Permanent read-only access token to preview content in a website?
We would like to embed our Box videos in our websites, just as we can with YouTube or Vimeo, but Box Embed introduces a header with links, like Login and Signup buttons, which we don't want. From what I've read, I understand that the only way to get rid of that header is to use Content Preview (UI Elements) instead. Is that right?
Although there is a working example on codepen.io, this looks quite complex to implement if you just want to embed a video, compared with other video providers. First, because I need to create an "app" in the Box platform, using the Developer Console. Second, because I need to generate an access token, even when we only want anonymous users to watch the video in the website.
Apparently, access tokens expire after 60 minutes, so that would force us to implement code in the backend (in our case it would be PHP), just to request that access token, for every different visit to our website. Or even more complex, we would need to retry or refresh the token every hour with a scheduled script. This seems to be too much just to embed videos, doesn't it? Which makes me think I'm missing something. Isn't there really a much simpler way to just preview the video publicly and nothing else?
However, I see the codepen.io source data example uses a "readonly token", and the corresponding files are public data on a demo enterprise. We want exactly the same, public data (videos) on our enterprise box to be watched. How could we implement that? I can't find a way to generate a readonly permanent token like the one in the example. That would solve our problem.
Thanks in advance for helping and making this clearer.
-
Hi Juan
Take a look at the 'Limited access app', or 'Box View' as it is also called. This might be what you need:
https://developer.box.com/guides/applications/limited-access-apps/
https://developer.box.com/guides/embed/box-view/
It uses 'app-tokens' https://developer.box.com/guides/authentication/app-token/ which can be given a long (infinite) lifetime but are restricted in terms of what API endpoints can be used (preview and download are supported).
-
Thanks Peter,
I had read about that, but couldn't get to a good solution. I'll explain why:
I have an HTML sample file, implementing a Box.Preview() with JavaScript, that works well with a Custom App. I mean, I have a sample video file in my Box account, so I use that video file ID, and the developer access token from my Custom App, to make the preview.show() call, and it works in the browser, I get to see the video in the container element in the page.
So now I try with a Limited Access App, same video file ID, using the Primary Access Token generated key in the Configuration tab. I go to the browser but the video doesn't display, I get a 404 (not found) response. I even downscoped the Primary Access Token using curl, and tried with the long access token I got (which expires in 3628, so this really wouldn't serve the purpose of our implementation), but I get 404 again.
So I wonder if there is something else I'm missing. How is it possible that my file from Box is found with the Custom App developer token and not found with the Limited Access App token?
I've read that there is a special way through an API call to upload files with a Limited Access App, using the App Client ID, but I'm assuming this is a more specific way to do this for certain kinds of implementations, not the only way to work. Otherwise, I wonder if it wouldn't be possible to use a Limited Access App token to preview files uploaded by users in an Enterprise Box account with the purpose of being publicly shared, as I can preview with a Custom App.
I guess there is a piece of this complex puzzle I'm missing, but which one?
-
Yes, the app token is only available for the service account persona that is created as part of your limited access app. You can find this service account login in the 'General settings' tab of your app. It should be something like 'AutomationUser_123345_abcdef@boxdevedition.com'. If you add this user as a collaborator on the videos you need the preview for, it should work. Just copy the ID and paste it into the 'Share' dialog for the folder where your videos are.
The reason your file is found with your developer token is that this token is issued to your Box user, whereas the app token is issued to the service account.
Rgds
Peter
-
Thank you so much Peter! That was the missing piece, now I can see the video using the Primary Access Token, and also with a down-scoped token.
So the only pending problem is that use of that Primary Access Token is discouraged for a website JavaScript call, which could be read by anyone. This is a highly privileged token, and we strongly recommend that you do not send it to an end-user client.
So I've read the solution is a down-scoped token, but the only way I've found to get it is with cURL as in the https://developer.box.com/guides/authentication/tokens/downscope/ documentation page. The problem is that this token expires very soon, and for the website we need a non-expiring token. How could we get that? Is there any way to retrieve a non-expiring down-scoped token?
Thanks in advance
-
Thanks Peter, any news about this? I think this is very important, because without a non-expiring downscoped token, and the primary access key not being secure for a website, there is no way to just permanently embed a video, and just the video, in a website like we can normally with providers such as Vimeo or YouTube. We would have to store our videos in a different provider just for this.
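
The trade-off discussed in this thread, as an added example that is not part of any poster's message or Box's own code: the primary app token stays on the backend, and the browser receives a short-lived downscoped token that is re-minted shortly before it expires. `PreviewTokenBroker`, its file allowlist and the `base_preview` scope choice are assumptions; the token-exchange fields follow the downscope guide linked in the thread.

```javascript
// Added example: backend broker that keeps the primary token server-side.
const TOKEN_URL = "https://api.box.com/oauth2/token";
const REFRESH_MARGIN_MS = 60 * 1000; // renew one minute before expiry

// Token-exchange form body, as in the downscope guide linked in the thread.
function buildDownscopeRequest(primaryToken, fileId) {
  if (!/^\d+$/.test(String(fileId))) throw new Error("fileId must be numeric");
  const body = new URLSearchParams({
    grant_type: "urn:ietf:params:oauth:grant-type:token-exchange",
    subject_token: primaryToken,
    subject_token_type: "urn:ietf:params:oauth:token-type:access_token",
    scope: "base_preview", // assumption: preview only, no download scope
    resource: `https://api.box.com/2.0/files/${fileId}`, // bind to one file
  });
  return { url: TOKEN_URL, body: body.toString() };
}

// Real exchange over HTTPS (global fetch, Node 18+); injectable for testing.
async function exchangeWithBox(primaryToken, fileId) {
  const { url, body } = buildDownscopeRequest(primaryToken, fileId);
  const res = await fetch(url, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body,
  });
  if (!res.ok) throw new Error(`downscope failed: HTTP ${res.status}`);
  return res.json(); // { access_token, expires_in, ... }
}

class PreviewTokenBroker {
  // allowedFileIds: hypothetical allowlist of files published on the site
  constructor(primaryToken, allowedFileIds, exchange = exchangeWithBox, now = Date.now) {
    this.primaryToken = primaryToken;
    this.allowed = new Set(allowedFileIds.map(String));
    this.exchange = exchange;
    this.now = now;
    this.cache = new Map(); // fileId -> { token, refreshAt }
  }
  async tokenFor(fileId) {
    const id = String(fileId);
    if (!this.allowed.has(id)) throw new Error("file not published");
    const hit = this.cache.get(id);
    if (hit && hit.refreshAt > this.now()) return hit.token; // still fresh
    const { access_token, expires_in } = await this.exchange(this.primaryToken, id);
    const refreshAt = this.now() + expires_in * 1000 - REFRESH_MARGIN_MS;
    this.cache.set(id, { token: access_token, refreshAt });
    return access_token;
  }
}
```

A backend route would return the result of `broker.tokenFor(id)` to the page, which passes it to `preview.show()` in place of the primary token.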