Skip to main content
Question

Confused regarding OAuth2 or Oauth with JWT, and restricting access to user

  • May 22, 2025
  • 2 replies
  • 60 views
C
Forum|alt.badge.img

I've scoured the forum for a bit and am still not quite sure if what I'm trying to do can't be done or if I'm simply confused.

 

Here is my scenario:

 

  • We have a user (UserX) in Box we created specifically to present folders to users and own an API app - like a service account.
  • Employees will drop files into UserXs folders. The sole purpose of UserX is for use to create folders other people will add folders to, either manually or via email attachments.
  • We would like to then use the API to pull those files programmatically and do something with them.
  • I'm currently authenticating via OAuth 2.0 with JWT. 

Our code/app should ONLY be able to access the UserX account, and it needs to be able to get to the folders visible in the console.

 

My understanding is that Application Access type 'Application' only deals with the backend service account, and that it's not possible via Access type 'Enterprise' to restrict the use of the 'as is' header. 

 

In a nutshell, I need our app to only have access to the UserX folder set. Is this something I can accomplish using the Standard OAuth 2.0 instead of using OAuth with JWT?

 

Ideally, it would rock to be able to approve an app for a set of folders/users etc, especially since the JWT portion just feels cleaner to code with, but this is all fairly new to me. Sorry if this is a repeat, and any help would be greatly appreciated!

 

    2 replies

    C
    Forum|alt.badge.img

    Hi ,

     

    This is a great question! What you're looking for is probably best done via Server Authentication (OAuth2 with JWT), using Application Access. 

     

    If you were to restrict access on Box side of things via Developer Console Settings, only Server Auth restricts a particular app (Client ID) to make calls for:

    1. Its Service Account, created when the app is authorized in the Admin Console
    2. Its App Users
    3. and no one else

    On the other hand, if you were to use Standard Authentication, there's not a way to restrict (whitelist) which users can get access tokens with your App when using Standard OAuth2. 

     

    One note that might help you here is the fact that there's two things that Box always checks for access:

    1. The App's scopes (users/files/folders/enterprise settings/etc)
    2. The User's "Point of View" with respect to collaborations

    You don't necessarily have to restrict everything from the App's side of things via scopes. Your Service Account/App Users will have their own access control based on their collaborations, and taking advantage of the ability to have multiple users is the recommended way to handle permissions. For example, if you created an App User under the Service Account (generally best practice to not use service accounts for storage), that app user would only ever have access to its own folder structure, and your application's code (using the client ID configured on Box to be restricted to Application Access only) would only ever have access to get tokens for your app user. 

     

    Hopefully that helps and enlightens things some!

     

    Thanks,

    Jason

     

    C
    Forum|alt.badge.img

    Very helpful, as I was fairly certain I understood application permissions, but your answer helped me dive in a bit deeper and code up some tests to verify that collaborative permissions rule in the end. Thanks again!

    Terms of ServiceAccessibility statement