
Providing API key to 3rd parties to authorize the application


Comments

1 comment

  • Kourtney

    Hello,

    Thanks so much for using our Platform and Development forum.

    All API calls require the user to have a token. To obtain a token you need four parameters (https://developer.box.com/v2.0/reference#token):

    • Grant_type
    • Code
    • Client_ID
    • Client_Secret

     

    A malicious actor would not be able to obtain a token if any of the four parameters above are missing.

     

    The most someone could do with a client ID is:

    • Initiate the authentication flow, but not complete it due to the aforementioned. 

    I would recommend sharing the full oauth2 specification (https://tools.ietf.org/html/rfc6749) with your security department. 

     

    The client id is necessary in order to whitelist an application in the admin console and there is no alternative. 

     

    Best, 

    Kourtney 

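The authorization-code exchange the reply describes, as an added example that is neither Box's code nor the commenter's: a toy authorization server and client modelled on RFC 6749, with constructed client registration, callback URL and endpoint names, showing that a public client ID alone can start the flow but only the full set of four parameters, with a valid one-time code and the matching secret, yields a token.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed registration (hypothetical values): what the server knows about one app.
REGISTERED_CLIENTS = {"app-client-id": "app-client-secret"}
CALLBACK = "https://app.example/callback"  # hypothetical redirect URI

class AuthServer:
    """Toy authorization server modelling the two RFC 6749 endpoints."""
    def __init__(self):
        self.issued_codes = {}  # code -> client_id it was issued to

    def authorize(self, client_id, redirect_uri, state):
        # Knowing the public client_id is enough to start the flow: after user
        # consent the browser is redirected back with a one-time code.
        if client_id not in REGISTERED_CLIENTS:
            raise ValueError("unknown client_id")
        code = secrets.token_urlsafe(16)
        self.issued_codes[code] = client_id
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, params):
        # Finishing the flow needs all four parameters; any missing or wrong
        # value produces an error response instead of a token.
        for name in ("grant_type", "code", "client_id", "client_secret"):
            if not params.get(name):
                return {"error": "invalid_request", "missing": name}
        if params["grant_type"] != "authorization_code":
            return {"error": "unsupported_grant_type"}
        if REGISTERED_CLIENTS.get(params["client_id"]) != params["client_secret"]:
            return {"error": "invalid_client"}
        if self.issued_codes.pop(params["code"], None) != params["client_id"]:
            return {"error": "invalid_grant"}  # unknown, reused, or another app's code
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer"}

def run_flow(server, client_id, client_secret):
    """Client side: start the flow, check state on the callback, exchange the code."""
    state = secrets.token_urlsafe(8)
    callback_url = server.authorize(client_id, CALLBACK, state)
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state") != [state]:
        return {"error": "state_mismatch"}  # reject callbacks this client did not start
    return server.token({
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "client_id": client_id,
        "client_secret": client_secret,
    })
```

Calling `run_flow(AuthServer(), "app-client-id", "app-client-secret")` returns a token, while the same call with a missing or wrong secret returns an `invalid_request` or `invalid_client` error.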
