JWT service account: how to generate access tokens for individual user accounts

新規投稿

2017年07月20日 04:21

According to the docs, a service account allows to "generate OAuth 2.0 access tokens for individual user accounts, instead of going through the normal OAuth 2.0 flow."

I am unable to find any documentation on how to achieve this, i.e. given I've setup JWT authentication with the "generate access tokens" permissions, an enterprise admin has authorized my app, and there's a user account X belonging to that enterprise, I want to generate an access token that gives me files read/write access just for account X (so, identical to a user token that I would retrieve from account X if I had the account owner go through the normal Oauth2 flow)

I see there's a new "Tokens Exchange" functionality which I suppose I should use to get a properly scoped access token out of my service account token, but I see no way to specify the account that I want the new token to be valid for

4件のコメント

kendomen

2017年07月20日 06:47

Here's a java example for getting a managed user.

public static void main(String[] args) throws Exception {

        File keyFile = new File(PRIVATE_KEY_FILE);
        byte[] fileData = new byte[(int) keyFile.length()];
        DataInputStream dis = new DataInputStream(new FileInputStream(keyFile));
        dis.readFully(fileData);
        dis.close();

        String privateKey = new String(fileData);

        JWTEncryptionPreferences encryptionPref = new JWTEncryptionPreferences();
        encryptionPref.setPublicKeyID(PUBLIC_KEY_ID);
        encryptionPref.setPrivateKey(privateKey);
        encryptionPref.setPrivateKeyPassword(PRIVATE_KEY_PASSWORD);
        encryptionPref.setEncryptionAlgorithm(EncryptionAlgorithm.RSA_SHA_256);

        IAccessTokenCache accessTokenCache = new InMemoryLRUAccessTokenCache(MAX_CACHE_ENTRIES);

        BoxDeveloperEditionAPIConnection api = BoxDeveloperEditionAPIConnection.getAppEnterpriseConnection(
                ENTERPRISE_ID, CLIENT_ID, CLIENT_SECRET, encryptionPref, accessTokenCache);

        BoxUser.Info userInfo = BoxUser.getCurrentUser(api).getInfo();
        System.out.format("Welcome, %s!\n\n", userInfo.getName());

        Iterable managedUsers = BoxUser.getAllEnterpriseUsers(api, "ken.domen@nike.com");
        for (BoxUser.Info managedUser : managedUsers) {
            System.out.println(managedUser.getName() + " " + managedUser.getStatus());
            if (managedUser.getStatus().equals(BoxUser.Status.ACTIVE)) {

                // BoxDeveloperEditionAPIConnection. getAppUserConnection() is used to get AppUser or ManagedUser
                // in this example, I'm getting a managedUser (ken.domen@nike.com)
                BoxDeveloperEditionAPIConnection userApi = BoxDeveloperEditionAPIConnection.getAppUserConnection(managedUser.getID(), CLIENT_ID, CLIENT_SECRET, encryptionPref, accessTokenCache);

                BoxFolder boxFolder = new BoxFolder(userApi, "0");
                Iterable items = boxFolder.getChildren();
                for (BoxItem.Info item : items) {
                    if (item instanceof BoxFile.Info) {
                        BoxFile.Info fileInto = (BoxFile.Info) item;
                        System.out.println("\t" + item.getName());
                    }
                }
            }
        }
    }

dtheodor

2017年07月27日 08:37
Um ok. I suppose if I dig into the Java SDK implementation I will find out how to construct the appropriate HTTP calls? And this snippet gets a personal user token out of a service account token right?
0

コメントアクションパーマリンク
camporesi

2017年07月28日 01:17
I'm running the same code and it works for all the AppUser, but returns error 400 for the managed Users.

JAvadoc says that method getAppUserConnection is for AppUser only.

Should it work also for managed users ?
0

コメントアクションパーマリンク
kendomen

2017年07月28日 07:28
Yes it works for managed users as well. Do you have "Perform Actions as Users" enabled?
0

コメントアクションパーマリンク

サインインしてコメントを残してください。