What is the intended use case for app auth and app users? - box-api

I am trying to understand what is the intended use case for app auth and app users. I'm basically thinking about building an app that would use Box to store data of users that would subscribe to our service. Our service would allow each user to access and view their data.
If I have an account that basically owns the data of all the subscribed users, can I use the enterprise access token as a base for authentication while using the user account token to restrict the user to only viewing the data from their specific sub directory? Or do I have to have a unique account with its own api key for every user?
I hope this makes sense. Any assistance would be appreciated.
Thanks.

App Auth and App Users -- which is officially called Box Platform -- is essentially a white-labeled version of Box. I think of it this way: "Box" as we know it is software-as-a-service. It offers a web app, mobile apps, and all the trimmings. Box Platform is the platform layer upon which the SaaS is built, providing API-based management of users/content/comments/collaborations/etc. With Box Platform you have a walled garden in which you can build apps that leverage all the features of the APIs, but are not otherwise "Box apps."
I'm basically thinking about building an app that would use Box to store data of users that would subscribe to our service. Our service would allow each user to access and view their data.
This is an appropriate use case. With Box Platform you will be the owner and administrator of a Box enterprise and all the accounts and data contained within.
If I have an account that basically owns the data of all the subscribed users, can I use the enterprise access token as a base for authentication while using the user account token to restrict the user to only viewing the data from their specific sub directory? Or do I have to have a unique account with its own api key for every user?
I think it's generally cleanest to create unique accounts for each user as opposed to giving users a special subdirectory in the admin account. From there you can use the App Auth workflow to get an access token specific to that user.

Related

Simple Esri/ArcGIS Online connection using a link or iframe

I was asked by a potential client if I can have my software interact with Esri/ArcGIS Online.
Use case: a user is logged into SomeRandomSoftwareApp and is looking at a Widget, this Widget includes an Esri asset id, the user clicks a link that passes that ID to Esri/ArcGIS Online and behind the scenes the user is logged into Esri and they see the data associated with the Esri/ArcGIS Online.
Thanks, Keith
If I understand correctly, you have two options for this: API Keys or Application Credentials.
The first one is a permanent token generated by the owner of the data that will allow the application easy access to it. This is still in beta, and it was not ready for use the last time I checked some time ago.
With the second one, the owner of the data will generate credentials for your application. With these credentials you will have to request a token each time you want to access the data, all this via OAuth 2.0.
Check the docs for more details: ArcGIS Services - Security

Project with Google API with self user auth

I was able to create a project to connect an app to Google data, for a specific account (followed Google People API).
But now I would like each customer to log in himself to his account and manage his data.
I can't create a project in the Google API Console for each customer; my app needs to read auth from each user who will use my app and "auto" create auth to read the Google contact data of the logged-in user.
Is it possible?
Could you suggest articles about how to do it?
It sounds like you are trying to do exactly what OAuth 2.0 (see the page you linked to) gives you: authenticating users. This differs from using an API key, which is only authorizing your project and has nothing to do with a user's credentials.
OAuth 2.0 combines a Client ID (associated with your Google Developers Console project) and a user's login (specific to the user who is accessing your app/site) to give you an authorization token. This token will let your app act on behalf of that user when calling that API. Just make sure to request the necessary scopes as part of the OAuth 2.0 authorization prompt given to the user.
How to give this prompt varies by environment, but many common options are listed on that link.
Note that you always use the same Client ID, so you only need one Google Developers Console project, but you are given a unique token specific to that user's login when they authorize your app, so this lets you act as any user who grants your app access to their account.

Docusign Integration - Single integration key for multi-tenant application

We're trying to implement a Docusign integration for a multi-tenant cloud application (i.e. https://company1.app.com, https://company2.app.com, etc...).
The goal is to allow the tenant admin (our customer) to upload envelopes containing document templates for users to sign when they first login. Each tenant admin will have their own Docusign account/envelopes.
We've implemented a solution for this; however, it requires each tenant admin to create a separate Integration key and go through the process of promoting it to a live account. This is not scalable for us and some of our tenant admins are not tech people, so they have trouble setting this up.
Is there a way to implement the Docusign integration using a single Integration key (our key), but still have tenant admins login with their own Docusign account and upload their own envelopes?
I think you are building a Docusign User Application. You should use the OAuth2 auth flows instead of creating a separate Integrator key for each tenant.
A user application is a client that authenticates every end user with DocuSign. These applications are typically web services, mobile applications, or desktop programs that authenticate individual users on the DocuSign platform. Once authenticated, users give consent for the application to display, send, or sign envelopes from their account. For user applications the OAuth2 auth flows are recommended.
A key issue that you may be missing is that your Integration Key works with any account. It is associated with your account just to manage it.
So as CodingDawg says, each of your customers can use your app by logging in with their own user credentials for their own account.
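The pattern that both the Google and the DocuSign answers above describe, one client ID (integration key) for the whole app and a separate token per consenting user, sketched as an added example that is not part of the original answers. It uses Google's authorization endpoint; `CLIENT_ID`, `REDIRECT_URI`, the session IDs and the `OAuthSessions` class are placeholders invented for illustration, and the code-for-token exchange itself is left to the caller.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumptions: Google's authorization endpoint; the two values below are placeholders.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "EXAMPLE_CLIENT_ID"          # one ID for the whole app, shared by all users
REDIRECT_URI = "https://app.example/oauth/callback"

class OAuthSessions:
    """One pending authorization per browser session, one token per user."""

    def __init__(self):
        self._pending = {}   # session_id -> (state, code_verifier)
        self._tokens = {}    # user_id -> token; never shared between users

    def begin(self, session_id, scopes):
        """Return the consent URL, bound to a fresh state and PKCE verifier."""
        state = secrets.token_urlsafe(32)
        verifier = secrets.token_urlsafe(64)     # 86 chars, within PKCE's 43-128
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
        self._pending[session_id] = (state, verifier)
        return AUTH_ENDPOINT + "?" + urlencode({
            "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "response_type": "code", "scope": " ".join(scopes),
            "state": state, "code_challenge": challenge,
            "code_challenge_method": "S256",
        })

    def finish(self, session_id, callback_url):
        """Validate the callback; return (code, verifier) for the token request."""
        params = parse_qs(urlparse(callback_url).query)
        pending = self._pending.pop(session_id, None)    # single use: replays fail
        if pending is None:
            raise PermissionError("no authorization in progress for this session")
        state, verifier = pending
        returned = params.get("state", [""])[0]
        if not hmac.compare_digest(state.encode(), returned.encode()):
            raise PermissionError("state mismatch: callback not bound to this session")
        if "code" not in params:
            raise PermissionError("denied: " + params.get("error", ["unknown"])[0])
        return params["code"][0], verifier

    def store_token(self, user_id, token):
        self._tokens[user_id] = token

    def token_for(self, user_id):
        return self._tokens[user_id]     # KeyError if this user never consented
```
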

Box Api Enterprise

I am asked by my company to do a Proof-Of-Concept for our document management using Box. We have an enterprise account.
What I did is I added an app in my account - to get my api keys ("client_id" and "client_secret").
Then after this, using the Box Api for .net4.0, I managed to connect my MVC app with our box account using OAuth2.
I can now view files and folders as well as upload files.
Now my problem is I need to restrict the files that can be viewed by the logged-in user.
I noticed that when changing the email that is used to log in (we're using SSO), the user info doesn't change.
I am using GetCurrentUserInformationAsync() method of the BoxApi V2.
Is it possible to perform user management using API?
(P.S. I am not the admin of our enterprise account)
Thanks
To change the email, you will require admin rights. First you need to create the email alias for that account and then you can replace the primary email address with your alias.

Box.Net users-on-behalf-of-enterprise-user working

In the Box developer documentation they ask to contact them with the API key generated.
Reference:
http://developers.box.com/docs/#users-on-behalf-of-enterprise-user
Is there any API (Java) to get the other users' mail box with the admin credential?
The primary purpose of "on-behalf-of" is to make calls on behalf of your company's users as an administrator. A great use case is if you'd like to prepopulate your new hire's account with a set of folders before they start on day 1.
In order to get the listing of enterprise users in your account, you would use the following API call if you are an administrator: http://developers.box.com/docs/#users-get-all-the-users-in-an-enterprise. This is currently not built into the Java SDK, but it is open source if you want to submit a pull request to it to add the functionality.