No Files/Subfolders in Python JWT Authentication

Hello, all. Thank you in advance for the assistance. I am working on authenticating to box via JWT in python. I am currently authenticating like this:

auth = JWTAuth(
    client_id='<CLIENT ID>',
    client_secret='<CLIENT SECRET>',
    enterprise_id='<ENTERPRISE ID>',
    jwt_key_id='<JWT KEY ID>',
    rsa_private_key_file_sys_path='/Users/folder/private_key.pem',
    rsa_private_key_passphrase='<PASSWORD>',
)

access_token = auth.authenticate_instance()
client = Client(auth)

However, when I try and access my files in the box, I am not able to find any via code (even though there are certainly files in my account):

client.folder('0').get()

The interesting thing is that I am able to access all of the files and folders in my account if I use the development client, go into the developer console, and manually copy and paste an access token into the application:

from boxsdk import DevelopmentClient
client = DevelopmentClient()

I was curious if anyone had any ideas of how I could do this via the service account? The use case is that this code runs on a schedule without need for human intervention to grab files. I read some of the forums and it seems that the issue might be that the service account has a different file structure since it’s a different user? It seems odd that I could get to the files using the developer access token if that was the case. Not quite sure where to go from here, any suggestions/help would be very much appreciated.

Thank you!

As a side note, I tried next to 1) create a user, and 2) impersonate a user. However, I got permission denied for both. I went into the console and checked the boxes to “Make API calls using the as-user header” and “Generate user access tokens”. Then, I went to re-authorize my app, but when I clicked to re-submit for authorization, I got the lovely error message that an unexpected error occurred. I refreshed, closed out and re-entered, and tried reducing the new permissions I was requesting, but got the same error reach time. Any ideas here?

Hi @trevor , welcome to the forum!

You are on the right track.

When using a JWT or CCG application, Box creates a service account user, and default to that user.

You can check who by hitting the me end point. for example:

def main():
    auth = JWTAuth.from_settings_file(".jwt.config.json")
    auth.authenticate_instance()
    client = Client(auth)

    user = client.user().get()
    print(f"User: {user.id}:{user.name}")

The service account user is like any other user and content must be explicitly shared for it to access. This explains why you don’t see the same content on the root folder.
When you use the developer token, it is associated with the user who creates it, so you can see that user content.

I see that you are using the classic SDK, you should try the new Next Gen SDK.

For the classic SDK, login with user (requires the generate user access token):

app_user = service_account_client.user(user_id='APP_USER_ID')

app_user_auth = JWTAuth(
    client_id='YOUR_CLIENT_ID',
    client_secret='YOUR_CLIENT_SECRET',
    user=app_user,
    jwt_key_id='YOUR_JWT_KEY_ID',
    rsa_private_key_file_sys_path='CERT.PEM',
    rsa_private_key_passphrase='PASSPHRASE',
    store_tokens=your_store_tokens_callback_method,
)
app_user_auth.authenticate_user()
app_user_client = Client(app_user_auth)

Impersonate with the as-user header:

user_to_impersonate = client.user(user_id='USER_ID_GOES_HERE')
user_client = client.as_user(user_to_impersonate)

You are on the right track to have the service account impersonate or login as any user, however the error is unexpected. Is it persistent? Can you try again?

Let us know

Hello! Thank you very much for responding to my question. I am still seeing the same issue when I try to re-submit my app for approval. I have shut my machine down, refreshed the page, played with flipping on and off various permissions, etc, but still getting the same error. Any ideas? Thank you for the callout on the next gen SDK. I tried using the code that you sent over, but I got the error that InvalidGrant: Please check the 'sub' claim.... I’m guessing this is likely because my service account doesn’t have permissions to generate access tokens/users?

Thank you again for helping me out with this, it is very much appreciated!

@trevor , I’m going to ask you to submit a support case:

https://support.box.com/hc/en-us/community/topics/360001934573-Support-Forum

You need to be logged in into some box account to do this.

Hopefully this wont take long

@trevor ,

As a hail mary, would you mind trying to create another app from scratch, and see how that goes?

I was able to create a new app and have pushed it up for review.

Support said they could only help with logins without a paid support plan :cry:. Too bad, because I really do think this is a bug. Oh well… hopefully my new app will work instead.

Hi @trevor

Looks like you are unblocked and moving forward. Perfect!

You should be able to create a support ticket from the link I posted above, with or without a paid account.

I keep a personal free account to have the same experience as a developer rather than an employee. When I navigate to the link above and login with my free account I see this:

Click the new post button, to create a new support post.

Let us know if this helps

The new account was able to give me access to download the files. I am set now and can access what I need to. Thank you so much for your help!

This topic was automatically closed 4 days after the last reply. New replies are no longer allowed.