Question

Server Authentication usage

  • May 22, 2025
  • 2 replies
  • 18 views


My app will be used by other Box customers to access their files. I am testing the custom app authentication options that will allow my app to access every user's files within an enterprise account. I created a "Server Authentication (Client Credentials Consent)" app registration and consented to the app from two different Box accounts (e.g. "A" and "B"). I found that it is possible for account "A" to access the files in account "B" by specifying the enterprise ID for account "B". Is there no way to use the same app registration for multiple Box accounts? What is the recommended practice to build a "multi-tenant" application?

2 replies


Hey Steve,

When you create a grant using the client credentials grant, a service account user is created as soon as the app is authorized in the Admin Console. When you specify the enterprise ID in the grant, you'll obtain an access token for this user by default. A service account will be created for the app in each EID the app is authorized in. You will not be able to access content in a non-managed user's account (aka a user in another enterprise).

Hope that helps, but let me know if you have any questions!

Best,

Kourtney, Box Developer Advocate



Kourtney,

If you change the enterprise ID to another Box account that has also authorized the app, you can see their content without knowing their login credentials. We tested this and were surprised that it was true.

Steve
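One way to bind each tenant to its own enterprise ID in a multi-tenant app, as an added example that is not Box's code nor a pattern the thread itself prescribes: the value sent as `box_subject_id` is taken from a server-side registry filled in when that tenant consented, keyed by the tenant identity the app authenticated itself, so a request from tenant "A" can never name tenant "B"'s EID. The tenant names, EIDs and credentials below are constructed; the token endpoint and form fields are those of Box's documented client credentials grant.

```python
import urllib.parse
import urllib.request

BOX_TOKEN_URL = "https://api.box.com/oauth2/token"  # Box's token endpoint

# Constructed registry: tenant identity (as authenticated by the app, e.g. via
# the tenant's own login) -> the enterprise ID recorded when that tenant
# authorized the app. Filled server-side at consent time, never from requests.
TENANT_EID = {
    "tenant-a": "111111",   # constructed EID
    "tenant-b": "222222",   # constructed EID
}


def is_tenant_bound(tenant_id: str, enterprise_id: str) -> bool:
    """True only if enterprise_id is the EID registered for this tenant."""
    return TENANT_EID.get(tenant_id) == enterprise_id


def build_ccg_request(client_id: str, client_secret: str, enterprise_id: str) -> dict:
    """Form body for the client credentials grant targeting one enterprise's
    service account (grant_type, box_subject_type, box_subject_id)."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "box_subject_type": "enterprise",
        "box_subject_id": enterprise_id,
    }


def token_request_for_tenant(tenant_id: str, requested_eid: str,
                             client_id: str, client_secret: str) -> dict:
    """Build the token request only when the EID a caller asked for (say, from a
    URL path) is the one bound to the authenticated tenant; otherwise refuse."""
    if not is_tenant_bound(tenant_id, requested_eid):
        raise PermissionError(
            f"tenant {tenant_id!r} is not bound to enterprise {requested_eid!r}")
    return build_ccg_request(client_id, client_secret, requested_eid)


def fetch_token(form: dict, timeout: float = 10.0) -> bytes:
    """POST the form to Box and return the raw JSON body (needs network)."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(BOX_TOKEN_URL, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()
```

Every token minted by the app then goes to an EID the calling tenant actually owns, which is what keeps a single app registration safe to share across customers; the client secret itself stays on your server and is never handed to tenants.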