Question

Unexpected access token restrictions

  • May 22, 2025
  • 2 replies
  • 59 views


Hi,

Context

I am developing a custom app (client_id: 8zymxbbyb908n7nmhntdchh3nwi7u3o5), which is supposed to open a file for commenting etc., using only the Box API. The service itself, including the OAuth2 flow, is set up and seems to work properly.

Problem

When testing the app through typing this URL:

https://account.box.com/api/oauth2/authorize?response_type=code&client_id=8zymxbbyb908n7nmhntdchh3nwi7u3o5

Box prompts for a lot of permissions (see Picture 1) and everything seems to work well. The access token JSON returned has no attached restricted_to info.

Picture 1

However, when testing the app by right-clicking a file in box.com, Box only asks for the "Read from file my file.mp4" permission (see Picture 2).

Picture 2

This results in an access token with this attached object:

    "restricted_to": [
        {
            "scope": "item_read",
            "object": {
                "type": "file",
                "id": "815440821742",
                "file_version": {
                    "type": "file_version",
                    "id": "873148946542",
                    "sha1": "2c585f32ecd2c08c3f8541901d49ed9893cc8f17"
                },
                "sequence_id": "1",
                "etag": "1",
                "sha1": "2c585f32ecd2c08c3f8541901d49ed9893cc8f17",
                "name": "my file.mp4"
            }
        }
    ]

causing a 404 when requesting the file's /tasks. /comments works for some reason.

Interestingly, the scope "item_read" is not listed as one of the possible scopes in the API docs: https://developer.box.com/reference/resources/access-token/#param-restricted_to-scope


My guess is that these two different ways to start the app give differently scoped access tokens.

My question is how to give my app a token that allows reading and writing comments and tasks when it is launched by right-click and the Integrations menu.

I also attach some screenshots of the app settings and integration settings (Pictures 3 to 6).

Any help or clue is welcome!

Best regards,

Olov

Picture 3

Picture 4

Picture 5

Picture 6

2 replies


One thing I discovered is that if I remove the #auth_code# query parameter in the integration (Picture 1) and make the frontend app redirect to this URL when the auth_code is missing:

https://account.box.com/api/oauth2/authorize?response_type=code&client_id=${clientId}&redirect_uri=https://box.mydomain.dev

the user will be asked to grant more privileges to the app and a new code will be received by the frontend app, so getting /tasks will work. However, this means that the user will be prompted about app access two times (Picture 2 and Picture 3), which seems wrong.

So, the question remains for me: how do we get Box to ask for enough permissions when right-clicking a file and opening it in our integration?

Thanks in advance :)

Olov

Picture 1

Picture 2

Picture 3
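The two situations described in the question and in the reply above (a full-consent token with no restricted_to versus a downscoped token restricted to item_read on one file, and the "redirect to the authorize URL when the code is missing" workaround) can be turned into a small decision routine. The following is an added example, not code from the original posts and not Box's own code. It reads only the restricted_to structure shown in the question; the client_id, file id and scope value are copied from the post, the redirect URI is the one from the reply, the scope name "item_write" is a placeholder standing in for whatever scope your write calls need, and the state value is a constructed constant (in a real frontend it must be freshly generated with crypto.randomUUID() and verified on the way back).

```javascript
// Added example (not from the original posts, not Box's code): inspect the
// access-token JSON handed to an integration, decide whether it is downscoped
// below what the app needs, and if so build the full-consent authorize URL
// with a CSRF-protecting `state` parameter.

const BOX_AUTHORIZE = "https://account.box.com/api/oauth2/authorize";

// Flatten `restricted_to` into [{ scope, type, id }] entries.
// A token with no `restricted_to` field is not downscoped.
function parseRestrictions(token) {
  const list = Array.isArray(token.restricted_to) ? token.restricted_to : [];
  return list
    .filter((r) => r && r.object && typeof r.scope === "string")
    .map((r) => ({ scope: r.scope, type: r.object.type, id: String(r.object.id) }));
}

// True when the token can be used for every scope in `requiredScopes` on file
// `fileId`: either it carries no restriction at all, or each required scope is
// explicitly granted on exactly that file. Anything else is treated as
// insufficient, which is the safe default for a token you did not mint.
function tokenCoversFile(token, fileId, requiredScopes) {
  if (!Array.isArray(token.restricted_to)) return true;
  const granted = new Set(
    parseRestrictions(token)
      .filter((r) => r.type === "file" && r.id === String(fileId))
      .map((r) => r.scope)
  );
  return requiredScopes.every((s) => granted.has(s));
}

// Build the authorize URL. `redirect_uri` must be https and match the URI
// registered for the client; `state` must be unguessable, stored by the app
// and compared against the value Box sends back on the redirect.
function buildAuthorizeUrl(clientId, redirectUri, state) {
  const target = new URL(redirectUri);
  if (target.protocol !== "https:") throw new Error("redirect_uri must use https");
  if (typeof state !== "string" || state.length < 16) {
    throw new Error("state must be a random value of at least 16 characters");
  }
  const url = new URL(BOX_AUTHORIZE);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
  }).toString();
  return url.toString();
}

// Compare the stored and returned `state` without early exit on mismatch.
function stateMatches(stored, returned) {
  if (typeof stored !== "string" || typeof returned !== "string") return false;
  if (stored.length !== returned.length) return false;
  let diff = 0;
  for (let i = 0; i < stored.length; i++) {
    diff |= stored.charCodeAt(i) ^ returned.charCodeAt(i);
  }
  return diff === 0;
}

// What the frontend should do with the token it was handed: use it, or send
// the user through the full-consent flow once.
function decideNextStep(token, fileId, requiredScopes, auth) {
  if (tokenCoversFile(token, fileId, requiredScopes)) return { action: "proceed" };
  return {
    action: "reauthorize",
    url: buildAuthorizeUrl(auth.clientId, auth.redirectUri, auth.state),
  };
}

// Constructed samples: the downscoped token shape from the question (same
// scope and file id, trimmed to the fields read here) and a full-consent
// token, which has no `restricted_to`.
const DOWNSCOPED_TOKEN = {
  access_token: "<redacted>",
  restricted_to: [
    { scope: "item_read", object: { type: "file", id: "815440821742", name: "my file.mp4" } },
  ],
};
const FULL_TOKEN = { access_token: "<redacted>" };

// Placeholder scope names: "item_write" is hypothetical, substitute the
// scopes your comment/task calls actually require.
const NEEDED_SCOPES = ["item_read", "item_write"];

const AUTH = {
  clientId: "8zymxbbyb908n7nmhntdchh3nwi7u3o5",   // client_id from the question
  redirectUri: "https://box.mydomain.dev",         // redirect URI from the reply
  state: "constructed-state-0123456789abcdef",     // constructed; use crypto.randomUUID()
};

console.log(decideNextStep(DOWNSCOPED_TOKEN, "815440821742", NEEDED_SCOPES, AUTH));
console.log(decideNextStep(FULL_TOKEN, "815440821742", NEEDED_SCOPES, AUTH));
```

The check redirects only when the token is actually restricted below what the app needs, so a token that already covers the file is used as-is instead of prompting the user again. The state value is mandatory here because the redirect to box.mydomain.dev carries an authorization code; without a state the app has no way to tell a code it requested from one injected by a third party.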



Hi again! Anyone having a clue about this? Any input is welcome :)