried to load root folder with access_token(result) coming from api.

    Box API to load root foloer

    https://api.box.com/2.0/folders/0/items?fields=modified_at,name,extension&usemarker=true

    but If I use developer_token, I can see my items in root folder.

    So I am guessing my account configuration is wrong. could you check? I shared client_id, client_secret, user_id, etc above.

    Here is config.json

    {

      "boxAppSettings": {

        "clientID": "2xbr8cf7p0xyu7n4xzc5qu0nv2sr6xor",

        "clientSecret": REDACTED,

        "appAuth": {

          "publicKeyID": REDACTED,

          "privateKey": REDACTED,

          "passphrase": REDACTED

        }

      },

      "enterpriseID": "843092337"

    }

    when I log assertion, It looks like it's getting well. 

    Thanks

     

     

     

    0
    Comment actions Permalink
  • Alex Novotny

    Thanks for the additional information. 

    This is happening, because the developer token is tied to the user account that requested the token, in this case info@uvceed.com.

    When you used the node token generator, it is creating a token that is tied to the service account of the application you created. They are different users, and as such, have different content. You aren't getting results, because the service account doesn't own anything. 

    You can read more about the service account user type here

    Hope this helps. 

    0
    Comment actions Permalink

Please sign in to leave a comment.