
Hello -



I am working on a custom application that requires the use of annotations on files. I am consistently running into issues with annotations. Our application utilizes JWT for authentication.



When attempting to downscope the access token with scopes needed for the UI elements + annotations, I consistently get “Insufficient permissions” for the downscoped token. Upon looking at the permissions for my file using the downscoped token, I notice that there are additional permissions that are not enabled despite following the scopes outlined in the documentation:



Downscoped access token (scopes: base_preview item_download item_upload annotation_edit annotation_view_all base_sidebar item_comment item_preview)

    {
      "type": "file",
      "etag": "0",
      "permissions": {
        "can_download": true,
        "can_preview": true,
        "can_upload": true,
        "can_comment": true,
        "can_rename": false,
        "can_delete": false,
        "can_share": false,
        "can_set_share_access": false,
        "can_invite_collaborator": false,
        "can_annotate": true,
        "can_view_annotations_all": true,
        "can_view_annotations_self": true,
        "can_create_annotations": false,
        "can_view_annotations": false
      }
    }



Using an access token that has never been downscoped will have those "can_create_annotations" and "can_view_annotations" permissions as true. The behavior with that token is that I can annotate just fine, but any downscoped token cannot perform annotations at all. I can't figure out if that is causing the issue or if I am missing something else. I'm using the box-annotations library alongside the content preview + sidebar via CDN.



So instead, I went to the "Annotator Token" workflow and it ends up never working. I always get the same error: {"error":"invalid_grant","error_description":"There was an error in the \"actor_token\". Algorithm not allowed"}, using the exact same steps to generate the assertion as for the main access token (which works!). It's being generated with the RS256 algorithm, but it still rejects it. I was wondering if there was an issue with the assertion generated, but as it's working fine to get the initial access token, I am just a little baffled.



Any advice or guidance would be greatly appreciated. I am not sure if this is the correct area to place this in.
