Accessing external folders

Hi , I'd stay away from the App Token and consider JWT or OAuth instead. 

The first question I'd try to answer is: "who" are you syncing this content for. If it's a real human being then I'd recommend they authenticate with OAuth 2.0 and you sync the files on their behalf using their own credentials. And yes, this does mean keeping the access token and refresh token fresh.

If you are instead syncing behalf of the enterprise or a service, and not a specific human Box user, then you should instead look into JWT. There are 2 ways to act on behalf of users with JWT. One is to use the `As-User` header (which you noticed doesn't work with external links), the other is to use JWT to create a `User Access Token`. 

https://developer.box.com/guides/authentication/jwt/user-access-tokens/

This method creates an access token / refresh token for the targeted user directly, rather than creating a service account access token and then using a header to act on behalf of another user.

 thank you for the response!

I am synching files on behalf of the enterprise.

To give more context, those files are CSV files that the App would essentially retrieve, parse, and update our Database.

That is the reason why I stayed away from OAuth 2.0.

I have been able to get one of your suggestions going: creating a "User Access Token" with JWT. The problem with that approach is that the app needs to be granted enterprise level access which is a really big scope. In other words, our app would be able to impersonate any users in our Box account when we only need it to impersonate only 1 user (the one that this external folder has been shared with.)

I have not been able to get the As-User working with JWT authentication, but will give it another go. I either got forbidden or not found errors. Even if that works, I assume the app will still need the same "enterprise level" access, is that correct?

 I understand your problem. You want to act on behalf of the enterprise, but only access one user's files. To do this I'd recommend going a slightly different route: inviting the service account of your JWT app as a user on the folder that will contain the files.

By sharing the folder with the JWT app's service account you don't actually need to act on behalf of any user, instead you just access files the JWT app has been explicitly invited to. Would that work?

 so this is the same approach I tried when I used the App Token method. I'll explain the workflow so please correct me if I am doing anything wrong.

1. I used the endpoint https://api.box.com/2.0/users/me to expose the Login of the app (an email like identity that ends in boxdevedition.com)
2. I request the external organization to share their folder with that Login

Now this worked perfectly when testing using an account that did not have Custom Terms of Service, but the organization that is sharing their folder with us has Custom ToS enabled.

That blocks the app from accessing the folder until accepting the ToS. I was not able to get the tos_id with App Token

Now, with the JWT approach:

1. Same thing as above, I get the Login value for the service account using the https://api.box.com/2.0/users/me endpoint
2. I share the folder from an external Box account (a dummy account I created to reproduce architecture) with that Login
3. I do see the pending invite using the https://api.box.com/2.0/collaborations?status=pending endpoint
4. I do see the terms of service id for that collaboration using https://api.box.com/2.0/collaborations/xxx?fields=acceptance_requirements_status -- this is actually a step further than I got using App Token as it wouldn't return the tos_id but with JWT, it does
5. I get an invalid user when attempting to create new ToS status for the service account using https://api.box.com/2.0/terms_of_service_user_statuses (invalid value 'xxx'. 'user' with value 'xxx' not found) where xxx is the id of the app I got from getting the current user info endpoint

And that's as far as I get

 just to add to my previous message.

So I tried yet another approach that got me one step further but still fails:

• Created an App User (instead of using service account)
• Share external folder with new App User
• App User is able to see the pending collaboration
• App User is able to see the requirements for collaboration
• The App is able to accept the Custom ToS for App User using the "As-User" header for App User ID (this is new)
• BUT App User fails the "user_has_two_factor_authentication_enabled" requirement, and thus unable to accept the pending collaboration of an external folder

Any help would be greatly appreciated. Thank you!

Ok in that case we have one final option I think: you create a managed user in your own enterprise instance and use your app to act on their behalf (this should work on enterprise level because it is in your own org, and you can accept the T&C in that case, as well as set up 2FA). 

One additional option would be to put things on its head, and instead have your app user share a folder they own with the managed user in your external enteprise.

Hi  thank you for all of your help.

The second option would have probably worked best.

In the end, the way we solved this was by having the App live on its own Box account with enterprise access. Since there's only 1 user, there's no longer that security concern that it can have access to all the users in our org.

The external organization shared their folder with that 1 user, the App impersonates it and has access.

Thank you!

👏 That works great too, especially if you only have one client to work with. If you had multiple enterprises you had to sync with this could get rather costly. 👍🏻