Providing API key to 3rd parties to authorize the application
Dear Community
In order to authorize a new app under "custom applications" I need to provide the application clientId to some 3rd party company. Our security department told me that we cannot share any client id (even if it's only some kind of username). Is there any other option (like application id) or whatever we can safely give to 3rd parties to whitelist our application?
Thanks
Alex
-
Hello,
Thanks so much for using our Platform and Development forum.
All API calls require the user to have a token. To obtain a token you need four parameters: (https://developer.box.com/v2.0/reference#token)
- Grant_type
- Code
- Client_ID
- Client_Secret
A malicious actor would not be able to obtain a token if any of the four parameters above are missing.
The most someone could do with a client ID is:
- Initiate the authentication flow, but not complete it due to the aforementioned.
I would recommend sharing the full OAuth2 specification (https://tools.ietf.org/html/rfc6749) with your security department.
The client id is necessary in order to whitelist an application in the admin console and there is no alternative.
Best,
Kourtney
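The check described in the answer above, sketched as a minimal token endpoint for the authorization-code grant (an added example, not Box's code and not part of the original thread). The client id, secret and code are constructed values, `token_endpoint` and the `missing` field are hypothetical names, and the error codes are those of RFC 6749 section 5.2.

```python
import hmac

# Constructed sample data (not real Box values).
CLIENTS = {"demo-client-id": "demo-client-secret"}   # client_id -> client_secret
ISSUED_CODES = {"demo-auth-code": "demo-client-id"}  # code -> client it was issued to
REQUIRED = ("grant_type", "code", "client_id", "client_secret")


def token_endpoint(params):
    """Return (http_status, body) for a token request, following RFC 6749 5.2."""
    missing = [p for p in REQUIRED if not params.get(p)]
    if missing:
        # "missing" is an illustrative extra field, not part of the RFC.
        return 400, {"error": "invalid_request", "missing": missing}
    if params["grant_type"] != "authorization_code":
        return 400, {"error": "unsupported_grant_type"}
    secret = CLIENTS.get(params["client_id"])
    # Constant-time comparison so the secret is not leaked through timing.
    if secret is None or not hmac.compare_digest(
        secret.encode(), params["client_secret"].encode()
    ):
        return 401, {"error": "invalid_client"}
    # The code must have been issued to this same client, and is single use.
    if ISSUED_CODES.get(params["code"]) != params["client_id"]:
        return 400, {"error": "invalid_grant"}
    del ISSUED_CODES[params["code"]]
    return 200, {"access_token": "constructed-token", "token_type": "bearer"}


if __name__ == "__main__":
    full = {
        "grant_type": "authorization_code",
        "code": "demo-auth-code",
        "client_id": "demo-client-id",
        "client_secret": "demo-client-secret",
    }
    # What a third party holding only the client id can submit.
    print(token_endpoint({"client_id": "demo-client-id"}))
    # Client id plus a guessed secret.
    print(token_endpoint({**full, "client_secret": "guess"}))
    # The legitimate application with all four parameters.
    print(token_endpoint(full))
    # Replaying the same authorization code.
    print(token_endpoint(full))
```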