Question

Can't Get Parent of Collaboration File After Token Refresh

  • May 21, 2025
  • 2 replies
  • 54 views


I have two Box users. Box user A creates a folder and a document within that folder and adds Box user B as a collaborator on the folder.

 

I then grant access to user B's Box account to my application. The resulting access token is token 1. Using token 1, I can query for the file info for the file that user B is a collaborator on. Notice that the json contains entries in the "path_collection" and the "parent" field is not null:

 

stephen@stephen:~$ curl https://api.box.com/2.0/files/removed for privacy98 -H "Authorization: Bearer "
{
  "type": "file",
  "id": "removed for privacy98",
  ...
  "path_collection": {
    "total_count": 3,
    "entries": [
      ...
    ]
  },
  ...
  "parent": {
    "type": "folder",
    "id": "removed for privacy0",
    "sequence_id": "0",
    "etag": "0",
    "name": "Inner"
  },
  ...
}

 

Now that I have verified that the parent is there, user B proceeds to use some functionality within my application that wants to look up the parent for a given file.

 

My application uses the Box Java SDK. The first thing that I notice is that the access token gets refreshed. We'll call this new token token 2. The second thing I notice is that my application fails because it couldn't find any parent information in the json it gets back from Box.

 

Log output from my application:

08:05:07,661 - Get user role for box file removed for privacy98 
08:05:07,661 - created boxFile 
08:05:07,661 - retrieving fileInfo 
08:05:08,277 - Refreshing Box access/refresh token for box user removed for privacy 
08:05:08,597 - getParent = None

Now, I try to do a manual cURL request again for user B with access token 2:

 

stephen@stephen:~$ curl https://api.box.com/2.0/files/removed for privacy98 -H "Authorization: Bearer "
{
  "type": "file",
  "id": "removed for privacy98",
  ...
  "path_collection": {
    "total_count": 0,
    "entries": []
  },
  ...
  "parent": null,
  ...
}

Why is the refreshed access token unable to retrieve parent information for the file? Box User B is still a collaborator on the file. Nothing has changed except for the access token. If I re-grant access and generate a completely new access/refresh token pair (we'll call it token 3), this new token 3 is able to get the parent for the file again.

 

Am I missing something? Are there some scopes that token 1 and 3 have that token 2 does not? Why does letting the Java SDK do its thing and refresh my token break my functionality?

2 replies


There is definitely something that isn't right here. The refreshed access token should have the same scopes as the original access token. And if a user is collaborated on a folder F, then they should be able to see that folder as the parent folder when querying any of its children.

 

Here are some things to try / questions to answer:

  • Before and after the refresh, can you make an API call for /users/me, to check that the user is the same before and after the refresh?
  • Can you tell why the SDK is doing a refresh? The access token is supposed to be good for an hour.
  • After the refresh, can you do an API query to get the list of items in your root folder? If the path_collection is indeed empty, you should see the file in your root folder, and you shouldn't be able to see the parent folders.
  • After the refresh, can you query the parent folder by its id? Can you see it, or do you get a 404? If you can see it, what happens if you query its list of items? Can you see the file?
  • What happens if you do the token refresh via curl? Using the new access token you got from curl, does the same problem occur?
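The before/after comparison the reply asks for can be scripted so the answer is a verdict rather than eyeballed JSON. The following is an added example, not code from the replier or from Box: it takes the /users/me and /files/{id} responses captured with the original token and with the refreshed token, and reports whether the account changed and whether the file's ancestry (path_collection and parent) became less visible. The sample responses are constructed here from the JSON in the question, with placeholder ids and invented folder names.

```python
import json

# Constructed sample responses modelled on the JSON shown in the question;
# the ids, login and folder names are placeholders, not real Box data.
ME_BEFORE = {"type": "user", "id": "USER_B_PLACEHOLDER", "login": "userb@example.com"}
ME_AFTER = {"type": "user", "id": "USER_B_PLACEHOLDER", "login": "userb@example.com"}

FILE_BEFORE = json.loads("""{
  "type": "file", "id": "FILE_ID_PLACEHOLDER",
  "path_collection": {"total_count": 3, "entries": [
      {"type": "folder", "id": "0", "name": "All Files"},
      {"type": "folder", "id": "OUTER_ID_PLACEHOLDER", "name": "Outer"},
      {"type": "folder", "id": "INNER_ID_PLACEHOLDER", "name": "Inner"}]},
  "parent": {"type": "folder", "id": "INNER_ID_PLACEHOLDER", "name": "Inner"}
}""")

FILE_AFTER = json.loads("""{
  "type": "file", "id": "FILE_ID_PLACEHOLDER",
  "path_collection": {"total_count": 0, "entries": []},
  "parent": null
}""")


def same_user(me_before: dict, me_after: dict) -> bool:
    """True when /users/me reports the same account before and after the refresh."""
    key_before = (me_before.get("id"), me_before.get("login"))
    key_after = (me_after.get("id"), me_after.get("login"))
    return key_before == key_after


def file_view_findings(before: dict, after: dict) -> list[str]:
    """List the ways the file's ancestry became less visible after the refresh."""
    findings = []
    if before.get("id") != after.get("id"):
        findings.append("responses describe different file ids")
    n_before = (before.get("path_collection") or {}).get("total_count", 0)
    n_after = (after.get("path_collection") or {}).get("total_count", 0)
    if n_after < n_before:
        findings.append(f"path_collection shrank from {n_before} to {n_after} entries")
    if before.get("parent") is not None and after.get("parent") is None:
        findings.append("parent was a folder before and is null after")
    return findings


def diagnose_refresh(me_before: dict, me_after: dict,
                     file_before: dict, file_after: dict) -> dict:
    """Combine the identity check and the visibility check into one verdict."""
    identity_ok = same_user(me_before, me_after)
    findings = file_view_findings(file_before, file_after)
    if not identity_ok:
        verdict = "different user after refresh: the wrong account's tokens are in use"
    elif findings:
        verdict = ("same user but narrower view: the refreshed token carries fewer "
                   "privileges than the original, so look at where it came from")
    else:
        verdict = "no difference: the refresh preserved the user's view"
    return {"same_user": identity_ok, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    print(json.dumps(diagnose_refresh(ME_BEFORE, ME_AFTER, FILE_BEFORE, FILE_AFTER), indent=2))
```

Feed it the real captures (with the token redacted) in place of the constructed dictionaries; the point of separating the identity check from the visibility check is that "same user, smaller view" points at token privileges, while "different user" points at token bookkeeping.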


Before and after the refresh, can you make an API call for /users/me, to check that the user is the same before and after the refresh?

 

I get identical JSON responses before and after the refresh.

 

Can you tell why the SDK is doing a refresh? The access token is supposed to be good for an hour.

 

In my experience, the Java SDK refreshes my token on the first request performed by a BoxAPIConnection object, no matter what. I strongly suspect this is a bug in the SDK, but I haven't had time to investigate the root cause yet.

 

After the refresh, can you do an API query to get the list of items in your root folder? If the path_collection is indeed empty, you should see the file in your root folder, and you shouldn't be able to see the parent folders.

 

I can with the original token, but not with the refreshed token. I get a 403 with this error header:

WWW-Authenticate: Bearer realm="Service", error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token."

 

This was a very revealing question. I think I found the root cause of my problem now. I recently modified the web action on my app to have Box provide an auth code query string parameter. I use this auth code to verify that I received an authentic Box request by exchanging it for a new access token. Apparently that token has very limited access to a user's data. I was accidentally overwriting the token I had stored in the database on my end with this new, limited access token, and this is why I was getting my original error.

 

It may be interesting to note that, even after fixing this bug in my system, I am still observing the buggy SDK behavior where it refreshes my token long before it needs to. However, now, the newly-refreshed token has all of the scopes it should.
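The root cause described in this reply is a token-bookkeeping bug: a token obtained only to verify a web-action request was written over the user's real token pair. The following is an added example, not code from the poster, the Box SDK or Box: it keeps the source of each token pair alongside the pair, refuses to replace a user-grant pair with a limited web-action one, performs the web-action verification without persisting its result, and parses the WWW-Authenticate header quoted above so that an insufficient_scope answer is recognised programmatically. The source labels, the TokenStore class and the fake_exchange stand-in are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Labels for where a token pair came from (names chosen for this example).
USER_GRANT = "user_grant"                  # normal per-user authorization (tokens 1 and 3 in the post)
WEB_ACTION_CODE = "web_action_auth_code"   # code on the web-action request, exchanged only to verify it


@dataclass(frozen=True)
class TokenPair:
    access_token: str
    refresh_token: str
    source: str


class TokenStore:
    """In-memory stand-in for the database row holding each user's token pair."""

    def __init__(self) -> None:
        self._by_user: dict[str, TokenPair] = {}

    def get(self, user_id: str) -> Optional[TokenPair]:
        return self._by_user.get(user_id)

    def save(self, user_id: str, pair: TokenPair) -> bool:
        """Persist a pair, but never replace a user-grant pair with a limited one."""
        current = self._by_user.get(user_id)
        if current is not None and current.source == USER_GRANT and pair.source != USER_GRANT:
            return False  # refused: this is the overwrite that caused the bug in the post
        self._by_user[user_id] = pair
        return True


def fake_exchange(code: str) -> TokenPair:
    """Stand-in for the real code-for-token exchange; constructed for this example."""
    if not code.startswith("valid-"):
        raise ValueError("code rejected")
    return TokenPair("limited-access-" + code, "limited-refresh-" + code, WEB_ACTION_CODE)


def verify_web_action(user_id: str, auth_code: str,
                      exchange: Callable[[str], TokenPair], store: TokenStore) -> bool:
    """Prove the web-action request came from Box by exchanging its code.

    The resulting limited token is discarded; store.save() is deliberately not
    called, so the user's stored pair is untouched whatever the outcome.
    """
    try:
        pair = exchange(auth_code)
    except ValueError:
        return False
    return pair.source == WEB_ACTION_CODE


def parse_www_authenticate(header: str) -> dict:
    """Split 'Bearer realm="...", error="...", ...' into its parameters."""
    scheme, _, params = header.partition(" ")
    out = {"scheme": scheme}
    out.update(re.findall(r'(\w+)="([^"]*)"', params))
    return out


def is_insufficient_scope(header: str) -> bool:
    """True for the 403 header quoted in the reply above."""
    return parse_www_authenticate(header).get("error") == "insufficient_scope"


if __name__ == "__main__":
    store = TokenStore()
    store.save("userB", TokenPair("tok1", "ref1", USER_GRANT))
    print("web action verified:", verify_web_action("userB", "valid-abc", fake_exchange, store))
    print("stored token still:", store.get("userB").access_token)
```

The design choice is to make the "limited" quality of a token part of the stored record rather than something remembered by the code path that obtained it; a later refresh then starts from the right pair, and an insufficient_scope response on a call that used to work can be logged as a token-source problem instead of a permissions problem.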