I was testing JWT authentication using my sample console app and at some point I realized that my access tokens are not being expired. I thought they should expire after 60 minutes.
For my surprise, later I discovered that I can pass ANY text as token and it still works. Is it because my app is created within the same Enterprise it tries to access? Why it works with any string?
Sample code
// Read the config with client id, secret, public/private keys from the JSON file
IBoxConfig config;
using (var configStream = File.OpenRead(configJsonPath))
config = BoxConfig.CreateFromJsonFile(configStream);
// Authentication code
xJWTAuth boxJwtAuth = new BoxJWTAuth(config);
//string adminToken = boxJwtAuth.AdminToken(); // COMMENTED OUT!
string adminToken = "ANY STRING"; // WHY THIS WORKS?
// Retreive the list of users - works!
BoxClient adminClient = boxJwtAuth.AdminClient(adminToken);
BoxCollection<BoxUser> boxUsers = adminClient.UsersManager.GetEnterpriseUsersAsync().Result;
With JWT authentication any token grabs data from my Enterprise account
I dug sources and at this point it seems to me that SDK itself takes care of getting the token if you pass a wrong token.
if (boxResponse2.Status == ResponseStatus.Unauthorized)
boxResponse2 = await this.RetryExpiredTokenRequest<T>(request).ConfigureAwait(false);
RetryExpiredTokenRequest method seems to get the token for me.
Does it mean that if we grab a token once and do not update it for the lifetime of the application
1. My old token will work forever if I'll use SDK methods.
2. My old token will work as designed for the first 60 minutes.
3. After 60 minutes everytime we will make a request with the old token, we will end up with doing 2 requests - first request will fail, SDK will grab a fresh token for each request and make another retry.
Dear Box Team can you confirm if my assumption is correct?
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.