Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

platform app issues: users and as-user #376

Open
4 tasks done
kennyparsons opened this issue Nov 14, 2024 · 3 comments
Open
4 tasks done

platform app issues: users and as-user #376

kennyparsons opened this issue Nov 14, 2024 · 3 comments
Assignees
Labels
question Further information is requested

Comments

@kennyparsons
Copy link

kennyparsons commented Nov 14, 2024

  • I have checked that the [SDK documentation][sdk-docs] doesn't solve my issue.
  • I have checked that the [API documentation][api-docs] doesn't solve my issue.
  • I have searched the [Box Developer Forums][dev-forums] and my issue isn't already reported (or if it has been reported, I have attached a link to it, for reference).
  • I have searched [Issues in this repo][github-repo] and my issue isn't already reported.

Description of the Issue

I am working with a platform application authorized with the app access level set to App Access Only. The application has the following scopes: read, write, and manage users, and I have enabled the advanced feature to make API calls using the as-user header.

I am authenticating using the client credentials grant flow, and the application is successfully authorized and approved. My ultimate goal is to use Python to manage collaborations and download files from our Box tenant. However, I am encountering issues with the following:

  1. When I attempt to list users using client.users.get_users(), it consistently returns no users, even though my app has manage users scope and the advanced as-user header feature is enabled.
  2. I am unclear on the correct way to use the as-user header or impersonate users (e.g., an admin or managed user) to programmatically manage collaborators and perform actions on behalf of other users.

I know I am successfully authenticated because I can retrieve the current user, which shows the name of the platform application. However, I am stuck on retrieving all user IDs and impersonating users programmatically using the SDK.

Steps to Reproduce

  1. Create a platform application with App Access Only access level and scopes: read, write, and manage users.
  2. Enable the advanced feature to make API calls using the as-user header.
  3. Authenticate using the client credentials grant flow and the Box Python SDK Gen.
  4. Attempt to list users using client.users.get_users() and observe that the result has no users.
  5. Attempt to use the as-user header to impersonate a user but fail to understand the correct method or see desired results (I am unclear on how to do this step).

Expected Behavior

  • Listing users with client.users.get_users() should return a list of all users visible to the service account.
  • Using the as-user header to impersonate a user should allow performing actions on their behalf (TBD)

Error Message, Including Stack Trace

No specific error is raised, but the client.users.get_users() method returns an empty list of users.

Screenshots

N/A

Versions Used

Python SDK: box_sdk_gen==1.7.0
Python Version: 3.12.4

@congminh1254
Copy link
Member

Hi @kennyparsons

I believe that if you want to use "Make API calls using the as-user header" or "Generate user access tokens", you will need to have "App + Enterprise Access" for the App Access Level.

You can try the function client.users.get_user_me() to see if the as-user is working correctly for your request. As I tested, if App Access Level is "App Access Only" but use as-user header, I got error 403 with message Authorization Failed

Bests,
Minh

@kennyparsons
Copy link
Author

can you share your snippet to use the as-user header in python? I have yet to figure it out.

@congminh1254
Copy link
Member

Here is my code snippet:

ccg_config = CCGConfig("APP ID", "APP Secret", enterprise_id="EID")
auth = BoxCCGAuth(config=ccg_config)
client = BoxClient(auth=auth)
service_account = client.users.get_user_me()
print(f"Service Account user ID is {service_account.id}")

# Use as-user header
client = client.with_as_user_header("USER ID")
user_account = client.users.get_user_me()
print(f"User Account user ID is {user_account.id}")

This code is not working with App Access Only but App + Enterprise Access.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
question Further information is requested
Projects
None yet
Development

No branches or pull requests

7 participants