JWT access token is not working to load root folder of Box

Hi Justin, 

I assume you are talking about this repo on Github. 

I just tried downloading and using the code for the node sample. It worked for me. Did you make any changes to the code? Can you share the error you are seeing? 

Thanks, 

Alex, Box Developer Advocate

Thanks for your response.

I can generate access_token with node sample of  this repo which you said.

I am using Firebase function to make backend api as the following;

const functions = require("firebase-functions");

const express = require('express');

const app = express();

const admin = require('firebase-admin');

admin.initializeApp();

const fs = require('fs')

const crypto = require('crypto')

const jwt = require('jsonwebtoken')

const axios = require('axios')

const querystring = require('querystring');

const config = JSON.parse(

fs.readFileSync('config.json')

)

function apiResponseData(bResult, msg, errType) {

constrepData = {

'status':bResult,

'result':msg,

'errorType':errType

};

returnrepData;

}

// Get Access Token of Box

app.get('/boxToken', async (req, res) => {

letkey = {

key:config.boxAppSettings.appAuth.privateKey,

passphrase:config.boxAppSettings.appAuth.passphrase

}

console.log('config', config)

// We will need the authenticationUrl again later,

// so it is handy to define here

constauthenticationUrl = 'https://api.box.com/oauth2/token'

try {

letclaims = {

'iss':config.boxAppSettings.clientID,

'sub':config.enterpriseID,

'box_sub_type':'enterprise',

'aud':authenticationUrl,

// This is an identifier that helps protect against

// replay attacks

'jti':crypto.randomBytes(64).toString('hex'),

// We give the assertion a lifetime of 60 seconds

// before it expires

'exp':Math.floor(Date.now() / 1000) + 60

}

 

letkeyId = config.boxAppSettings.appAuth.publicKeyID

 

// Rather than constructing the JWT assertion manually, we are

// using the jsonwebtoken library.

letassertion = jwt.sign(claims, key, {

// The API support "RS256", "RS384", and "RS512" encryption

'algorithm':'RS512',

'keyid':keyId,

})

console.log('assertion: ', assertion)

// We are using the excellent axios package

// to simplify the API call

letaccessToken = awaitaxios.post(

authenticationUrl,

querystring.stringify({

// This specifies that we are using a JWT assertion

// to authenticate

grant_type:'urn:ietf:params:oauth:grant-type:jwt-bearer',

// Our JWT assertion

assertion:assertion,

// The OAuth 2 client ID and secret

client_id:config.boxAppSettings.clientID,

client_secret:config.boxAppSettings.clientSecret

})

)

// Extract the access token from the API response

.then(response => response.data.access_token)

 

returnres.status(200).json(apiResponseData(true, accessToken, 0));

} catch(error) {

console.log('Error get /getToken = ', error.message);

returnres.status(500).json(apiResponseData(false, error.message, 4));

}

});

exports.widgets = functions.https.onRequest(app);

So I can get access_token with that api.

my api endpoint:

GET: https://us-central1-uvceed-ab506.cloudfunctions.net/widgets/boxToken

so I tried to load root folder with access_token(result) coming from api.

Box API to load root foloer

https://api.box.com/2.0/folders/0/items?fields=modified_at,name,extension&usemarker=true

but If I use developer_token, I can see my items in root folder.

So I am guessing my account configuration is wrong. could you check? I shared client_id, client_secret, user_id, etc above.

Here is config.json

{

  "boxAppSettings": {

    "clientID": "2xbr8cf7p0xyu7n4xzc5qu0nv2sr6xor",

    "clientSecret": REDACTED,

    "appAuth": {

      "publicKeyID": REDACTED,

      "privateKey": REDACTED,

      "passphrase": REDACTED

    }

  },

  "enterpriseID": "843092337"

}

when I log assertion, It looks like it's getting well. 

Thanks

Thanks for the additional information. 

This is happening, because the developer token is tied to the user account that requested the token, in this case info@uvceed.com.

When you used the node token generator, it is creating a token that is tied to the service account of the application you created. They are different users, and as such, have different content. You aren't getting results, because the service account doesn't own anything. 

You can read more about the service account user type here. 

Hope this helps.