Join BoxWorks in San Francisco Nov 12-13! Keynotes, product demos, and Box Master Classes. Reserve your spot!

Permanent read-only access token to preview content in a website?

New post

Comments

7 comments

  • Peter Christensen

    Hi Juan

    Take a look at the 'Limited access app' or 'Box View' as it is also called. This might be what you need

    https://developer.box.com/guides/applications/limited-access-apps/

    https://developer.box.com/guides/embed/box-view/

    It uses 'app-tokens' https://developer.box.com/guides/authentication/app-token/ which can be given a long (infinite) lifetime but are restricted in terms of what API endpoints can be used (preview and download are supported)

    0
    Comment actions Permalink
  • Juan Olalla

    Thanks Peter,

    I had read about that, but couldn't get to a good solution. I'll explain why:

    I have a HTML sample file, implementing a Box.Preview() with JavaScript, that works well with a Custom App. I mean, I have a sample video file in my Box account, so I use that video file ID, and the developer access token from my Custom App, to make the preview.show() call, and it works in the Browser, I get to see the video in the container element in the page.

    So now I try with Limited Access App, same video file ID, using the Primary Access Token generated key in the the Configuration tab. Go to the browser but the video doesn't display, I get a 404 (not found) response. I even downscoped the Primary Access Token using curl, and tried with the long access token I got (which expires in 3628, so this really wouldn't serve the purpose of our implementation), but I get 404 again.

    So I wonder if there is something else I'm missing. How is possible that my file from Box is found with the Custom App developer token and not found with the Limited Access App token?

    I've read that there is a special way through an API call to uploads files with a Limited Access App, using the App Client ID, but I'm assuming this is a more specific way to do this for certain kind of implementations, not the only way to work. Otherwise, I wonder if it wouldn't be possible to use a Limited Access App token to preview files uploaded by users in an Enterprise Box account with the purpose of being publicly shared, as I can preview with a Custom App.

    I guess there is a piece of this complex puzzle I'm missing, but which one?

    0
    Comment actions Permalink
  • Peter Christensen

    yes, the app token is only available for the service account persona that is created as part of your limited access app. You can find this service account login in the 'General settings' tab of your app. Should be something like 'AutomationUser_123345_abcdef@boxdevedition.com'. If you add this user as a collaborator on the videos you need the preview for it should work. Just copy the ID and paste into the 'Share' dialog for the folder where your videos are

    The reason your file is found with your developer token is that this token is issued to your Box user, whereas the app token is issued to the service account.

    Rgds

    Peter

    0
    Comment actions Permalink
  • Juan Olalla

    Thank you so much Peter! That was the missing piece, now I can see the video using the Primary Access Token, and also with a down-scoped token.

    So the only pending problem is that using that Primary Access Token use is discouraged for a website JavaScript call, which could be read by anyone.

    This is a highly privileged token, and we strongly recommend that you do not send it to an end-user client.

    So I've read the solution is a down-scoped token, but the only way I've found to get it is with cURL as in https://developer.box.com/guides/authentication/tokens/downscope/ documentation page. The problem is that this token expires very soon, and for the website we need a non expiring token. How could we get that? Is there any way to retrieve a non-expiring down-scoped token?

    Thanks in advance

    0
    Comment actions Permalink
  • Peter Christensen

    Glad you got it working. With regards to a non-expiring downscoped token, I don't think this is possible currently, but I will check and get back to you

    0
    Comment actions Permalink
  • Juan Olalla

    Thanks Peter, any news about this? I think this is very important, because without a non-expiring downscoped token, and the primary access key not being secure for a website, there is no way to just embed permanently a video, and just the video, in a website like we can normally with providers such as Vimeo or Youtube. We would have to store our videos in a different provider just for this.

    0
    Comment actions Permalink
  • Peter Christensen

    Hi Juan, there is currently no way of getting a non-expiring downscoped token regardless of token source. The only non-expiring token is the one that is generated as part of the limited access app.

    Best regards, Peter

    0
    Comment actions Permalink

Post is closed for comments.