Permission issues with Annotations with downscoped tokens

8 months ago
June 13, 2024
0 replies
79 views

user257
New Participant

Hello -

I am working on a custom application that requires the use of annotations on files. I am consistently running into issues with annotations. Our application utilizes JWT for authentication.

When attempting to downscope the access token with scopes needed for the UI elements + annotations, I consistently get “Insufficient permissions” for the downscoped token. Upon looking at the permissions for my file using the downscoped token, I notice that there are additional permissions that are not enabled despite following the scopes outlined in the documentation:

Downscoped access token (scopes: base_preview item_download item_upload annotation_edit annotation_view_all base_sidebar item_comment item_preview)

{

    "type": "file",

    "etag": "0",

    "permissions": {

        "can_download": true,

        "can_preview": true,

        "can_upload": true,

        "can_comment": true,

        "can_rename": false,

        "can_delete": false,

        "can_share": false,

        "can_set_share_access": false,

        "can_invite_collaborator": false,

        "can_annotate": true,

        "can_view_annotations_all": true,

        "can_view_annotations_self": true,

        "can_create_annotations": false,

        "can_view_annotations": false

    }

}

Using an access token that has never been downscoped will have those “can_create_annotations” and “can_view_annotations” permissions as true. The behavior with that token is that I can annotate just fine, but any downscoped token cannot perform annotations at all. I can’t figure out if that is causing the issue or I am missing something else. I’m using the box-annotations library alongside the content preview + sidebar via cdn.

So instead, I went to the “Annotator Token” workflow and it ends up never working. I always get the same error {"error":"invalid_grant","error_description":"There was an error in the "actor_token". Algorithm not allowed"} - using the exact same steps to generate the assertion as the main access token (which works!). It’s being generated with the RS256 algorithm but it still rejects it. I was wondering if there was an issue with the assertion generated, but as it’s working fine to get the initial access token, I am just a little baffled.

Any advice or guidance would be greatly appreciated. I am not sure if this is the correct area to place this in.

Be the first to reply!

Reply

Rich Text Editor, editor1

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

Cookie settings

We use 3 different kinds of cookies. You can choose which cookies you want to accept. We need basic cookies to make this site work, therefore these are the minimum you can select. Learn more about our cookies.

Basic
Functional

Normal
Functional + analytics

Complete
Functional + analytics + social media + embedded videos

Reply

Related topics

Box sign template problemicon

404 Error When Adding Sign Templateicon

Sender and Signer fields indistinguishable

Introducing: Template APIs for Box Sign!

Box Sign API Template Signers do not include label field in SDK'sicon

Most helpful members this week

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded

Cookie policy

Cookie settings