JWT token - does not access BOX account

Is your app "As-User" enabled?

Hi kendomen

Thanks for reply

Good question.

To eliminate app permission being the issue I have checked that and every permission. I tried creating app users and using their tokens also without success.

Below settings, all checked

Content
	Read and write all files and folders stored in Box

Enterprise
	Manage enterprise
	Manage users
	Manage app users
	Manage groups
	Manage enterprise properties
	Manage retention policies
	Manage webhooks v2

Select the set of scopes you will request users authorize when using your app
	Advanced Features: 	Perform actions on behalf of users
	Generate access tokens for users 

Have you authorized the jwt app ?

Also a good thought. I checked and it was authorized. I reauthorized and tried api calls and same issue

https://www.screencast.com/t/kR7g394rRQ

BTW the working developer token is generated in the app settings ... so that leads me to believe that it IS using that app... and working. However when I use the JWT it fails.

Good afternoon kp,

I would tell that given that you do not receive an error but an empty array of results mean that everything is correctly set up.

So... where is your problem? Basically, I think that it is related to the user you are using or the authentication method. There are the Enterprise and the User authentication modes. I understand that you are using the second one with a technical user, is that right? The technical user is assigned to any of folder where you want to find content? If the user is not added as a previewer at least no result will be found.

Thanks

I think that would perfectly explain the behavior.

I am using OAuth2.0 with JWT - so I tried the enterprise user ... box_sub_type=enterprise and tried box_sub_type=user.

How would I assign the app user or app any permissions to any directory?

Hello kp,

basically, if you have created an APPUser will have an ID that is an autogenerated mail like this one: 

AppUser_000000_j0f0Z0RAS4 (at) boxdevedition (dot) com

That mail can be used as any other user, so you go to any folder with your account, click add collaborator and paste that mail account with the desired privileges. That user has to be able to do any action is allowed to then.

Hope this helps.

Hallelujah that works - thanks!

I really don't understand though how this is meant to work. The api does not let you assign permissions to the objects in the BOX account itself. So you would have to either make the user load stuff through your api itself to ever access it... or workaround the process itself by creating the app user and adding that user to the folders you want in scope.

Do you know if there is a way to just add the app itself vs app user - as collaborator? Or add a group (as collaborator) then add the user to the group?

Hello Kp!

I am glad that we hit the right key 😉

I understand that there are two ways to face this situation as you said:

- The app user is the one with the control. So, with this user you create folders and invite collaborators with different roles, being the APP User the Owner of those folders.

- The app user has to be invited because it is not the owner. As you said, you can add the appuser on a group and then as any other user this will have access only to what has to have access. 

Probably, the real situation can end on a hybrid situation. 

I think that what really matters on this aspect is this piece of configuration:

If the application has enterprise access then can access everything in theory.

If you have chosen Application then it behaves as a regular user: can create stuff on its own account but has to be invited to do things on folders of others.

Regards

Just to add... I thought some of these ideas were a strange way to manage permissions... since it ignored the ACL and permissions already in BOX.

A BOX support person suggested add As-User header https://docs.box.com/reference#as-user-1 .... which turns out is exactly what I need here.

1. Generate the token using the "box_sub_type=enterprise"
2. Assuming that your app is being used by BOX user... and you know which user that is - get that user's id
3. Make calls (where needed) using that users id in the As-User header

The api will use the already established BOX file permissions.

I have tried this approach and hit a wall, my Application access is set to Enterprise, my code sets the 'box_sub_type' property to 'enterprise' I have also authorized the app on Entreprise settings with all permissions, but everytime I set the header  'As-User:xxxxx' I get the error

Bearer realm="Service", error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token."

if I don't set the header then I get and empty list of folders.

The accepted answer is ok, I haven't tried it as yet mainly because I think your solution should be the correct one.

Do you have any suggestions on what else can I try?

Kind Regards

 After updating application's permissions, did you re-authorize the application within the admin console? 

Hi loCortes,

Can you please suggest me the way to create an user and link to the app. i couldn't re authorize the app. and i couldn't access the files within box account. please help us.