Hello -
I am working on a custom application that requires the use of annotations on files. I am consistently running into issues with annotations. Our application utilizes JWT for authentication.
When attempting to downscope the access token with scopes needed for the UI elements + annotations, I consistently get “Insufficient permissions” for the downscoped token. Upon looking at the permissions for my file using the downscoped token, I notice that there are additional permissions that are not enabled despite following the scopes outlined in the documentation:
Downscoped access token (scopes: base_preview item_download item_upload annotation_edit annotation_view_all base_sidebar item_comment item_preview)
{
  "type": "file",
  "etag": "0",
  "permissions": {
    "can_download": true,
    "can_preview": true,
    "can_upload": true,
    "can_comment": true,
    "can_rename": false,
    "can_delete": false,
    "can_share": false,
    "can_set_share_access": false,
    "can_invite_collaborator": false,
    "can_annotate": true,
    "can_view_annotations_all": true,
    "can_view_annotations_self": true,
    "can_create_annotations": false,
    "can_view_annotations": false
  }
}
Using an access token that has never been downscoped will have those “can_create_annotations” and “can_view_annotations” permissions as true. The behavior with that token is that I can annotate just fine, but any downscoped token cannot perform annotations at all. I can’t figure out if that is causing the issue or I am missing something else. I’m using the box-annotations library alongside the content preview + sidebar via CDN.
So instead, I went to the “Annotator Token” workflow and it ends up never working. I always get the same error: {"error":"invalid_grant","error_description":"There was an error in the "actor_token". Algorithm not allowed"}, using the exact same steps to generate the assertion as the main access token (which works!). It’s being generated with the RS256 algorithm but it still rejects it. I was wondering if there was an issue with the assertion generated, but as it’s working fine to get the initial access token, I am just a little baffled.
Any advice or guidance would be greatly appreciated. I am not sure if this is the correct area to place this in.
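A small diagnostic for the "Algorithm not allowed" situation described above, added here as an example and not part of the original post or of Box's SDKs: it decodes the header and claims of the working client assertion and of the rejected actor token without verifying either, and reports which header fields and claim names differ, so you can see exactly what `alg`, `kid` and claims each JWT carries before sending it. The sample tokens, their claim names and the `box_sub_type` values are constructed placeholders, not a statement of what Box requires.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def inspect_jwt(token: str) -> dict:
    """Return the header and claims of a compact JWT without verifying it.
    Verification is skipped on purpose: this only shows what a client is
    about to send; it must never be used to decide whether to trust a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    return {"header": json.loads(_b64url_decode(parts[0])),
            "claims": json.loads(_b64url_decode(parts[1]))}

def diff_assertions(working: str, failing: str) -> dict:
    """Compare two JWTs: header fields whose values differ, and claim
    names present in only one of them."""
    w, f = inspect_jwt(working), inspect_jwt(failing)
    wh, fh = w["header"], f["header"]
    return {
        "header": {k: (wh.get(k), fh.get(k)) for k in set(wh) | set(fh)
                   if wh.get(k) != fh.get(k)},
        "only_in_working": sorted(set(w["claims"]) - set(f["claims"])),
        "only_in_failing": sorted(set(f["claims"]) - set(w["claims"])),
    }

def make_sample_jwt(header: dict, claims: dict) -> str:
    """Constructed, unsigned sample with a placeholder signature segment."""
    segs = [json.dumps(o, separators=(",", ":")).encode() for o in (header, claims)]
    return ".".join(_b64url_encode(s) for s in segs + [b"placeholder"])

# Constructed samples (not real Box tokens): a client assertion that works
# and an actor token that is rejected, to show how the diff reads.
SAMPLE_ASSERTION = make_sample_jwt(
    {"alg": "RS256", "typ": "JWT", "kid": "example-key-id"},
    {"iss": "client-id", "sub": "enterprise-id", "box_sub_type": "enterprise",
     "aud": "https://api.box.com/oauth2/token", "jti": "nonce-1", "exp": 1},
)
SAMPLE_ACTOR_TOKEN = make_sample_jwt(
    {"alg": "RS256", "typ": "JWT"},
    {"iss": "client-id", "sub": "external-user-1", "box_sub_type": "external",
     "aud": "https://api.box.com/oauth2/token", "jti": "nonce-2", "exp": 1, "name": "Jane"},
)
```

Run `diff_assertions(SAMPLE_ASSERTION, SAMPLE_ACTOR_TOKEN)` on your real tokens (header and claims only, never paste a private key) to see the `alg`, `kid` and claim differences side by side.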