"as-user" Header throws "403Forbidden" in OAuth2.0/Custom-Application/Web-Integration

Hi @sarin-vt

With the information you sent us, it should work fine.

Assuming the access token has been granted to the Admin/Co-admin user, obtained after you set the Make API calls using the as-user header.

To exemplify:

curl --location 'https://api.box.com/2.0/users/me?fields=id%2Ctype%2Cname%2Clogin' \

--header 'Authorization: Bearer pi...ux'

Returns:

{

    "type": "user",

    "id": "18622116055",

    "name": "Rui Barbosa",

    "login": "barduinor@gmail.com"

}

With the as user:

curl --location 'https://api.box.com/2.0/users/me?fields=id%2Ctype%2Cname%2Clogin' \

--header 'as-user: 22240545678' \

--header 'Authorization: Bearer pi...ux'

Returns:

{

    "type": "user",

    "id": "22240545678",

    "name": "Wholesale User",

    "login": "barduinor+wh@gmail.com"

}

Notice the same bearer token is being used.

See if in your use case the call to the /users/me endpoint can help you diagnose the issue.

Hi @rbarbosa,

Thanks for your quick response. I just tried the curl example you posted above.

Without as-user header, I received the user details as expected, but I am getting an empty response, when I add the as-user header.

With Postman and Node-Sdk, I was getting 403 errors.

Can you check if i am missing something in my application or authentication types.??

Also I found this post in StackOverflow - box api - Using As-User in Box Request - Stack Overflow, which says We need approval from BOX to use the as-user header.

Thanks, Sarin

Hi @sarinvt

I’m sure I’m missing something obvious here…

The users that you are trying to impersonate with the as-user header, what type of users are they, are they human (AKA managed users), app users, service accounts perhaps?

if you do something like this using your as-user users ids, what do you get?

curl --location 'https://api.box.com/2.0/users/22240545678?fields=id%2Ctype%2Cname%2Clogin' \

--header 'Authorization: Bearer 4T...UzJ'

Example of a managed user:

{

    "type": "user",

    "id": "22240545678",

    "name": "Wholesale User",

    "login": "barduinor+wh@gmail.com"

}

Example of a service account:

        {

            "type": "user",

            "id": "18662356345",

            "name": "Administrator",

            "login": "AppUser_1715931_vt8XOps1Ff@boxdevedition.com"

        },

Example of an app user:

        {

            "type": "user",

            "id": "29598609450",

            "name": "Test APP User",

            "login": "AppUser_1841316_GlefZmyT1g@boxdevedition.com"

        },

As for the stack-overflow note, it’s from 2016…

I use the free developer account to do these tests and I was not required to send any email to enable the as-user.

This is how I have my application configured:

No Web App integration:

Do you have a single application configured, OAuth 2.0 + Web app integration or 2 distinct apps created, one for your Admin/co-admin and another for the web integrations?

Hi @rbarbosa

1. The user an try as-user is a normal human user., with Role - Member, I just ran the curl to get user details and copied the response below.

{

    "type":"user",

    "id":"340.....7",

    "name":"Aarya",

    "login":"aarya@fe...re.com"

}

2. I used the curl command again for /users/me and copied the response below,

This returned my user details as expected. My account’s Role - “Co-Admin”.. I used my account to authorize box and saved the AccessToken and Refresh token in database. My AccessToken is being used to access all these APIs.

{

     "type":"user",

     "id":"337...3",

     "name":"Sarin VT",

     "login":"sarin.vt@fe...re.com"

}

3. I have a single application configured, OAuth 2.0 + Web app integrations, and My configurations looks same yours.

I hope the above details help you figureout the issue.

Thanks, Sarin

Hi,

Well, it seems those are normal, human users.

Can you experiment by creating a new temporary OAuth 2.0 application, without the web integration part, to see if the as-user works as expected?

Hi @rbarbosa,

Just to give you an update. For the same application, when I used the “developer token”, I am able to work with “as-user” headers.

Thanks, Sarin

Hi @rbarbosa,

As you suggested, I just created a new “Test App”.

Generated new access-token using - new App’s clientId and Secret.

I haven’t configured any Web-Integrations in this application.

I am still facing same error, When I add as-user header it returned empty in curl.

Without as-user it returned my account details as expected.

Thanks, Sarin

That is an interesting data point.

When you create a developer token in the developer console, the underlying security context is the same as the user logged into box.com.

However from your screen shots it seems to be the same user (sarin_vt@…) as the other tests that do not works.

At this point we are spinning out wheels.

I see 2 options here:

• create a support ticket


• we jump on a call an try to diagnose this further.

If you want to explore this route, I’m on EST (UTC-4), could you send me a private message with your email and availability for the next few days?

Hi @rbarbosa , Thanks for you quick response.

This is urgent and high priority for us. I am on IST, but I can make myself available at your convenient time.

Thanks, Sarin

Great talking to you @sarin-vt !

Good luck for the project!

This topic was automatically closed 4 days after the last reply. New replies are no longer allowed.