Our Use Case:
We are a SaaS vendor with security concious enterprise customers. We recommend that our customers connect their cloud storage provider (e.g., Google Drive) so that we can import configuration files and export report files. We would like to add Box to our list of supported cloud storage providers. We would be implementing a Box custom app.
Our current recommendation to our customers for other cloud storage providers:
- Create a cloud storage user account specifically for our app, with access only to folders intended for import/export.
- From within our application, the organization admin enables the integration to their cloud storage provider (we have a plugin/app concept).
- On integration enablement, we start an OAuth2 flow; the customer enters the user described above, and we obtain the temporary code (i.e., ?code=… on the redirect).
- We immediately send the temporary code to our server.
- The server exchanges the temporary code for a refresh token (i.e., this is to avoid the client_secret being exposed via our single page app).
- The refresh token is persisted in our database.
- Periodically, a daemon process will exchange the refresh token for an access token and check for new files in the import folder using the cloud storage API. Based on certain triggers, new files are uploaded to the export folder, once again by exchanging the refresh token for an access token and invoking the cloud storage API.
This seems to be similar to the service account (automation user) flow described in the Box documentation.
Our first question: should we implement the integration as we’ve outlined above, or should we use the service account flow?
If we are using the service account flow, is the following correct:
We would implement JWT authentication.
We would publish our app to the Box App Gallery.
A Box enterprise-admin for our customer would install and enable our Box app in their enterprise. This would give them a unique service user email address.
From within our app, the customer would enter the service user email address, which we would persist as part of their organization’s configuration.
Our daemon process and the triggered workflows would use the JWT server-to-server authentication.
We understand from blog posts that at the time this is being written, JWT authentication is not available via the free developer account. We don’t mind paying for a small enterprise for development; will a 3-user Business Start plan work, a 3-user Business plan, or something else?
If we are using the OAuth2 flow, we had some questions regarding the refresh token:
- We noted that a refresh token can only be exchanged once and that it expires after 60 days.
- We followed your docs and spun up the client-side OAuth flow pretty easily, but we haven’t implemented the server-side exchange, so we’re not sure exactly what the refresh token exchange looks like. Is it the case that each time you exchange a refresh token you receive an access code and a new refresh token? If so, is the new refresh token good for another 60 days? Other providers, have an additonal property access_type=offline that is passed on the initial OAuth request. This is not mentioned in your docs, will our server be able to exchange token without a browser?
Also, we would like to clarify the best practices we recommend to our customers. We recommend that reports be stored in their cloud storage account so that they then have complete control over the sharing and retention policy for these reports. For example, we generate reports that contain PHI and must be shared only with certain individuals. We advise our customers to share the export folder with the appropriate personnel using groups or role-based access control and that they use the data retention policies of the cloud storage provider to ensure that the reports are deleted after a certain period of time. Note that we are using “export folder” generically. There are sub-folders for different types of reports and they are typically produced daily with a date-based naming convention. Do you have any guidance for how our customers should configure their box account given this use case?