
Getting currently logged in User with Enterprise App

Answered

7 comments

  • tralston

    Let me further clarify that all we are looking to get is the UserID of the currently logged in user. Or if there's some other session/authentication token that is compatible with the BOX NodeJS SDK to identify a user that can then be impersonated with AsUser, that works too.

    0
  • kendomen

    If you have an email, you can get the userId like this:

     

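    // adminAPIClient is the JWT-authenticated client
    var email = 'ken.domen@nike.com';
    adminAPIClient.enterprise.getUsers({filter_term: email}, function (err, data) {
            if (err || data.entries.length === 0) {
                    // lookup failed, or no user matches this email
                    return console.error(err || 'no user found for ' + email);
            }
            var userId = data.entries[0].id;
            console.log(email + ": " + userId);
            // do whatever..
    });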
    0
  • tralston

    What if I have absolutely nothing? I wouldn't trust an email address, some user could figure that out, and enter someone else's email address. It needs to figure out who the authenticated user is without any input whatsoever from the user, i.e. only from the browser session data. It also needs to be cross-browser (Chrome, IE, Firefox, etc.).

    0
  • kendomen

    We use both oauth and jwt - https://github.com/kendomen/boxadmin/blob/master/app.js

     

    https://github.com/kendomen/boxadmin

     

    This is an example app that allows co-admins to run admin calls using jwt.

    0
  • tralston

    Thank you for a great example. I will look through this more. Am I understanding it correctly that you have two apps authenticating to Box? A JWT and an OAuth app? From the dev console, it looks like you have to choose one authentication scheme or another, but not both. If this is true, you have the user log in with the Express Passport-Box module (via the OAuth app), which then passes the user id info back to the nodejs server which uses a second app (JWT) to connect to the admin side of things. Am I far off?

    0
  • kendomen

    You're right.  I have 2 box applications used by one webapp. 

     

    We created this app to allow normal users (oauth) to be able to perform admin actions (jwt) because we needed to scale out our support team. 

     

    One is used to authenticate the user using oauth.

    The other is used to perform actions that are beyond the authenticated user's scope. 

     

    An example of an action is "update email address". 

    To do that, there are these steps:

         1.  transfer content from the old user to the new user

         2.  delete the old user

         3.  add email alias

         4.  update the alias to be the primary email

         5.  remove email alias

     

    migrate-users.png

    0
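The two-app flow described in the comment above, as an added sketch that is not code from the thread or from the boxadmin repository: the OAuth client tells the server who logged in, and the JWT client impersonates only that session-bound id. The function names, the `session.boxUserId` field and the stub clients are hypothetical; `users.get`, `CURRENT_USER_ID`, `asUser` and `asSelf` are Box Node SDK calls.

```javascript
// Added example. users.get(), CURRENT_USER_ID, asUser() and asSelf() are Box Node
// SDK calls; the function names and session.boxUserId are hypothetical.
// Step 1 (OAuth app): after the OAuth callback, ask Box who owns the token.
// The id comes from Box, never from a form field or query string.
async function rememberBoxUser(session, oauthClient) {
  const me = await oauthClient.users.get(oauthClient.CURRENT_USER_ID);
  session.boxUserId = String(me.id); // kept server-side in the session
  return session.boxUserId;
}

// Later requests take identity from the session only; req.body is ignored.
function actingUserId(req) {
  const id = req.session && req.session.boxUserId;
  if (typeof id !== 'string' || id === '') throw new Error('not signed in to Box');
  return id;
}

// Step 2 (JWT app): impersonate that user for one action. asUser() mutates the
// client, so use a fresh one per request, e.g. sdk.getAppAuthClient('enterprise', enterpriseId).
async function runAsSessionUser(req, makeAdminClient, action) {
  const client = makeAdminClient();
  client.asUser(actingUserId(req));
  try {
    return await action(client);
  } finally {
    client.asSelf();
  }
}

// Constructed stand-ins for the two SDK clients so the flow runs offline.
function fakeOAuthClient(id) {
  return { CURRENT_USER_ID: 'me', users: { get: async () => ({ id }) } };
}
function fakeAdminClient(log) {
  const c = { actingAs: null };
  c.asUser = (id) => { c.actingAs = id; log.push('asUser:' + id); };
  c.asSelf = () => { c.actingAs = null; log.push('asSelf'); };
  return c;
}

async function demo() {
  const session = {}, log = [];
  await rememberBoxUser(session, fakeOAuthClient('1111'));
  // The body names another user; it has no effect on who is impersonated.
  const req = { session, body: { userId: '9999' } };
  const seen = await runAsSessionUser(req, () => fakeAdminClient(log), async (c) => c.actingAs);
  return { seen, log };
}
demo().then((r) => console.log(r));
```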
  • tralston

    Thanks for the great explanation and example.

    0
