Trouble generating (or identifying) the correct token for file upload

新規投稿

コメント

14件のコメント

  • BobFlynn-IU

    Hey ,

     

    You'll have a better shot getting this answered on the Box Developer Forum. Perhaps , could move the thread there.

     

    Bob 

    0
    コメントアクション パーマリンク
  • davemroz

    Thanks. I reposted at https://community.box.com/t5/Box-Developer-Forum/Trouble-generating-or-identifying-the-correct-token-for-file/m-p/52988#M4253/

     

    Feel free to lock, close, or delete this thread.

    0
    コメントアクション パーマリンク
  • mwiller

     By default, apps do not have permission to generate tokens for arbitrary users.  You'll need to ensure that the app has the "Generate User Access Tokens" feature toggled on in the Configuration tab in the Box Developer Console:

    Screen Shot 2018-03-12 at 5.44.00 PM.png

    Noe that changing this setting will also require the enterprise admin to reauthorize your app in any enterprises it is being used in.

    0
    コメントアクション パーマリンク
  • davemroz

    Thanks!

     

    That setting is certainly on in my profile.  I'll try reauthorizing the permissions, but I'm pretty sure I've done that.

    Two quick follow on questions:

    1) Is my logic/code otherwise correct? (assuming the need for reauthorization does the trick)?

    2) I have "perform actions as users" enabled.  Is that ok/correct?  

    0
    コメントアクション パーマリンク
  • mwiller

     I can't really speak to the correctness of your code by sight-reading it — you'll have to run it and see.  The "Perform Actions As Users" feature allows an admin or service account to impersonate other users by setting the "As-User" header.  If you're not using that header, you shouldn't need that setting to be turned on.

     

    Also, it looks like you're writing all of this in C# — is there something that prevented you from using the Box .NET SDK?  My team maintains that SDK, so if it's lacking some necessary functionality we would love to know!  The SDK should handle operations like file upload for you, so you don't need to worry about writing it all yourself.

    0
    コメントアクション パーマリンク
  • davemroz

    I really appreciate the insight.

     

    the code compiles and runs...but returns an error. If the line about generating the user token by id (email) is correct then I'm comfortable chasing down permissions errors in the portal. I've just been all over the place with code and errors that its getting confusing.

     

    As for the sdk, I am using it for the adminToken but tried to switch out so that i could more easily troubleshoot the process in a synchronous environment because it's an asp.net web application. I had that code working perfectly with a bearer token and then when I switched away to the auth keys things went sideways so i was trying to at least use part of what I knew was working to troubleshoot the entire thing because the async calls were causing issues.  If you happen to have an asp.net forms sample, I'll gladly dissect they to see if I can make my code work.

     

    Thanks again. It's much appreciated.

    0
    コメントアクション パーマリンク
  • mwiller

     I'm not sure if this is what you meant, but the user ID is NOT the user's email address.  It's their numeric ID — see the id file of the user object for more information.  One way you can get this ID by searching the users in the enterprise for the one with the email address you already know (using the filter_term parameter of that API endpoint).

    0
    コメントアクション パーマリンク
  • davemroz

    Ok, that was certainly part of the problem!  Putting in the correct UserID eliminated the initial error.


    But now I'm seeing the following:

    {"error":"invalid_grant","error_description":"Please check the 'sub' claim. The 'sub' specified is invalid."}

     

    Shouldn't that claim be automatically asserted when the AsUser parameter is defined when creating the AdminClient?

    0
    コメントアクション パーマリンク
  • mwiller

     The `sub` claim in the JWT should always be a Box ID — depending on the value of `box_sub_type` it would be either the ID of the user you're trying to generate tokens for, or the ID of the enterprise you're authenticating as the service account for.  There's an API guide on manually constructing JWT claims that has more information for you, in case you haven't seen it.  What sort of value are you currently using for `sub` and `box_sub_type`?

    0
    コメントアクション パーマリンク
  • davemroz

    Well, I tried to forget everything I've read and tried in the past few days and was just working through the sample code at https://github.com/box/box-windows-sdk-v2 trying to use just the libraries from nuget without manually constructing anything hoping that I could get this to work.

     

    If I just do the following, I get an error.

     

                var jsonConfig =
                    System.IO.File.ReadAllText(
                        "C:\\Users\\Dave\\Documents\\Visual Studio 2015\\Projects\\BoxTest\\BoxTest\\box.json");
    
                var boxConfig = BoxConfig.CreateFromJsonString(jsonConfig);
                var boxJwt = new BoxJWTAuth(boxConfig);
    
                // Authenticate
                var adminToken = boxJwt.AdminToken(); //valid for 60 minutes so should be cached and re-used
                var adminClient = boxJwt.AdminClient(adminToken);
    
                //get a user client
                var userToken = boxJwt.UserToken(UserId); //valid for 60 minutes so should be cached and re-used
                var userClient = boxJwt.UserClient(userToken, UserId);

     

    In this case shouldn't specifying the UserID automatically add the correct claims for JWT?

     

    The error is:

    {"error":"invalid_grant","error_description":"Please check the 'sub' claim. The 'sub' specified is invalid."}

     

     

    0
    コメントアクション パーマリンク
  • mwiller

     Definitely, the SDK should be making the request correctly.  I looked at the SDK code, and it basically just takes whatever string you pass it for the user ID and puts that in the sub claim.  What is the actual value of UserId in this case?  It should generally look like a string of digits, e.g. "12345678".

    0
    コメントアクション パーマリンク
  • davemroz

    private const string UserId = "532374";

    0
    コメントアクション パーマリンク
  • davemroz

    Per fiddler request (body)

    grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer

     

    and raw response:

    HTTP/1.1 400 Bad Request
    Date: Tue, 13 Mar 2018 23:41:29 GMT
    Content-Type: application/json
    Content-Length: 109
    Cache-Control: no-store
    Strict-Transport-Security: max-age=31536000
    Set-Cookie: box_visitor_id=5aa861a75e9cd0.81480970; expires=Wed, 13-Mar-2019 23:41:29 GMT; Max-Age=31536000; path=/; domain=.box.com; secure
    Set-Cookie: bv=OPS-42232; expires=Tue, 20-Mar-2018 23:41:29 GMT; Max-Age=604800; path=/; domain=.app.box.com; secure
    Set-Cookie: cn=0; expires=Wed, 13-Mar-2019 23:41:29 GMT; Max-Age=31536000; path=/; domain=.app.box.com; secure
    Set-Cookie: site_preference=desktop; path=/; domain=.box.com; secure
    Age: 2
    Connection: keep-alive

    {"error":"invalid_grant","error_description":"Please check the 'sub' claim. The 'sub' specified is invalid."}

    0
    コメントアクション パーマリンク
  • mwiller

     Since your ID looks valid, I suspect this might be an issue with the actual user you're trying to generate tokens for.  Can you verify the following for me?

     

    1) The user ID is actually correct and points to the user you expect it to

    2) That user is either an app user or a managed user in your enterprise

     

    The second one is pretty important — the user MUST belong to the enterprise that authorized your app, and cannot be a free user or personal account not associated with the enterprise.

    0
    コメントアクション パーマリンク

サインインしてコメントを残してください。