I'm using box API v2 and successfully with OAuth2. I'm successfully getting the access token back, but in order to avoid the "confused deputy problem" I need to have a way of getting the user id that a given access token relates to.
Is there a way of doing this? I'm trying to use the /tokens endpoint without luck. I read that you need to enable that but I can't find how. Even if I managed to enable it, would that help?
Thanks!
the /users/me endpoint will tell you the user id (and other info) associated with the access token that was used to authenticate the request. Documentation here.
Related
Currently I am developing a Chrome-GMAIL extension which requires me to get the logged in user's first and last names. For experimentation, I have used the following goggle API (userinfo) and have successfully obtained the names I wanted:
https://www.googleapis.com/auth/userinfo.profile
However, using the userinfo APIs will cause a change in the OAuth2 scopes in my manifest. This change will in turn cause a permission-prompt to my existing users (if a domain wide delegation is not setup in place). Point being the idea of having more prompts in front of my user, or additional oauth scope is not really something I desire.
Currently our extensions use the following OAuth scopes and API :
Chrome's Identity API
Chrome's Storage API
GMAIL.modify
GMAIL.send
My question is, is it possible to get the first and last names using an API that is defined/allowed/provided for by any of the above scopes/permissions I listed? or is userinfo the only way to go?
Thank you very much.
Profile data like first name and last name is private data. You are corect that some Google apis give you access to some data that would normally require an extra scope. For email normally you would need to to request the email scope to get this back however the Gmail api does have an endpoint getprofile which will return the current users email address without you requesting the email scope.
However i am not aware of any apis that will give you access to the users first and last name without you requesting the profile or user.profile scope.
If you do decide to add the scope, I do recommend going though the people api rather then the userinfo endpoint as the data returned by the user info endpoint is not guaranteed to always return the name.
I created a users resource for my RESTAPI and now i am able to register a user.
After that i installed passport and i am getting the token.
When i tried to accesss
'/user'
I got as unauthorized.
When i pasted the token in Authorization Header, i was prompted with api_token column is missing, on which i updated my migration for api_token column with string 60.
Again when i tried to access '/user' i am still getting as unauthorized.
Followingly, let me say i got posts generated as resource. I want my moderator or admin only to have delete access not to the user. How can i achieve it? In short, how to control the authorization for resource routes.
Are you using the api middleware and auth:api? Submitting a X-CSRF-TOKEN as well? GET or POST? Need more info to help you out here.
I was trying to make Box Enterprise API work using As-User. I have a admin account which i used to try to retrieve the Contents in a sub account.
I first used the admin account to retrieve the User ID of the sub account. And added the User ID as a field "As-User: ########". However, I was returned with a reply of 403.
The error message : "The request requires higher privileges than provided by the access token."
I am using the access token i had used to retrieve the user list. Do I have to get a new access token using the as the new user? or is the admin access token fine?
GET /2.0/folders/0/items HTTP/1.1\r
Host: api.box.com\r
Authorization: Bearer #######################\r
As-User: ########\r
Connection: close\r
\r
The access code is the same access code used to retrieve the user list /user
All the scopes has been checked
Your application must be manually approved by Box for As-User requests. The documentation mentions this but it's easy to miss. To start the approval process send Box a note and include your API Key.
I am unable to add a comment on this, so I would like to add (in case the support staff doesn't give you a head's up) you may have to do this after they enable the As-User header --
Go back to your - Admin Console->Business Settings->Apps
Find the Custom Applications section
Authorize or reauthorize the app you are working with
I had the same problem and found this:
https://support.box.com/hc/ja/community/posts/360049157874-Insufficent-scope-when-trying-to-make-a-call-using-As-User-header
So you should use the scope admin_on_behalf_of.
I'm trying to use the Graph API to get the feed of multiple public groups then that of multiple users.
When it comes to the feed of groups, it works flawlessly, all I have to do is fetch the following :
graph.facebook.com/$group_id/feed?limit={feedLimit}&access_token={access_token}
My access token being comprised of: AppID|AppSecret
However when it comes to fetching the feed of a user (Whose confidentiality settings are set to public of course) all I get is an empty answer. I would've thought it impossible to get such info and stopped there but then I stumbled upon ApiGee. All I have to do then is authenticate as a user (facebook-Authenticated-user) and it works.
Here's an image of it: http://s9.postimg.org/ynq5tar9r/feed.jpg
My question is : "How is that possible? I've read all I could in the docs and I still can't understand how it works. And how can I remedy that?"
Thank you.
The token you are using is an App token (AppId|AppSecret). With the app token you can't really get users personal feeds. With ApiGee you authenticated to get a user token, which can be used to fetch posts on the authenticated user's feed.
Read more about Facebook's access tokens
I know the steps to authenticate user and getting the user info after performing this call:
GET https://www.box.com/api/1.0/rest?action=get_auth_token&api_key={your api key}&ticket={your ticket}
But what I'm really looking for is to get user info after performing certain operation such as upload new file, in particular the user quota:
<space_amount>1234567</space_amount>
<space_used>1234</space_used>
Is there any way to get the latest user quota without calling the 'get_auth_token' again? As I understand it, 'get_auth_token' will generate new auth_token which I'd like to avoid.
There isn't yet a fully equivalent method in the v2 API. but you can utilize the get_account_info method from the v1 API to retrieve this information.