How do "refresh_tokens" and App Users work together?

Hello,

I'm integrating Box into our standalone rails Portal Web App using the Boxr SDK.

I can successfully get the SSL set up, and then get either an enterprise_token or a user_token depending on the request sent.

However, Boxr explicitly discusses the use of refresh tokens in two explicit ways: (scheduled refresh and automatic refresh):

"The next way is to use an access token retrieved after going through the OAuth2 process. If your application is going to handle refreshing the tokens in a scheduled way (more on this later) then this is the way to go.

client = Boxr::Client.new('v2eAXqhZ28WIEpIWeAJcmyamLLt77icP')  #a valid OAuth2 access token

# Boxr will raise an error if this token becomes invalid. It is up to your application to generate
# a new pair of access and refresh tokens in a timely manner.

If you want Boxr to automatically refresh the tokens once the access token becomes invalid you can supply a refresh token, along with your client_id and client_secret, and a block that will get invoked when the refresh occurs.

token_refresh_callback = lambda {|access, refresh, identifier| some_method_that_saves_them(access, refresh)}
client = Boxr::Client.new('zX3UjFwNerOy5PSWc2WI8aJgMHtAjs8T',
                          refresh_token: 'dvfzfCQoIcRi7r4Yeuar7mZnaghGWexXlX89sBaRy1hS9e5wFroVVOEM6bs0DwPQ',
                          client_id: 'kplh54vfeagt6jmi4kddg4xdswwvrw8y',
                          client_secret: 'sOsm9ZZ8L8svwrn9FsdulLQVwDizKueU',
                          &token_refresh_callback)

# By default Boxr will look for client_id and client_secret in your environment variables as
# BOX_CLIENT_ID and BOX_CLIENT_SECRET, respectively.  You can omit the two optional parameters above
# if those are present.

# You can provide another parameter called as_user. Read about what that means here: https://developers.box.com/docs/#users-as-user

# You can provide yet another parameter called identifier. This can be used, for example, to
# hold the id of the user associated with this Boxr client.  When the callback is invoked this value

I can't find any way to get a refresh token, either when using Boxr::get_enterprise_token or Boxr::get_user_token.

The documentation around the use of the refresh token with the SDK's seems incomplete. Can you please point me in the right direction?

alexmlee

2016年06月20日 15:32

Looks like App Users use the JWT authentication, which doesn't use refresh tokens

Murtza

2016年06月20日 16:16

You are correct. App Users use JWT authentication. Our OAuth 2 authentication model uses the refresh token and is designed to be used with Managed Users

This blog post might be helpful for your use case. It sounds like you have already figured out this step, but for other viewers of this thread Step 3 in the blog post shows how to generate an access token with JWT authentication using the Boxr gem. Step 5 in the blog post shows how to generate an embeddable preview link for file using the access token generated in Step 3.

コメント