"as-user" Header throws "403Forbidden" in OAuth2.0/Custom-Application/Web-Integration

Context:

  1. We are actively building a Box Integration.
  2. Developed a custom application to use OAuth 2.0 authentication, and created a web integration to “Process the File”.
  3. We use the Auth-Code received from the Web-Integration to get the DownloadURL for the file.
  4. We are not storing each user’s access-token in our database. Instead, we are authorising an Admin/Co-Admin and storing his/her AccessToken/Refresh Token.
  5. After processing the file content asynchronously, we need to upload a new version of the file later.
  6. We are using the Admin/Co-Admin access-token stored in our database to initialize the Node-SDK and upload the file version.

Problem:

  1. When we try to upload the file, we started getting the error “404 Not Found”.

  2. After some reading, we understood the issue is because we are using a different user’s token, and tried the “as-user” header to solve this problem.

  3. Unfortunately the new request throws “403 Forbidden”.

Why the “as-user” header is not working for us?

Note:

  1. I have enabled the “as-user” option in app settings.
  2. Also enabled the “manage-users” permission in app settings.

Thanks, Sarin

Hi @sarin-vt

With the information you sent us, it should work fine.

Assuming the access token has been granted to the Admin/Co-admin user, and was obtained after you set the “Make API calls using the as-user header” option.

To exemplify:

curl --location 'https://api.box.com/2.0/users/me?fields=id%2Ctype%2Cname%2Clogin' \
--header 'Authorization: Bearer pi...ux'

Returns:

{
    "type": "user",
    "id": "18622116055",
    "name": "Rui Barbosa",
    "login": "barduinor@gmail.com"
}

With the as-user header:

curl --location 'https://api.box.com/2.0/users/me?fields=id%2Ctype%2Cname%2Clogin' \
--header 'as-user: 22240545678' \
--header 'Authorization: Bearer pi...ux'

Returns:

{
    "type": "user",
    "id": "22240545678",
    "name": "Wholesale User",
    "login": "barduinor+wh@gmail.com"
}

Notice the same bearer token is being used.

See if in your use case the call to the /users/me endpoint can help you diagnose the issue.

Hi @rbarbosa,

Thanks for your quick response. I just tried the curl example you posted above.
Without the as-user header, I received the user details as expected, but I am getting an empty response when I add the as-user header.

With Postman and Node-Sdk, I was getting 403 errors.

Can you check if I am missing something in my application or authentication types?

Also I found this post on StackOverflow - box api - Using As-User in Box Request - Stack Overflow, which says we need approval from Box to use the as-user header.

Thanks, Sarin

Hi @sarinvt

I’m sure I’m missing something obvious here…

The users that you are trying to impersonate with the as-user header, what type of users are they, are they human (AKA managed users), app users, service accounts perhaps?

If you do something like this using your as-user user ids, what do you get?

curl --location 'https://api.box.com/2.0/users/22240545678?fields=id%2Ctype%2Cname%2Clogin' \
--header 'Authorization: Bearer 4T...UzJ'

Example of a managed user:

{
    "type": "user",
    "id": "22240545678",
    "name": "Wholesale User",
    "login": "barduinor+wh@gmail.com"
}

Example of a service account:

{
    "type": "user",
    "id": "18662356345",
    "name": "Administrator",
    "login": "AppUser_1715931_vt8XOps1Ff@boxdevedition.com"
}

Example of an app user:

{
    "type": "user",
    "id": "29598609450",
    "name": "Test APP User",
    "login": "AppUser_1841316_GlefZmyT1g@boxdevedition.com"
}

As for the Stack Overflow note, it’s from 2016…
I use the free developer account to do these tests and I was not required to send any email to enable the as-user header.

This is how I have my application configured:

No Web App integration:

Do you have a single application configured (OAuth 2.0 + Web app integration), or 2 distinct apps created, one for your Admin/co-admin and another for the web integrations?

Hi @rbarbosa

  1. The user I try as-user with is a normal human user, with Role - Member. I just ran the curl to get the user details and copied the response below.

{
    "type":"user",
    "id":"340.....7",
    "name":"Aarya",
    "login":"aarya@fe...re.com"
}

  2. I used the curl command again for /users/me and copied the response below.

This returned my user details as expected. My account’s Role is “Co-Admin”. I used my account to authorize Box and saved the AccessToken and Refresh token in the database. My AccessToken is being used to access all these APIs.

{
    "type":"user",
    "id":"337...3",
    "name":"Sarin VT",
    "login":"sarin.vt@fe...re.com"
}

  3. I have a single application configured, OAuth 2.0 + Web app integrations, and my configuration looks the same as yours.

I hope the above details help you figure out the issue.

Thanks, Sarin

Hi,

Well, it seems those are normal, human users.

Can you experiment by creating a new temporary OAuth 2.0 application, without the web integration part, to see if the as-user header works as expected?

Hi @rbarbosa,

Just to give you an update. For the same application, when I used the “developer token”, I was able to work with the “as-user” header.

Thanks, Sarin

Hi @rbarbosa,

As you suggested, I just created a new “Test App”.
Generated a new access-token using the new App’s clientId and Secret.
I haven’t configured any Web-Integrations in this application.

I am still facing the same error. When I add the as-user header it returns empty in curl.
Without as-user it returns my account details as expected.

Thanks, Sarin

That is an interesting data point.

When you create a developer token in the developer console, the underlying security context is the same as the user logged into box.com.

However, from your screenshots it seems to be the same user (sarin_vt@…) as in the other tests that do not work.

At this point we are spinning our wheels.

I see 2 options here:

  • create a support ticket
  • we jump on a call and try to diagnose this further.

If you want to explore this route, I’m on EST (UTC-4), could you send me a private message with your email and availability for the next few days?

Hi @rbarbosa, thanks for your quick response.

This is urgent and high priority for us. I am on IST, but I can make myself available at a time convenient for you.

Thanks, Sarin

Thanks, @rbarbosa for helping me resolve the issue.

Even though I enabled all required permissions at the application level to enable the as-user header, I was not providing the “manage-users” permission while constructing the Authorization URL.

I removed the scopes parameter from the authorization URL, so the generated token takes the application’s default permissions.

This change resolved my issue.

Thanks, Sarin
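The following is an added example, not code from this thread or from Box: it packages @rbarbosa’s /users/me probe and the resolution above (an explicit scope list in the authorize URL replaces the app’s default permissions) as small Python helpers. The authorize endpoint URL and the query-parameter names are assumptions; the sample responses are the ones quoted in the thread.

```python
import json
from urllib.parse import urlencode

BOX_API = "https://api.box.com/2.0"
# Assumed authorize endpoint for this example (not taken from the thread).
BOX_AUTHORIZE = "https://account.box.com/api/oauth2/authorize"

# Constructed sample bodies, copied from the /users/me responses in the thread.
ME_SELF = json.dumps({"type": "user", "id": "18622116055",
                      "name": "Rui Barbosa", "login": "barduinor@gmail.com"})
ME_AS_USER = json.dumps({"type": "user", "id": "22240545678",
                         "name": "Wholesale User", "login": "barduinor+wh@gmail.com"})


def users_me_headers(token, as_user_id=None):
    """Headers for GET {BOX_API}/users/me; the as-user header is added only when asked."""
    headers = {"Authorization": f"Bearer {token}"}
    if as_user_id is not None:
        headers["as-user"] = str(as_user_id)
    return headers


def diagnose(status, body, expected_id):
    """Classify a /users/me probe into the outcomes seen in the thread."""
    if status == 403:
        return "forbidden"      # token was issued without the permission as-user needs
    if status == 404:
        return "not_found"      # as-user not applied; token's own user can't see the resource
    if not body.strip():
        return "empty"          # curl shows nothing; use -i to see the real status code
    me = json.loads(body)
    if me.get("id") == expected_id:
        return "impersonated"   # call ran as the as-user id, same bearer token
    return "not_applied"        # token owner came back instead of the as-user id


def authorize_url(client_id, redirect_uri, scopes=None):
    """Build the OAuth 2.0 authorize URL. Passing scopes replaces the app's
    default permissions with the listed ones, which is what dropped as-user here."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri}
    if scopes:
        params["scope"] = " ".join(scopes)   # omit to inherit app defaults
    return BOX_AUTHORIZE + "?" + urlencode(params)
```

Run the probe with `curl -i` so an empty body still shows whether the server answered 403 or 200.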

Great talking to you @sarin-vt !

Good luck with the project!
