Hi @Niladri
Does the user/service account associated with the token you downscoped actually have access to the item?
Hi @rbarbosa,
Yes, I am using service account, it does have access to the item. I am able to access the files present in the folder for which I have created downscoped token.
I have folder structure like A > B > C, where A is parent folder. I am generating a downscoped token for folder C.
The A folder is present on Box account (Note: The A folder is not present on service account). The A folder has given collaborator access to Service account.
Even if the A folder is in the Service account, I’m still getting the error.
Hi @rbarbosa /Team,
This is a critical issue currently we have, do you have any solution?
Regards,
Niladri
Hi @Niladri ,
I’m having trouble replicating your issue, and I’m forced to make a lot of assumptions, but I’m getting nowhere.
When you say widget, I’m assuming you’re talking about the Content Explorer UI Element, is that correct?
Also what are you using to downscope the token? Direct REST call, Python SDK, something else?
And the error shows only on the search, could you paste the error from the browser console?
Help me replicate the issue if you can.
Cheers
Hi @rbarbosa
As mentioned in the description, I am using Content Explorer UI Element and I am using Java SDK to downscope the token.
You can replicate the issue by following these steps:
1. Create a custom app with JWT authentication and give the following permissions
2. Create a box connection using Service account
BoxDeveloperEditionAPIConnection api = BoxDeveloperEditionAPIConnection.getAppEnterpriseConnection(boxConfig, tokenCache);
3. Create a folder in service account
BoxFolder parentFolder = new BoxFolder(api, "0");
BoxFolder.Info childFolderInfo = parentFolder.createFolder("Demo Folder");
4. Generate downscoped token with the following scopes and
//replace folderId with above created folder Id
String resource = "https://api.box.com/2.0/folders/{{folderId}}";
List<String> scopes = new ArrayList<>();
scopes.add("item_preview");
scopes.add("item_upload");
scopes.add("base_explorer");
scopes.add("item_download");
scopes.add("item_rename");
scopes.add("item_delete");
//Use the connection object created in step 2
ScopedToken dsToken = api.getLowerScopedToken(scopes, resource);
String token = dsToken.getAccessToken();
//before using token in Content Explorer Widget add necessary origins in "Allowed origin" section of Box’s Custom App configuration
5. Use the downscoped token in the Content Explorer Widget.
6. The upload, preview, rename, download, delete operation on Content Explorer Widget should be working perfectly.
7. Try searching for any files in the search bar of Content Explorer Widget, it should show “insufficient scope” error in Header section of network tab.
I have no experience with Content Explorer. I will look into that.
Just to make sure this is not an SDK issue you could try and get downscoped token using CURL: https://developer.box.com/guides/authentication/tokens/downscope/
Hi @kberdychowski ,
This is not an SDK issue. Even if I generate downscoped token using curl, use it in Content Explorer, I’m still facing the same issue.
Hi @Niladri ,
I can’t replicate this behavior, I’m sure I’m missing something that sounds obvious for your use case but it is not clear for me.
So I downscoped the token to the customers folder:
And use it on the explorer, searching for “acme”
Of course the explorer now needs to start at the folder for which the downscope token has been created…
Other than this, I don’t see where it is failing.
Let us know if this has any applicability to your use case.
Hi @rbarbosa ,
Are you using custom app with JWT authentication?
If yes, may I know what are the configurations you have set for the same?
Hi @Niladri ,
No, that was postman OAuth.
However I tested with a JWT app and got your error.
Interestingly with both a shared folder from another user and an owned folder from the service account.
I may be missing something, but behavior is not expected, let me ping the UI Elements team and see what they have to say.
Cheers
Hi @rbarbosa,
It’s a relief to know that the issue has been successfully reproduced. I’m looking forward to hearing back from you.
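
For reporting the failure discussed in this thread (an "insufficient scope" error visible in the response headers of the search request), the following is an added example, not part of any post above and not Box's code. It parses a Bearer challenge in the RFC 6750 `WWW-Authenticate` format and sets it beside the scopes used for downscoping; the header string is constructed, and `parseBearerChallenge` and `diagnose` are hypothetical helper names.

```javascript
// Scopes used for downscoping in the reproduction steps of the thread.
const REQUESTED_SCOPES = [
  "item_preview", "item_upload", "base_explorer",
  "item_download", "item_rename", "item_delete",
];

// Constructed sample in RFC 6750 form; not captured from a Box response.
const SAMPLE_CHALLENGE =
  'Bearer realm="example", error="insufficient_scope", ' +
  'error_description="The request requires higher privileges than provided by the access token."';

// Parse the auth-params of a Bearer challenge. Quoted values may contain
// commas and backslash-escaped quotes, so a plain split(",") is not enough.
function parseBearerChallenge(header) {
  const m = /^\s*Bearer\b\s*(.*)$/is.exec(header || "");
  if (!m) return null; // missing header or a different auth scheme
  const params = {};
  const re = /([A-Za-z_][\w-]*)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))/g;
  let p;
  while ((p = re.exec(m[1])) !== null) {
    const value = p[2] !== undefined ? p[2].replace(/\\(.)/g, "$1") : p[3];
    params[p[1].toLowerCase()] = value;
  }
  return params;
}

// Summarise a failed response for a bug report.
function diagnose(status, header, requestedScopes) {
  const c = parseBearerChallenge(header);
  if (!c || !c.error) return { kind: "no-bearer-error", status };
  // RFC 6750 lets the server name the required scopes, but it is optional.
  const required = c.scope ? c.scope.split(/\s+/).filter(Boolean) : [];
  return {
    kind: c.error, // e.g. insufficient_scope, invalid_token
    status,
    description: c.error_description || "",
    scopeNamed: required.length > 0,
    missing: required.filter((s) => !requestedScopes.includes(s)),
  };
}

console.log(diagnose(403, SAMPLE_CHALLENGE, REQUESTED_SCOPES));
```

When `scopeNamed` is false, the response does not say which scope the request needed, so the report should include the raw header together with the scope list that was requested.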