File and Folder permissions using client side upload & app users
We have successfully proved out an implementation to support client side uploads via the Box ContentUploader. Users of our application do not have their own Box.com accounts.
For the initial proof of concept we just used our Box application's Developer Token.
With the POC checking out, we've now moved toward the OAuth with JWT model using App Users as described in Create Your First App User. Per the docs, we should not use Service Accounts to make client-side requests. Instead we generate an access token scoped to an App User. This is working great!
My question: Should we create an App User for each of our users uploading files? We believe this may be the case, since we do not want the App User Access Token to provide even read access for others' folders. Can we scope the access token to ONLY upload, never read?
-
Hi,
Great question! Glad to hear the process is going well so far!
You sure can restrict those access tokens! Here's how:
https://developer.box.com/reference#token-exchange
https://developer.box.com/v2.0/docs/box-content-uploader#section-scopes
TL;DR you can downscope a token to have specific scopes - for the Content Uploader, it has its own scope called base_upload that you can use.
Generally, you'll want to create a 1:1 mapping of your application's users to an app user on Box, so as long as that makes sense for how you're implementing things, that's the way to go!
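As an added example that is not part of this thread or of Box's own SDK: a small server-side Python helper that performs the token exchange the links above describe, downscoping the App User access token to the `base_upload` scope and to one folder via the `resource` parameter, and then checking the `restricted_to` list in the response before the token is handed to the browser. The endpoint and form field names are those of Box's token-exchange API; the folder id, token value and sample response below are constructed placeholders.

```python
import json
import urllib.parse
import urllib.request

BOX_TOKEN_URL = "https://api.box.com/oauth2/token"
# The only scope the Content Uploader needs; no read/preview scope is requested.
UPLOAD_ONLY_SCOPE = "base_upload"


def build_downscope_request(app_user_token: str, folder_id: str) -> dict:
    """Form fields for Box's token-exchange (downscoping) request.

    `app_user_token` is the App User token obtained server-side through the
    JWT flow. The exchanged token is limited to base_upload and, through
    `resource`, to a single folder, so it cannot read other folders.
    """
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token": app_user_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "scope": UPLOAD_ONLY_SCOPE,
        "resource": f"https://api.box.com/2.0/folders/{folder_id}",
    }


def check_downscoped(token_response: dict, folder_id: str) -> bool:
    """Return True only if the exchanged token is confined as requested.

    Rejects a response with no restrictions at all, any scope other than
    base_upload, or any object other than the target folder, so a mistake
    in the request never results in a broader token reaching the client.
    """
    restrictions = token_response.get("restricted_to") or []
    if not restrictions:
        return False  # unrestricted token: never send it to the browser
    for entry in restrictions:
        if entry.get("scope") != UPLOAD_ONLY_SCOPE:
            return False
        obj = entry.get("object") or {}
        if obj.get("type") != "folder" or str(obj.get("id")) != str(folder_id):
            return False
    return True


def downscope_for_upload(app_user_token: str, folder_id: str) -> str:
    """Exchange the App User token for an upload-only, single-folder token.

    Makes the network call to Box and returns the token string that the
    Content Uploader in the browser should receive.
    """
    fields = build_downscope_request(app_user_token, folder_id)
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(BOX_TOKEN_URL, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        token_response = json.load(resp)
    if not check_downscoped(token_response, folder_id):
        raise RuntimeError("token exchange returned broader access than requested")
    return token_response["access_token"]


if __name__ == "__main__":
    # Offline demonstration with constructed values; no call to Box is made here.
    print(build_downscope_request("APP_USER_TOKEN_PLACEHOLDER", "123456"))
    sample = {  # constructed to mirror the shape of Box's token-exchange reply
        "access_token": "DOWNSCOPED_TOKEN_PLACEHOLDER",
        "restricted_to": [
            {"scope": "base_upload", "object": {"type": "folder", "id": "123456"}}
        ],
    }
    print("confined to upload on folder 123456:", check_downscoped(sample, "123456"))
```

The check function is the part worth keeping even if you use the Box SDK for the exchange itself: because each App User owns only its own folders and the token is further pinned to one folder with `base_upload`, a leaked browser token can at most add files to that folder.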