Skip to main content

Hello -



I am working on a custom application that requires the use of annotations on files. I am consistently running into issues with annotations. Our application utilizes JWT for authentication.



When attempting to downscope the access token with scopes needed for the UI elements + annotations, I consistently get “Insufficient permissions” for the downscoped token. Upon looking at the permissions for my file using the downscoped token, I notice that there are additional permissions that are not enabled despite following the scopes outlined in the documentation:



Downscoped access token (scopes: base_preview item_download item_upload annotation_edit annotation_view_all base_sidebar item_comment item_preview)



{


    "type": "file",


    "etag": "0",


    "permissions": {


        "can_download": true,


        "can_preview": true,


        "can_upload": true,


        "can_comment": true,


        "can_rename": false,


        "can_delete": false,


        "can_share": false,


        "can_set_share_access": false,


        "can_invite_collaborator": false,


        "can_annotate": true,


        "can_view_annotations_all": true,


        "can_view_annotations_self": true,


        "can_create_annotations": false,


        "can_view_annotations": false


    }


}


Using an access token that has never been downscoped will have those “can_create_annotations” and “can_view_annotations” permissions as true. The behavior with that token is that I can annotate just fine, but any downscoped token cannot perform annotations at all. I can’t figure out if that is causing the issue or I am missing something else. I’m using the box-annotations library alongside the content preview + sidebar via cdn.



So instead, I went to the “Annotator Token” workflow and it ends up never working. I always get the same error {"error":"invalid_grant","error_description":"There was an error in the "actor_token". Algorithm not allowed"} - using the exact same steps to generate the assertion as the main access token (which works!). It’s being generated with the RS256 algorithm but it still rejects it. I was wondering if there was an issue with the assertion generated, but as it’s working fine to get the initial access token, I am just a little baffled.



Any advice or guidance would be greatly appreciated. I am not sure if this is the correct area to place this in.

Be the first to reply!

Reply


Terms & ConditionsCookie settings