
I have created an application with Client Credentials Grant, and when I am trying to use it with box_subject_type=user, I am getting a “Grant credentials are invalid” error.



I have checked the client ID, client secret and user ID. Also, I have checked App Access Only, as I am trying with the user subject type.



Note: I am using a newly created free account without any subscription or trial.

Hi, welcome to the forum!



Sorry, CCG is not currently working for free accounts.



Take a look below for some explanations and workarounds:







Let us know how we can help; sometimes temporarily using OAuth serves as a workaround.



We even created a quick start app for this (in Python):







Cheers


Hey @rbarbosa,


Thanks for the quick response. The problem is that an OAuth 2.0 application needs user interaction, which I do not want. Also, I have checked with a JWT token with box_sub_type “user” and it throws a “Please check the ‘sub’ claim. The ‘sub’ specified is invalid.” error. So, is it expected behavior for a free account in a JWT app?


Hi,



About OAuth, you are correct of course; however, the point is temporarily…


If you do a quick test with the app, you’ll notice that it will ask for the user authorization to the app once, and then caches the access token and refresh token. After this one time authorization it continues to cache the new tokens.



The access token is valid for 60 minutes while the refresh token is valid for 60 days. This means that if the application is used at least once every 60 days, you won’t get the user authorization prompt again.



However, this is only a workaround to get you going; later you can easily replace the OAuth authentication with JWT or CCG.



About JWT and CCG authentication in Box, these won’t work for free accounts because they need to be authorized in the admin console and the free accounts do not have access to the admin console.



Just for illustration, this is a 2-step process.


First you submit the app for approval in the developer console:




and then the administrator has to approve the app in the administration console:




If the OAuth workaround really doesn’t work for you, what other options can you consider?



If you are working for an entity which already is a Box enterprise customer, then you can request them to create a sandbox, which has no limitations.



Other options include a free trial of a business plan or a $20/month business plan.



Can you give us a bit more context on what your project is?



Cheers


@rbarbosa, no problem, currently I have found one workaround for this issue using an OAuth application. But I just want to confirm: are you planning to add support for JWT/CCG in the future for the free account, as you mentioned a temporary solution?



About my project: I am writing an automation script to fetch file content from the Box server, and then I am planning to deploy it on a cloud server. So, to run the script, I am just passing the client creds and then starting the automation script. So, currently I am trying to avoid user interaction as much as possible.



Thanks.


Great!



And yes, the fully functional free developer account should be back at some point.



Our engineering is currently finding ways to prevent the abuse reported, while still keeping the full developer functionality.



Cheers


@rbarbosa, I have enabled my 15-day trial for an Enterprise Account. But after generating an access token with CCG, I am unable to get the data. When I list the folder items using https://api.box.com/2.0/folders/0/items, it shows 0 entries in the response (with a 200 response), but when using a developer token I get the full response.



Do I need to add any permissions to fetch the files? Currently I have marked the below two checkboxes.



Hi there, this is expected.



It all depends on which user you are authenticating with CCG. Note the small print where it says:





Access to content is further restricted by the users’ permission and Access Token used.





Here are some scenarios.



Using:





  • box_subject_type = enterprise


  • box_subject_id = 877840855




curl --location 'https://api.box.com/2.0/users/me?fields=id%2Ctype%2Cname' \
--header 'Authorization: Bearer j5...Vg'



Outputs



{
  "type": "user",
  "id": "20706451735",
  "name": "CCG"
}



and the root folder items:



curl --location 'https://api.box.com/2.0/folders/0/items' \
--header 'Authorization: Bearer j5...Vg'



outputs:



{
  "total_count": 0,
  "entries": [],
  "offset": 0,
  "limit": 100,
  "order": [
    {
      "by": "type",
      "direction": "ASC"
    },
    {
      "by": "name",
      "direction": "ASC"
    }
  ]
}



This means the service user CCG has no files in their root folder.



Any account won’t be able to see content from another account unless it has been explicitly shared between them.



However, service accounts have a superpower: they can impersonate another managed user.


You can do this 2 ways: use the as-user header to impersonate another user, or log in directly with that user, if you have these configurations active:





Let’s start with the `as-user`:



curl --location 'https://api.box.com/2.0/users/me?fields=id%2Ctype%2Cname' \
--header 'as-user: 18622116055' \
--header 'Authorization: Bearer j5...Vg'



Outputs:



{
  "type": "user",
  "id": "18622116055",
  "name": "Rui Barbosa"
}



Listing root folder items:



curl --location 'https://api.box.com/2.0/folders/0/items?fields=id%2Ctype%2Cname' \
--header 'as-user: 18622116055' \
--header 'Authorization: Bearer j5Vg'



Outputs:



{
  "total_count": 31,
  "entries": [
    {
      "type": "folder",
      "id": "220421706333",
      "etag": "0",
      "name": "A_Class"
    },
    ...
    {
      "type": "file",
      "id": "1010742636771",
      "etag": "1",
      "name": "This is a box note.boxnote"
    },
    {
      "type": "web_link",
      "id": "22625801630",
      "etag": "0",
      "name": "Shared Folder - GBP Order Forms"
    }
  ],
  "offset": 0,
  "limit": 100,
  "order": [
    {
      "by": "type",
      "direction": "ASC"
    },
    {
      "by": "name",
      "direction": "ASC"
    }
  ]
}



Similar results can be obtained if you get the token for the CCG app using:





  • box_subject_type = user


  • box_subject_id = 18622116055




curl --location 'https://api.box.com/2.0/users/me?fields=id%2Ctype%2Cname' \
--header 'Authorization: Bearer Maf...cpY'



Outputs:



{
  "type": "user",
  "id": "18622116055",
  "name": "Rui Barbosa"
}



If you are using one of our SDKs, they have built-in support for both the as-user and the box_subject_type.



Let us know if this helps, cheers!


@rbarbosa Thanks for the quick response. I have tried both ways, but I am getting the below error while using as-user:



{
  "type": "error",
  "status": 403,
  "code": "access_denied_insufficient_permissions",
  "help_url": "http://developers.box.com/docs/#errors",
  "message": "Access denied - insufficient permission"
}



I have added the below two permissions and reauthorized my app.





And also, for the next solution, I am getting the below error while generating the token: {"error":"invalid_grant","error_description":"Grant credentials are invalid"} (I am able to generate a token with box_subject_type=enterprise).



Let me know if I am missing something.



Thanks


Working fine!!! Forgot to change the App Access Level 😅



Again, thank you so much for your help.
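
Added example, not part of any post in this thread and not Box's own code: a Python helper that builds the CCG token request for either subject type, sets the as-user header, confirms which user a token acts as from a /users/me response, and maps the three responses seen in this thread to the setting to check. The function names are hypothetical; the token endpoint URL, grant_type=client_credentials and the HTTP 400 status on invalid_grant are assumptions from Box's OAuth 2.0 API rather than from the thread, and the sample responses are constructed.

```python
import json
from urllib.parse import urlencode

TOKEN_URL = "https://api.box.com/oauth2/token"  # assumed: Box OAuth 2.0 token endpoint

def ccg_token_form(client_id, client_secret, subject_type, subject_id):
    """Form-encoded body to POST to TOKEN_URL for a CCG token."""
    if subject_type not in ("enterprise", "user"):
        raise ValueError("box_subject_type must be 'enterprise' or 'user'")
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "box_subject_type": subject_type,
        "box_subject_id": str(subject_id),
    })

def api_headers(access_token, as_user=None):
    """API headers; as-user makes a service-account token act as a managed user."""
    headers = {"Authorization": f"Bearer {access_token}"}
    if as_user is not None:
        headers["as-user"] = str(as_user)
    return headers

def acting_user_is(me_body, expected_id):
    """Check a /users/me response body before touching content with the token."""
    return json.loads(me_body).get("id") == str(expected_id)

def diagnose(status, body, subject_type, as_user=None):
    """Map the three responses seen in this thread to what to check."""
    data = json.loads(body)
    if data.get("error") == "invalid_grant" and subject_type == "user":
        return "user-subject token refused: check App Access Level and admin authorization"
    if status == 403 and data.get("code") == "access_denied_insufficient_permissions" and as_user is not None:
        return "as-user refused: check App Access Level, then reauthorize the app"
    if (status, data.get("total_count"), subject_type, as_user) == (200, 0, "enterprise", None):
        return "service account's own root is empty: use as-user or share content with it"
    return "not one of the cases in this thread"

# Constructed sample responses, shaped like the ones quoted in the thread.
SAMPLES = [
    (400, '{"error":"invalid_grant","error_description":"Grant credentials are invalid"}', "user", None),
    (403, '{"type":"error","status":403,"code":"access_denied_insufficient_permissions"}', "enterprise", "18622116055"),
    (200, '{"total_count":0,"entries":[],"offset":0,"limit":100}', "enterprise", None),
]

if __name__ == "__main__":
    for status, body, subject, as_user in SAMPLES:
        print(status, "->", diagnose(status, body, subject, as_user))
```

Calling acting_user_is on the /users/me response right after obtaining a token shows whether the script is running as the service account or as the intended managed user before it reads any files.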

