Question

Exchange an access token for an "as-user" token?

  • May 22, 2025

Hey,

Is it possible to downscope a full access token for a token that behaves as another user in my enterprise? Kind of like the As-User header but built into a token.

The reason I ask is because I'd like to make app-user accounts that will become members of certain groups, and I'd like to pass a token into Box UI Elements that would then display the root folder of these app-users with the correct collaboration folders & files visible.

Or is there a better approach that I missed in the docs?

5 replies


I'm gonna rephrase for clarity:

A JWT access token seems to recognize me as my service account, now I'd like a token that recognizes me as if I were another user in the enterprise. Does something like that exist?

If it doesn't exist, what would be the best way to go about showing the root folder of an app-user in Box UI Elements? How do I even find the id of a user's root folder?


Totally!

The way to do this is, instead of requesting a token for your "enterprise" (aka Service Account), to request one for your user. The general gist for that can be found here: https://developer.box.com/docs/work-with-users#section-generate-a-user-access-token

Let me know what language you use and I can share more details.


Hi

Wow, I completely missed those; I was looking in the API reference 😉 I'm using PHP. Could you post an example curl request perhaps?


bump? 😜



Hello! You can get a token for your user almost exactly the same way that you would get a token for your service account. The difference is that instead of passing in the string "enterprise" and an enterprise ID, you would pass in "user" and a user ID.

Are you using an SDK to generate your JWT assertion / token right now? Or are you doing it all manually?

You can see a manual example in PHP on this page:

https://developer.box.com/docs/construct-jwt-claim-manually#section-3-create-jwt-assertion

<?php
// $config is the App Settings JSON downloaded from the Box developer console,
// decoded as an object (the linked Box page reads it from config.json the same way)
$config = json_decode(file_get_contents('config.json'));

// We will need the authenticationUrl again later,
// so it is handy to define here
$authenticationUrl = 'https://api.box.com/oauth2/token';

$claims = [
  'iss' => $config->boxAppSettings->clientID,
  // For a token that acts as a user, put that user's ID here ...
  'sub' => $config->enterpriseID,
  // ... and 'user' here instead of 'enterprise'
  'box_sub_type' => 'enterprise',
  'aud' => $authenticationUrl,
  // This is an identifier that helps protect against
  // replay attacks
  'jti' => base64_encode(random_bytes(64)),
  // We give the assertion a lifetime of 45 seconds
  // before it expires
  'exp' => time() + 45,
  'kid' => $config->boxAppSettings->appAuth->publicKeyID
];

Where instead of filling in sub_type="enterprise" and sub=enterprise_id, you would fill in "user" and user_id

In other words, the only change you're making is in the construction of the JWT assertion. The API call to obtain the token remains the same.

If you're using an SDK, it may prompt you just for those two variables (enterprise/enterprise_id or user/user_id), kind of like this example in our Node.JS sdk:

https://github.com/box/box-node-sdk/blob/master/docs/authentication.md#server-auth-with-jwt

var appUserClient = sdk.getAppAuthClient('user', 'YOUR-APP-USER-ID');

^ for getting a user token

var serviceAccountClient = sdk.getAppAuthClient('enterprise', 'YOUR-ENTERPRISE-ID');

Finally, all of this assumes you have both:

  • Enabled the "Generate User Access Tokens" scope from the developer console / app config page
  • Reauthorized the app in your admin console.

Hope that helps! Ping back if you have q's or if that works!
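The procedure in the answer above, written out as an added example in Go using only the standard library (this is editor-added code, not code from the thread, from Box's docs or from any Box SDK): build the assertion claims for either subject type, sign them RS256 with the app's private key under the registered key ID, and shape the form body that is POSTed to the token endpoint. The client ID, client secret, key ID, user ID and the freshly generated RSA key are placeholders standing in for the values in config.json. The final step, trading the user token for a narrower one before it goes into Box UI Elements in a browser, uses the token-exchange grant from Box's token docs rather than anything in this thread, and the scope names there are assumptions to check against the current API reference. Folder ID 0 is the root folder of whichever user the token represents, which answers the "how do I find the root folder" question.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"time"
)

const boxTokenURL = "https://api.box.com/oauth2/token"

// BoxClaims mirrors the claim set in the PHP snippet earlier in the thread.
type BoxClaims struct {
	Iss        string `json:"iss"`
	Sub        string `json:"sub"`
	BoxSubType string `json:"box_sub_type"` // "enterprise" or "user"
	Aud        string `json:"aud"`
	Jti        string `json:"jti"`
	Exp        int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewClaims builds the assertion claims: "enterprise" + enterprise ID gives a
// service-account token, "user" + user ID a token that acts as that user.
func NewClaims(clientID, subType, subID string, now time.Time) (BoxClaims, error) {
	if subType != "enterprise" && subType != "user" {
		return BoxClaims{}, fmt.Errorf("box_sub_type must be enterprise or user, got %q", subType)
	}
	jti := make([]byte, 32) // random single-use ID so a captured assertion cannot be replayed
	if _, err := rand.Read(jti); err != nil {
		return BoxClaims{}, err
	}
	return BoxClaims{Iss: clientID, Sub: subID, BoxSubType: subType, Aud: boxTokenURL,
		Jti: b64(jti), Exp: now.Add(45 * time.Second).Unix()}, nil // short-lived, as in the PHP example
}

// SignAssertion returns the RS256-signed JWT; kid is the public key ID from the
// app config so Box can select the matching registered public key.
func SignAssertion(c BoxClaims, key *rsa.PrivateKey, kid string) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64(hdr) + "." + b64(body) // the signed portion, header.payload
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// TokenRequestForm is the body for POST https://api.box.com/oauth2/token; the
// call is identical for service-account and user tokens, only the assertion differs.
func TokenRequestForm(clientID, clientSecret, assertion string) string {
	v := url.Values{}
	v.Set("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer")
	v.Set("client_id", clientID)
	v.Set("client_secret", clientSecret)
	v.Set("assertion", assertion)
	return v.Encode()
}

// DownscopeForm trades the user token for a narrower one before it is handed to
// Box UI Elements in the browser. Grant and parameter names follow Box's
// token-exchange docs, not this thread; the scope names are assumptions to check.
func DownscopeForm(userToken string, scopes []string, resource string) string {
	v := url.Values{}
	v.Set("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange")
	v.Set("subject_token", userToken)
	v.Set("subject_token_type", "urn:ietf:params:oauth:token-type:access_token")
	v.Set("scope", strings.Join(scopes, " "))
	v.Set("resource", resource)
	return v.Encode()
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the private key in config.json
	claims, _ := NewClaims("CLIENT_ID", "user", "APP_USER_ID", time.Now())
	assertion, _ := SignAssertion(claims, key, "PUBLIC_KEY_ID")
	fmt.Println(TokenRequestForm("CLIENT_ID", "CLIENT_SECRET", assertion))
	// Folder 0 is the root folder of whichever user the token represents.
	fmt.Println(DownscopeForm("USER_ACCESS_TOKEN", []string{"base_explorer", "item_preview"}, "https://api.box.com/2.0/folders/0"))
}
```

The private key, client secret and the full user token never leave the server: the assertion and token request happen server-side, and only the downscoped token (bound to the folder the UI element needs) is sent to the browser. The equivalent curl for the first request is a form POST to https://api.box.com/oauth2/token carrying exactly the four fields TokenRequestForm emits.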