
Permission issues with Annotations with downscoped tokens


Hello -


I am working on a custom application that requires the use of annotations on files. I am consistently running into issues with annotations. Our application utilizes JWT for authentication.


When attempting to downscope the access token with scopes needed for the UI elements + annotations, I consistently get “Insufficient permissions” for the downscoped token. Upon looking at the permissions for my file using the downscoped token, I notice that there are additional permissions that are not enabled despite following the scopes outlined in the documentation:


Downscoped access token (scopes: base_preview item_download item_upload annotation_edit annotation_view_all base_sidebar item_comment item_preview)


{
    "type": "file",
    "etag": "0",
    "permissions": {
        "can_download": true,
        "can_preview": true,
        "can_upload": true,
        "can_comment": true,
        "can_rename": false,
        "can_delete": false,
        "can_share": false,
        "can_set_share_access": false,
        "can_invite_collaborator": false,
        "can_annotate": true,
        "can_view_annotations_all": true,
        "can_view_annotations_self": true,
        "can_create_annotations": false,
        "can_view_annotations": false
    }
}


Using an access token that has never been downscoped will have those “can_create_annotations” and “can_view_annotations” permissions as true. The behavior with that token is that I can annotate just fine, but any downscoped token cannot perform annotations at all. I can’t figure out if that is causing the issue or I am missing something else. I’m using the box-annotations library alongside the content preview + sidebar via cdn.


So instead, I went to the “Annotator Token” workflow and it ends up never working. I always get the same error {"error":"invalid_grant","error_description":"There was an error in the "actor_token". Algorithm not allowed"} - using the exact same steps to generate the assertion as the main access token (which works!). It’s being generated with the RS256 algorithm but it still rejects it. I was wondering if there was an issue with the assertion generated, but as it’s working fine to get the initial access token, I am just a little baffled.


Any advice or guidance would be greatly appreciated. I am not sure if this is the correct area to place this in.

0 replies
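An added example, not from the original post or from Box: a small Python helper that builds the token-exchange body used to downscope a Box access token to one file, and then diffs the permissions object returned for that file against what the requested scopes are expected to enable, so a gap like the one above is reported by name instead of surfacing later as "Insufficient permissions". The scope-to-permission mapping is an assumption for illustration, not Box's own table.

```python
import json
from urllib.parse import urlencode

# Scope -> file-permission flags each scope is expected to switch on.
# Assumed mapping for illustration (based on the post), not Box's own table.
EXPECTED_BY_SCOPE = {
    "item_download": ["can_download"],
    "item_upload": ["can_upload"],
    "item_preview": ["can_preview"],
    "item_comment": ["can_comment"],
    "annotation_edit": ["can_annotate", "can_create_annotations"],
    "annotation_view_all": ["can_view_annotations_all", "can_view_annotations"],
}

BOX_TOKEN_URL = "https://api.box.com/oauth2/token"

def build_exchange_body(subject_token, scopes, file_id):
    """Form body for the token-exchange (RFC 8693) call Box uses to downscope.

    The result is POSTed to BOX_TOKEN_URL; the resource field pins the new
    token to a single file so it cannot be used against other content.
    """
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token": subject_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "scope": " ".join(scopes),
        "resource": f"https://api.box.com/2.0/files/{file_id}",
    })

def missing_permissions(file_json, scopes):
    """Flags the requested scopes should have enabled but that the file's
    permissions object (as returned by GET /files/:id) reports false/absent."""
    perms = file_json.get("permissions", {})
    expected = {p for s in scopes for p in EXPECTED_BY_SCOPE.get(s, [])}
    return sorted(p for p in expected if not perms.get(p, False))

# Constructed sample: the permissions the post shows for the downscoped token.
SAMPLE_FILE = json.loads("""{"type": "file", "etag": "0", "permissions": {
  "can_download": true, "can_preview": true, "can_upload": true,
  "can_comment": true, "can_annotate": true, "can_view_annotations_all": true,
  "can_view_annotations_self": true, "can_create_annotations": false,
  "can_view_annotations": false}}""")
REQUESTED = ["base_preview", "item_download", "item_upload", "annotation_edit",
             "annotation_view_all", "base_sidebar", "item_comment", "item_preview"]

if __name__ == "__main__":
    print(build_exchange_body("<primary-access-token>", REQUESTED, "<file-id>"))
    print("missing:", missing_permissions(SAMPLE_FILE, REQUESTED))
```

Run the check against the real GET /files/:id?fields=permissions response obtained with the downscoped token before handing that token to the preview UI.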
