Accessing external folders

Occasional Contributor

Accessing external folders

We have an external folder that is being shared with us that we want to synchronize with using APIs.

I'm trying to figure out the best workflow to make this work.

I've tried:

- App Token: so this worked well in a test environment. I was able to share the folder with the "Login" of the app and was successfully reading the folder contents. The problem we ran into was when we asked for that folder to be shared with our app: we found out that the company has Custom ToS, and thus I was unable to accept those ToS on behalf of the app.

- JWT: unable to view content that is not owned by the user I am impersonating (using as-user).

- OAuth: that works, but we would literally have to persist the token and refresh tokens.

Isn't there a better workflow than this that has more longevity and does not need tokens to be refreshed?

9 replies
Box Employee

Re: Accessing external folders

Hi @mny79, I'd stay away from the App Token and consider JWT or OAuth instead.

The first question I'd try to answer is: "who" are you syncing this content for? If it's a real human being then I'd recommend they authenticate with OAuth 2.0 and you sync the files on their behalf using their own credentials. And yes, this does mean keeping the access token and refresh token fresh.

If you are instead syncing on behalf of the enterprise or a service, and not a specific human Box user, then you should instead look into JWT. There are 2 ways to act on behalf of users with JWT. One is to use the `As-User` header (which you noticed doesn't work with external links); the other is to use JWT to create a `User Access Token`.

https://developer.box.com/guides/authentication/jwt/user-access-tokens/

This method creates an access token / refresh token for the targeted user directly, rather than creating a service account access token and then using a header to act on behalf of another user.


---
Developer Advocate @ Box
Occasional Contributor

Re: Accessing external folders

@cbetta thank you for the response!

I am syncing files on behalf of the enterprise.

To give more context, those files are CSV files that the App would essentially retrieve, parse, and use to update our Database.

That is the reason why I stayed away from OAuth 2.0.

I have been able to get one of your suggestions going: creating a "User Access Token" with JWT. The problem with that approach is that the app needs to be granted enterprise-level access, which is a really big scope. In other words, our app would be able to impersonate any user in our Box account when we only need it to impersonate 1 user (the one that this external folder has been shared with).

I have not been able to get the As-User header working with JWT authentication, but will give it another go. I either got forbidden or not found errors. Even if that works, I assume the app will still need the same "enterprise level" access, is that correct?

Box Employee

Re: Accessing external folders

@mny79 I understand your problem. You want to act on behalf of the enterprise, but only access one user's files. To do this I'd recommend going a slightly different route: inviting the service account of your JWT app as a user on the folder that will contain the files.

By sharing the folder with the JWT app's service account you don't actually need to act on behalf of any user; instead you just access files the JWT app has been explicitly invited to. Would that work?


---
Developer Advocate @ Box
Occasional Contributor

Re: Accessing external folders

@cbetta so this is the same approach I tried when I used the App Token method. I'll explain the workflow, so please correct me if I am doing anything wrong.

  1. I used the endpoint https://api.box.com/2.0/users/me to expose the Login of the app (an email-like identity that ends in boxdevedition.com).
  2. I request that the external organization share their folder with that Login.

Now this worked perfectly when testing using an account that did not have Custom Terms of Service, but the organization that is sharing their folder with us has Custom ToS enabled.

That blocks the app from accessing the folder until it accepts the ToS. I was not able to get the tos_id with the App Token.

Now, with the JWT approach:

  1. Same thing as above: I get the Login value for the service account using the https://api.box.com/2.0/users/me endpoint.
  2. I share the folder from an external Box account (a dummy account I created to reproduce the architecture) with that Login.
  3. I do see the pending invite using the https://api.box.com/2.0/collaborations?status=pending endpoint.
  4. I do see the terms of service id for that collaboration using https://api.box.com/2.0/collaborations/xxx?fields=acceptance_requirements_status -- this is actually a step further than I got using the App Token, as it wouldn't return the tos_id, but with JWT it does.
  5. I get an invalid user when attempting to create a new ToS status for the service account using https://api.box.com/2.0/terms_of_service_user_statuses (invalid value 'xxx'. 'user' with value 'xxx' not found), where xxx is the id of the app I got from the current user info endpoint.

And that's as far as I get.

Occasional Contributor

Re: Accessing external folders

@cbetta just to add to my previous message.

So I tried yet another approach that got me one step further but still fails:

  • Created an App User (instead of using the service account)
  • Shared the external folder with the new App User
  • The App User is able to see the pending collaboration
  • The App User is able to see the requirements for the collaboration
  • The App is able to accept the Custom ToS for the App User using the "As-User" header with the App User ID (this is new)
  • BUT the App User fails the "user_has_two_factor_authentication_enabled" requirement, and is thus unable to accept the pending collaboration on an external folder

Any help would be greatly appreciated. Thank you!
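As an added example (not code from this thread, from Box, or from the Box SDK), here is the pending-collaboration triage that the two posts above work through by hand, written in Python: it reads the `acceptance_requirements_status` object that the collaborations endpoint returns when requested with `?fields=acceptance_requirements_status`, reports which of the inviting enterprise's requirements the invited user does not meet, and decides whether the collaboration can be accepted, whether a `terms_of_service_user_statuses` entry has to be created first, or whether the invite is blocked (as with the 2FA requirement above). The field names follow the Box collaboration object as documented; the sample objects, ids and the `make_collab` helper are constructed placeholders, and a real run still needs a Box client to fetch the collaboration and send the PUT/POST.

```python
"""Triage a pending Box collaboration's acceptance requirements.

Added example, not from the original thread. Field names follow Box's
acceptance_requirements_status object; all sample data below is constructed.
"""
from __future__ import annotations

from typing import Any


def make_collab(collab_id: str, *, tos_id: str | None, tos_accepted: bool,
                enterprise_2fa: bool, user_2fa: bool,
                strong_pw_required: bool = False,
                user_strong_pw: bool = True) -> dict[str, Any]:
    """Build a constructed collaboration object shaped like the API response
    (hypothetical helper, only so the example can run offline)."""
    tos_req: dict[str, Any] = {"is_accepted": tos_accepted}
    if tos_id is not None:
        # Only present when the inviting enterprise has custom ToS.
        tos_req["terms_of_service"] = {"type": "terms_of_service", "id": tos_id}
    return {
        "type": "collaboration",
        "id": collab_id,
        "status": "pending",
        "role": "viewer",
        "acceptance_requirements_status": {
            "terms_of_service_requirement": tos_req,
            "strong_password_requirement": {
                "enterprise_has_strong_password_required_for_external_users": strong_pw_required,
                "user_has_strong_password": user_strong_pw,
            },
            "two_factor_authentication_requirement": {
                "enterprise_has_two_factor_auth_enabled": enterprise_2fa,
                "user_has_two_factor_authentication_enabled": user_2fa,
            },
        },
    }


# Constructed samples mirroring the states described in the thread.
APP_USER_BLOCKED_BY_2FA = make_collab("100", tos_id="11111", tos_accepted=True,
                                      enterprise_2fa=True, user_2fa=False)
SERVICE_ACCOUNT_TOS_PENDING = make_collab("101", tos_id="11111", tos_accepted=False,
                                          enterprise_2fa=False, user_2fa=False)
MANAGED_USER_READY = make_collab("102", tos_id="11111", tos_accepted=True,
                                 enterprise_2fa=True, user_2fa=True)


def unmet_requirements(collab: dict[str, Any]) -> list[str]:
    """Names of the inviting enterprise's requirements the invited user does
    not satisfy. Empty means the invite can be accepted."""
    reqs = collab.get("acceptance_requirements_status") or {}
    problems: list[str] = []

    tos = reqs.get("terms_of_service_requirement") or {}
    if tos.get("terms_of_service") and not tos.get("is_accepted", False):
        problems.append("terms_of_service")

    pwd = reqs.get("strong_password_requirement") or {}
    if (pwd.get("enterprise_has_strong_password_required_for_external_users")
            and not pwd.get("user_has_strong_password")):
        problems.append("strong_password")

    tfa = reqs.get("two_factor_authentication_requirement") or {}
    if (tfa.get("enterprise_has_two_factor_auth_enabled")
            and not tfa.get("user_has_two_factor_authentication_enabled")):
        problems.append("two_factor_authentication")

    return problems


def next_action(collab: dict[str, Any]) -> tuple[str, str]:
    """Decide the next API call for a pending collaboration:
    ("accept", collab_id)   -> PUT /2.0/collaborations/{id} status=accepted
    ("accept_tos", tos_id)  -> POST /2.0/terms_of_service_user_statuses, then re-check
    ("blocked", reasons)    -> cannot be satisfied by the app for this identity
                               (for 2FA, use an account that can enrol, i.e. a managed user)
    """
    problems = unmet_requirements(collab)
    if not problems:
        return ("accept", collab["id"])
    if problems == ["terms_of_service"]:
        tos_id = collab["acceptance_requirements_status"][
            "terms_of_service_requirement"]["terms_of_service"]["id"]
        return ("accept_tos", tos_id)
    return ("blocked", ",".join(problems))


if __name__ == "__main__":
    for sample in (APP_USER_BLOCKED_BY_2FA, SERVICE_ACCOUNT_TOS_PENDING, MANAGED_USER_READY):
        print(sample["id"], unmet_requirements(sample), next_action(sample))
```

This is client-side triage only; Box enforces the requirements server-side, so the check is there to pick the right next call and to surface early (for example in a sync job's logs) that an App User or service account can never clear an enterprise 2FA requirement, which is the reason the thread ends up with a managed user in its own enterprise instead.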

Box Employee

Re: Accessing external folders

OK, in that case we have one final option I think: you create a managed user in your own enterprise instance and use your app to act on their behalf (this should work on the enterprise level because it is in your own org, and you can accept the T&C in that case, as well as set up 2FA).


---
Developer Advocate @ Box
Box Employee

Re: Accessing external folders

One additional option would be to turn things on their head, and instead have your app user share a folder they own with the managed user in your external enterprise.


---
Developer Advocate @ Box
Occasional Contributor

Re: Accessing external folders

Hi @cbetta thank you for all of your help.

The second option would have probably worked best.

In the end, the way we solved this was by having the App live on its own Box account with enterprise access. Since there's only 1 user, there's no longer that security concern that it can have access to all the users in our org.

The external organization shared their folder with that 1 user, the App impersonates it and has access.

Thank you!

Box Employee

Re: Accessing external folders

That works great too, especially if you only have one client to work with. If you had multiple enterprises you had to sync with, this could get rather costly.


---
Developer Advocate @ Box