Question

JWT service account: how to generate access tokens for individual user accounts

  • May 22, 2025
  • 4 replies
  • 63 views


According to the docs, a service account allows you to "generate OAuth 2.0 access tokens for individual user accounts, instead of going through the normal OAuth 2.0 flow."

I am unable to find any documentation on how to achieve this, i.e. given that I've set up JWT authentication with the "generate access tokens" permissions, an enterprise admin has authorized my app, and there's a user account X belonging to that enterprise, I want to generate an access token that gives me files read/write access just for account X (so, identical to a user token that I would retrieve from account X if I had the account owner go through the normal OAuth2 flow).

I see there's a new "Tokens Exchange" functionality which I suppose I should use to get a properly scoped access token out of my service account token, but I see no way to specify the account that I want the new token to be valid for.

4 replies


Here's a Java example for getting a managed user.

import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;

import com.box.sdk.BoxDeveloperEditionAPIConnection;
import com.box.sdk.BoxFile;
import com.box.sdk.BoxFolder;
import com.box.sdk.BoxItem;
import com.box.sdk.BoxUser;
import com.box.sdk.EncryptionAlgorithm;
import com.box.sdk.IAccessTokenCache;
import com.box.sdk.InMemoryLRUAccessTokenCache;
import com.box.sdk.JWTEncryptionPreferences;

public class ManagedUserExample {

    // Placeholder values: substitute the ones from the app's JWT configuration.
    private static final String PRIVATE_KEY_FILE = "private_key.pem";
    private static final String PRIVATE_KEY_PASSWORD = "PRIVATE_KEY_PASSWORD";
    private static final String PUBLIC_KEY_ID = "PUBLIC_KEY_ID";
    private static final String CLIENT_ID = "CLIENT_ID";
    private static final String CLIENT_SECRET = "CLIENT_SECRET";
    private static final String ENTERPRISE_ID = "ENTERPRISE_ID";
    private static final int MAX_CACHE_ENTRIES = 100;

    public static void main(String[] args) throws Exception {
        // Read the password-protected private key (PEM) that belongs to PUBLIC_KEY_ID
        String privateKey = new String(Files.readAllBytes(Paths.get(PRIVATE_KEY_FILE)), StandardCharsets.UTF_8);

        JWTEncryptionPreferences encryptionPref = new JWTEncryptionPreferences();
        encryptionPref.setPublicKeyID(PUBLIC_KEY_ID);
        encryptionPref.setPrivateKey(privateKey);
        encryptionPref.setPrivateKeyPassword(PRIVATE_KEY_PASSWORD);
        encryptionPref.setEncryptionAlgorithm(EncryptionAlgorithm.RSA_SHA_256);

        // The cache keeps the SDK from requesting a fresh token on every call
        IAccessTokenCache accessTokenCache = new InMemoryLRUAccessTokenCache(MAX_CACHE_ENTRIES);

        // Service account (enterprise) connection: the token held by the JWT app itself
        BoxDeveloperEditionAPIConnection api = BoxDeveloperEditionAPIConnection.getAppEnterpriseConnection(
                ENTERPRISE_ID, CLIENT_ID, CLIENT_SECRET, encryptionPref, accessTokenCache);

        BoxUser.Info userInfo = BoxUser.getCurrentUser(api).getInfo();
        System.out.format("Welcome, %s!\n\n", userInfo.getName());

        // The second argument is a filter term matched against the enterprise's users
        Iterable<BoxUser.Info> managedUsers = BoxUser.getAllEnterpriseUsers(api, "ken.domen@nike.com");
        for (BoxUser.Info managedUser : managedUsers) {
            System.out.println(managedUser.getName() + " " + managedUser.getStatus());
            if (managedUser.getStatus().equals(BoxUser.Status.ACTIVE)) {

                // BoxDeveloperEditionAPIConnection.getAppUserConnection() is used to get AppUser or ManagedUser
                // in this example, I'm getting a managedUser (ken.domen@nike.com)
                BoxDeveloperEditionAPIConnection userApi = BoxDeveloperEditionAPIConnection.getAppUserConnection(
                        managedUser.getID(), CLIENT_ID, CLIENT_SECRET, encryptionPref, accessTokenCache);

                // Calls made through userApi act as that user: list the files in their root folder
                BoxFolder boxFolder = new BoxFolder(userApi, "0");
                Iterable<BoxItem.Info> items = boxFolder.getChildren();
                for (BoxItem.Info item : items) {
                    if (item instanceof BoxFile.Info) {
                        System.out.println("\t" + item.getName());
                    }
                }
            }
        }
    }
}


Um ok. I suppose if I dig into the Java SDK implementation I will find out how to construct the appropriate HTTP calls? And this snippet gets a personal user token out of a service account token right?



I'm running the same code and it works for all the AppUsers, but returns error 400 for the managed users.

Javadoc says that the method getAppUserConnection is for AppUser only.

Should it also work for managed users?

 



Yes, it works for managed users as well. Do you have "Perform Actions as Users" enabled?
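The follow-up in this thread asks what HTTP calls the SDK makes underneath getAppUserConnection(). The block below is an added example, not code from the Box SDK or from anyone in the thread, that performs the JWT grant directly with only the JDK: it builds the signed assertion and posts it to the token endpoint. The account a token is valid for is chosen by the assertion's sub claim together with box_sub_type: "enterprise" with the enterprise ID yields the service account token, "user" with a user ID yields a token that acts as that user (for a managed user this is what the "Perform Actions as Users" setting from the last reply gates). Assumptions: all constants are placeholders, the private key file is an unencrypted PKCS#8 PEM (the SDK snippet above loads a password-protected key, which the JDK alone does not parse), and the 45-second expiry is a choice made to stay within Box's 60-second limit on exp.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.spec.PKCS8EncodedKeySpec;
import java.time.Instant;
import java.util.Base64;
import java.util.UUID;

public class BoxJwtUserToken {

    // Placeholder credentials (assumed): substitute the values from the app's JWT configuration.
    static final String CLIENT_ID = "YOUR_CLIENT_ID";
    static final String CLIENT_SECRET = "YOUR_CLIENT_SECRET";
    static final String PUBLIC_KEY_ID = "YOUR_PUBLIC_KEY_ID";
    static final Path PRIVATE_KEY_FILE = Path.of("private_key.pem"); // assumed unencrypted PKCS#8 PEM
    static final String TOKEN_URL = "https://api.box.com/oauth2/token";

    static String b64url(byte[] data) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(data);
    }

    // Load an unencrypted "BEGIN PRIVATE KEY" PEM into an RSA PrivateKey
    static PrivateKey loadPrivateKey(Path pem) throws Exception {
        String body = Files.readString(pem)
                .replace("-----BEGIN PRIVATE KEY-----", "")
                .replace("-----END PRIVATE KEY-----", "")
                .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(body);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    // Build the signed JWT assertion. subType is "enterprise" (service account token,
    // sub = enterprise ID) or "user" (token acting as that user, sub = user ID).
    static String buildAssertion(PrivateKey key, String subType, String sub) throws Exception {
        long exp = Instant.now().getEpochSecond() + 45; // Box rejects exp more than 60 s ahead
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\",\"kid\":\"" + PUBLIC_KEY_ID + "\"}";
        String claims = "{"
                + "\"iss\":\"" + CLIENT_ID + "\","
                + "\"sub\":\"" + sub + "\","
                + "\"box_sub_type\":\"" + subType + "\","
                + "\"aud\":\"" + TOKEN_URL + "\","
                + "\"jti\":\"" + UUID.randomUUID() + "\","  // single-use nonce; a replayed jti is rejected
                + "\"exp\":" + exp
                + "}";
        String signingInput = b64url(header.getBytes(StandardCharsets.UTF_8)) + "."
                + b64url(claims.getBytes(StandardCharsets.UTF_8));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(signingInput.getBytes(StandardCharsets.UTF_8));
        return signingInput + "." + b64url(sig.sign());
    }

    // Exchange the assertion for an access token; returns the raw JSON response body
    static String requestToken(String assertion) throws Exception {
        String form = "grant_type=" + URLEncoder.encode("urn:ietf:params:oauth:grant-type:jwt-bearer", StandardCharsets.UTF_8)
                + "&assertion=" + assertion  // base64url pieces are already URL-safe
                + "&client_id=" + URLEncoder.encode(CLIENT_ID, StandardCharsets.UTF_8)
                + "&client_secret=" + URLEncoder.encode(CLIENT_SECRET, StandardCharsets.UTF_8);
        HttpRequest req = HttpRequest.newBuilder(URI.create(TOKEN_URL))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form))
                .build();
        HttpResponse<String> resp = HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) {
            // A 400 here for a managed user is the symptom discussed in the thread:
            // check the "Perform Actions as Users" setting before debugging the assertion.
            throw new IllegalStateException("token request failed: " + resp.statusCode() + " " + resp.body());
        }
        return resp.body();
    }

    public static void main(String[] args) throws Exception {
        PrivateKey key = loadPrivateKey(PRIVATE_KEY_FILE);
        String userId = args.length > 0 ? args[0] : "USER_ID_PLACEHOLDER";
        // A user-scoped token: the response JSON carries access_token and expires_in,
        // and grants the same rights as a token obtained by that user through the normal flow.
        System.out.println(requestToken(buildAssertion(key, "user", userId)));
    }
}
```

The returned token is as sensitive as the user's own credentials, so it belongs in memory (or a cache such as the SDK's InMemoryLRUAccessTokenCache) rather than in logs or on disk, and the private key that signs the assertion is the root of trust for every user in the enterprise: whoever holds it can mint a token for any user ID, which is why the key file and the "Perform Actions as Users" setting deserve the same access controls as an admin account.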