Getting last login for all users using Python API

New post

Comments

8 comments

  • Chris Dascalos

    Hey Naima Personal,

    Is your organization using SSO for authentication at all? If so, this may impact your ability to determine "last login" since the user would not be required to "login" again they would request an updated access token and this might correspond with some other event happening like a Box Sync account refreshing a token or something along these lines. I am speculating and have not done enough research to speak confidently on this, just want to call it out as a possible false positive.

    However, the specific API that you are looking for here to assist in your search is the List User and Enterprise Events API.

    [https://developer.box.com/reference/get-events/]

    There are MANY event types and you can read about them at the below URL.

    [https://developer.box.com/reference/resources/event/]

    Maybe a token being generated (logging in) would be what you are looking to monitor for, and if so, then you could use the `USER_AUTHENTICATE_OAUTH2_ACCESS_TOKEN_CREATE` event. I might suggest something more meaningful though for the reason above and suggest looking for something like `ITEM_CREATE` or others to better determine whether or not the user is actually active in the system. This is dependent on your use case.

    When you are interacting with the API, you may want to ask for information for the entire enterprise, or create a User Access Token for a specific user. You can do this with the below header when making a request for an Access Token.

    [https://developer.box.com/guides/authentication/jwt/as-user/]

    Pair this with the List Enterprise Users API and you would be able to capture the information you are looking for and more.

    [https://developer.box.com/reference/get-users/]

    Hopefully this helps and happy coding!

    0
    Comment actions Permalink
  • Naima Personal

    Thank you so much, Mr. Chris Dascalos. These information are very helpful. 

    I will be going through all your recommendations. I believe I will need some follow-up help. I would really appreciate, if you could keep following this post for next 2 or 3 days(of course if your time permits).

    Thank you!  

    0
    Comment actions Permalink
  • Chris Dascalos

    Hey Naima Personal,

    No problem at all! I have my email notifications turned on for the thread so I will do what I can to respond if you have any additional questions or looking for clarification.

    Happy Coding!

    0
    Comment actions Permalink
  • Naima Personal

    Thank you so much! Appreciate it!

    0
    Comment actions Permalink
  • Naima Personal

    Hi Mr. Chris Dascalos, 

    Thank you for providing helpful links. Now, I'm able to get all the users that didn't login for last one year. That's what we wanted to get. However, you have mentioned about SSO. Our organization use SSO; and requires to login again after 24 hours. My question is, if user login via SSO, wouldn't it be recorded as LOGIN event? 

    One more thing, we don't want to hard code created_after parameter.

    "2012-12-12T10:53:43-08:00"

    So, here it represent year, month, day, hour, minute, second, but I'm not sure what does 08:00 mean. Could you please help me to understand this?

    Your help will be sincerely appreciated!

    0
    Comment actions Permalink
  • Chris Dascalos

    Hey Naima Personal,

    Single Sign On is an interesting one. I still have not played around with it enough to know for sure, but I will do my best to hypothesize. For the sake of conversation I am going to assume we are talking about Azure AD.

    When you "authenticate" with Microsoft, Microsoft is also acting as the Identity Provider (where your digital identity itself lives). Microsoft then gives your computer a token for use with services that you have "authorizations" for. Box could be one of those things. The token Microsoft gives you is NOT what Box uses. When you login to Box, Box is using an OAuth connection to Microsoft to ensure that you can prove your identity, and then Box issues you another token. The token that Microsoft and Box give you are different and both have different levels of "authorization" specific to the services they manage.

    You can be reasonably sure that this is the case by opening a private browser window (Google Chrome is not Private) and in our example navigating to a Microsoft Service and logging in. You will then be able to access Microsoft services with your identity successfully. However, as soon as you go to Box in that same private browser window, you will be asked to login AGAIN. This is because the services do not share authorizations, only authentication.

    Here is where the true limitation of my knowledge is. If you have Box Sync installed on a computer, it is refreshing its token all of the time to ensure that it can stay synced. I do not know if this counts as a unique login event for the user or if because the user is only forced to authenticate once and then refresh tokens are provided if that means a login event is not recorded. This is where clarification from someone on Box would be helpful, but I am going to go out on a limb / branch and say that I wouldn't imagine those events are logged.

    With all of that being said, logging in via Microsoft itself would not be captured as a login event within Box. Only when the user authenticates through Microsoft to get a Box token with authorizations would the login show up in the event stream.

    On to time, time is one of the most complicated things to adjust and account for. In the example that you provided, that is following an implementation of the ISO 8601 standard where the "-08:00" is an indication of the time zone in which the event occurred. In this case the "-08:00" indicates that the event happened in the Pacific Time Zone which is 8 hours behind the UTC standard which is the GMT time zone.

    [https://www.iso.org/iso-8601-date-and-time-format.html]

    [https://en.wikipedia.org/wiki/List_of_UTC_offsets#UTC%E2%88%9208:00,_U]

    Lots of information in here, but hopefully this helps in some way!

    Happy Coding!

    0
    Comment actions Permalink
  • Naima Personal

    Thank you so much, Mr. Chris Dascalos for taking out some of your valuable time and providing information in details.

    I have been learning a lot from your provided information. I sincerely appreciate all you help!

    Thank you!

    0
    Comment actions Permalink
  • Chris Dascalos

    Hey Naima Personal,

    No problem at all! Happy to help!

    Hopefully this has helped solve a problem and happy coding!

    1
    Comment actions Permalink

Post is closed for comments.