新しいBoxサポートサイトへようこそ。 変更点の詳細はこちらをご確認ください .

JWT token - does not access BOX account

回答済み
新規投稿

コメント

14件のコメント

  • kendomen

    Is your app "As-User" enabled?

    0
    コメントアクション Permalink
  • kp_response

    Hi kendomen

    Thanks for reply

    Good question.

    To eliminate app permission being the issue I have checked that and every permission. I tried creating app users and using their tokens also without success.

     

    Below settings, all checked

    Content
    	Read and write all files and folders stored in Box
    
    Enterprise
    	Manage enterprise
    	Manage users
    	Manage app users
    	Manage groups
    	Manage enterprise properties
    	Manage retention policies
    	Manage webhooks v2
    
    Select the set of scopes you will request users authorize when using your app
    	Advanced Features: 	Perform actions on behalf of users
    	Generate access tokens for users 

     

    0
    コメントアクション Permalink
  • kendomen

    Have you authorized the jwt app ?

     

    auth.png

    0
    コメントアクション Permalink
  • kp_response

    Also a good thought. I checked and it was authorized. I reauthorized and tried api calls and same issue

     

    https://www.screencast.com/t/kR7g394rRQ

    0
    コメントアクション Permalink
  • kp_response

    BTW the working developer token is generated in the app settings ... so that leads me to believe that it IS using that app... and working. However when I use the JWT it fails.

    0
    コメントアクション Permalink
  • LoCortes

    Good afternoon kp,

     

    I would tell that given that you do not receive an error but an empty array of results mean that everything is correctly set up.

     

    So... where is your problem? Basically, I think that it is related to the user you are using or the authentication method. There are the Enterprise and the User authentication modes. I understand that you are using the second one with a technical user, is that right? The technical user is assigned to any of folder where you want to find content? If the user is not added as a previewer at least no result will be found.

     

    Thanks

    0
    コメントアクション Permalink
  • kp_response

    I think that would perfectly explain the behavior.

    I am using OAuth2.0 with JWT - so I tried the enterprise user ... box_sub_type=enterprise and tried box_sub_type=user.

    How would I assign the app user or app any permissions to any directory?

    0
    コメントアクション Permalink
  • LoCortes

    Hello kp,

     

    basically, if you have created an APPUser will have an ID that is an autogenerated mail like this one: 

    AppUser_000000_j0f0Z0RAS4 (at) boxdevedition (dot) com

     

    That mail can be used as any other user, so you go to any folder with your account, click add collaborator and paste that mail account with the desired privileges. That user has to be able to do any action is allowed to then.

     

    Hope this helps.

    0
    コメントアクション Permalink
  • kp_response

    Hallelujah that works - thanks!

     

    I really don't understand though how this is meant to work. The api does not let you assign permissions to the objects in the BOX account itself. So you would have to either make the user load stuff through your api itself to ever access it... or workaround the process itself by creating the app user and adding that user to the folders you want in scope.

    Do you know if there is a way to just add the app itself vs app user - as collaborator? Or add a group (as collaborator) then add the user to the group?

     

     

    0
    コメントアクション Permalink
  • LoCortes

    Hello Kp!

     

    I am glad that we hit the right key 😉

     

    I understand that there are two ways to face this situation as you said:

     

    - The app user is the one with the control. So, with this user you create folders and invite collaborators with different roles, being the APP User the Owner of those folders.

    - The app user has to be invited because it is not the owner. As you said, you can add the appuser on a group and then as any other user this will have access only to what has to have access. 

     

    Probably, the real situation can end on a hybrid situation. 

     

    I think that what really matters on this aspect is this piece of configuration:

    BoxScreen_AppConfig.png

     

    If the application has enterprise access then can access everything in theory.

     

    If you have chosen Application then it behaves as a regular user: can create stuff on its own account but has to be invited to do things on folders of others.

     

    Regards

    0
    コメントアクション Permalink
  • kp_response

    Just to add... I thought some of these ideas were a strange way to manage permissions... since it ignored the ACL and permissions already in BOX.

    A BOX support person suggested add As-User header https://docs.box.com/reference#as-user-1 .... which turns out is exactly what I need here.

    1. Generate the token using the "box_sub_type=enterprise"
    2. Assuming that your app is being used by BOX user... and you know which user that is - get that user's id
    3. Make calls (where needed) using that users id in the As-User header

    The api will use the already established BOX file permissions.

    0
    コメントアクション Permalink
  • DeniseSouza

    I have tried this approach and hit a wall, my Application access is set to Enterprise, my code sets the 'box_sub_type' property to 'enterprise' I have also authorized the app on Entreprise settings with all permissions, but everytime I set the header  'As-User:xxxxx' I get the error

    Bearer realm="Service", error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token."

    if I don't set the header then I get and empty list of folders.

    The accepted answer is ok, I haven't tried it as yet mainly because I think your solution should be the correct one.

    Do you have any suggestions on what else can I try?

     

    Kind Regards

     

    0
    コメントアクション Permalink
  • Murtza

     After updating application's permissions, did you re-authorize the application within the admin console? 

     

     eOdjhwY

    0
    コメントアクション Permalink
  • liquidlab1

    Hi loCortes,

     

    Can you please suggest me the way to create an user and link to the app. i couldn't re authorize the app. and i couldn't access the files within box account. please help us. 

    0
    コメントアクション Permalink

サインインしてコメントを残してください。