
My Box app is currently using JWT authentication, but I am not able to upload files or get files from my account. A service account was also generated for this app.

Hi Rakshita,


You're not giving us much to analyze...


Typically this situation means you are trying to access your personal folder using a service account to which you have not specifically granted access.


There are 2 options here: either you specifically grant access to the service account, or you use the service account "as-user" flag and ask the service account to impersonate you, which is preferred.


Consider this example in Python:


from boxsdk import JWTAuth, Client
from boxsdk.object.file import File


class CFG:
    """config class"""

    JWT_CONFIG_FILE = ".jwt.config.json"
    AS_USER = "18622116055"
    PARENT_FOLDER_ID = "0"  # folder id 0 is root folder


def get_box_client(as_user: bool = False):
    """get a box client"""
    auth = JWTAuth.from_settings_file(CFG.JWT_CONFIG_FILE)
    service_client = Client(auth)
    if not as_user:
        return service_client
    user = service_client.user(CFG.AS_USER)
    return service_client.as_user(user)


def print_items(items):
    """print items"""
    print("\n")
    print("Type\tID\tName")
    print("----\t--\t----")
    for item in list(items):
        print(f"{item.type}\t{item.id}\t{item.name}\t")


def main():
    """main function"""

    client = get_box_client(as_user=False)

    # print current user info
    user = client.user().get()
    print(f"Current User: {user.name}\tid:{user.id}")

    users = client.users()
    for user in users:
        print(f"User: {user.name}\tid:{user.id}\tlogin:{user.login}")

    # list files in parent folder
    items = client.folder(CFG.PARENT_FOLDER_ID).get_items()
    print_items(items)

    # client impersonating a user
    client_as_user = get_box_client(as_user=True)

    # print current user info
    user = client_as_user.user().get()
    print(f"Current User: {user.name}\tid:{user.id}")

    # list files in parent folder
    items = client_as_user.folder(CFG.PARENT_FOLDER_ID).get_items()
    print_items(items)

if __name__ == "__main__":
    main()
    print("\n")
    print("-" * 80)
    print("All Done!")

This will show you the service user (JWT app):


Current User: UI-Elements-Sample        id:20344589936

Then list all users visible to the service user (JWT app):


User: Administrator     id:18662105676  login:AppUser_1715931_Il2dcyHuqu@boxdevedition.com
User: Administrator     id:18662356345  login:AppUser_1715931_vt8XOps1Ff@boxdevedition.com
User: Administrator     id:18661971368  login:AppUser_1715931_xSifhdw6W7@boxdevedition.com
User: Investment User   id:22240548078  login:barduinor+inv@gmail.com
User: Wealth User       id:22240405099  login:barduinor+we@gmail.com
User: Wholesale User    id:22240545678  login:barduinor+wh@gmail.com
User: Rui Barbosa       id:18622116055  login:barduinor@gmail.com

and then list the contents of the service user's (JWT app) root folder (0):


Type    ID      Name
----    --      ----
folder  177388203339    100k
folder  198947288178    aaaa
folder  172599089223    Bookings
folder  163422716106    Box UI Elements Demo
folder  189803765719    ClassificationService
folder  198775845609    JWT Folder for UI Sample Apps
folder  172611202270    My Signed Documents
folder  198948099055    Shared with RB
folder  170845975022    Waivers
folder  176837925976    Webhook

However I'm interested in impersonating 18622116055 (Rui Barbosa), and that is what the below code does:


# client impersonating a user
client_as_user = get_box_client(as_user=True)

with this method:


def get_box_client(as_user: bool = False):
    """get a box client"""
    auth = JWTAuth.from_settings_file(CFG.JWT_CONFIG_FILE)
    service_client = Client(auth)
    if not as_user:
        return service_client
    user = service_client.user(CFG.AS_USER)
    return service_client.as_user(user)

Then when I ask who is the current user of the app, it becomes:


Current User: Rui Barbosa       id:18622116055

And then I can list all his root files as if he is logged in:


Type    ID      Name
----    --      ----
folder  172759373899    Barduino User Folder
folder  172599089223    Bookings
folder  162833533610    Box Reports
folder  163422716106    Box UI Elements Demo
folder  191176042455    Bulk Upload
folder  189803765719    ClassificationService
folder  195808887286    Customers
folder  199899255193    Exact Match
folder  185583279315    Internal Only Folder
folder  184121760895    it@plastimould.com - Managed User A's Files and Folders
folder  184901009434    malware-test-files
folder  191494027812    Media Samples
folder  156592455267    My Box Notes
folder  157064745449    My Sign Requests
folder  157065079893    My Signed Documents
folder  165803865043    Preview Samples
folder  172796453399    Shared Folder Public
folder  172797684789    Shared Folder Test
folder  172800574368    Shared with JWT
folder  198948099055    Shared with RB
folder  169427162522    UI Elements Demo
folder  199908799409    Uploads
file    1010742636771   This is a box note.boxnote
web_link        22625801630     Shared Folder - GBP Order Forms

Of course this also depends on how your JWT app is configured.


Hope this helps, let us know.


Best regards
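
Added example, not part of the original reply: the upload the question asks about, done through the same as-user impersonation, with a guard that only allows impersonating listed user IDs and confirms the effective user before writing. The allow-list, the helper names and `report.txt` are assumptions made for illustration; the user ID and config file name are the ones from the post.

```python
"""Upload as an impersonated user, with an allow-list guard (added example)."""
from pathlib import Path

JWT_CONFIG_FILE = ".jwt.config.json"  # same file name as in the post
# Assumption: only these user IDs may be impersonated by this script.
ALLOWED_AS_USER_IDS = frozenset({"18622116055"})


def service_client():
    """Build the service-account client (needs boxsdk and the JWT config file)."""
    from boxsdk import JWTAuth, Client  # lazy import: only needed for real calls
    return Client(JWTAuth.from_settings_file(JWT_CONFIG_FILE))


def impersonate(client, user_id: str):
    """Return an as-user client, refusing IDs outside the allow-list."""
    if user_id not in ALLOWED_AS_USER_IDS:
        raise PermissionError(f"impersonation of user {user_id} is not allowed")
    return client.as_user(client.user(user_id))


def upload_as_user(client, user_id: str, local_path: str, folder_id: str = "0"):
    """Upload local_path into folder_id as user_id; return (user id, file id)."""
    path = Path(local_path)
    if not path.is_file():
        raise FileNotFoundError(local_path)
    user_client = impersonate(client, user_id)
    # Confirm the API really sees us as the intended user before writing.
    me = user_client.user().get()
    if str(me.id) != user_id:
        raise RuntimeError(f"expected user {user_id}, got {me.id}")
    new_file = user_client.folder(folder_id).upload(str(path))
    return me.id, new_file.id


if __name__ == "__main__":
    # "report.txt" is a hypothetical local file.
    who, file_id = upload_as_user(service_client(), "18622116055", "report.txt")
    print(f"uploaded file {file_id} as user {who}")
```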

