Unexpected access token restrictions
Hi,
Context
I am developing a custom app (client_id: 8zymxbbyb908n7nmhntdchh3nwi7u3o5), which is supposed to open a file for commenting etc, only using the box API. The service itself, including the oauth2 flow, is setup and seems to work properly.
Problem
When testing the app through typing this URL:
https://account.box.com/api/oauth2/authorize?response_type=code&client_id=8zymxbbyb908n7nmhntdchh3nwi7u3o5
box is prompting for a lot of permissions – see picture 1 – and everything seems to work well. The access token JSON returned has no attached restricted_to info.
Picture 1
However, when testing the app through right-clicking a file in box.com, Box only asks for "Read from file my file.mp4" permission, see picture 2.
Picture 2
This results in an access token with this attached object:
"restricted_to": [
{
"scope": "item_read",
"object": {
"type": "file",
"id": "815440821742",
"file_version": {
"type": "file_version",
"id": "873148946542",
"sha1": "2c585f32ecd2c08c3f8541901d49ed9893cc8f17"
},
"sequence_id": "1",
"etag": "1",
"sha1": "2c585f32ecd2c08c3f8541901d49ed9893cc8f17",
"name": "my file.mp4"
}
}
]
causing a 404 when asking to read the file's /tasks. /comments works for some reason.
Interestingly, the scope "item_read" is not listed as one of the possible scopes in the API docs: https://developer.box.com/reference/resources/access-token/#param-restricted_to-scope
My guess is that these two different ways to start the app gives different scoped access tokens.
My question is how to give my app a token that allows reading and writing comments and tasks, when launching by right-click and the Integrations menu.
I also attach some screenshots of app settings and integration settings (pictures 3 to 6).
Any help or clue is welcome!
Best regards,
Olov
Picture 3
Picture 4
Picture 5
Picture 6
-
One thing I discovered is that if I remove the #auth_code# query parameter in the integration (picture 1) and makes the frontend app redirect to this URL when missing an auth_code:
https://account.box.com/api/oauth2/authorize?response_type=code&client_id=${clientId}&redirect_uri=https://box.mydomain.dev
the user will be asked to give more privileges to the app and a new code will be sent received by the frontend app, hence getting /tasks will work. However this means that the user will be prompted about app access two times (picture 2 and picture 3), which seems wrong.
So, the question remains for me; how do we get box to ask for enough permissions when right-clicking a file and open in our integration!
Thanks in advance :)
Olov
Picture 1
Picture 2
Picture 3
サインインしてコメントを残してください。
コメント
2件のコメント