Changelog

Upcoming change to JWT format

Impactful API

On August 4th, 2021, as part of our continued infrastructure upgrades, we will begin deployment of a change that may affect custom applications leveraging Server Authentication with JSON Web Tokens (JWT).

Potential impact will require additional verification from customers who do not use an official Box SDK and are storing tokens in a database.

All customers and application owners who are potentially impacted have been notified directly via email.

Change overview

This change may only impact applications leveraging Server Authentication with JSON Web Tokens (JWT). Tokens will continue to return as a string as stated in our documentation. However, the format will be longer and contain special characters.

An example of a token returned today: NXWd9KDPVofXQKZJlQjICCWFHEmuOihs.

After this change, tokens will return in the following format:

1!yxxhRreQCKcEbC_ZfYvPudyLe7Ed36gIQcqqZo2pfaVZyxNBkQjoHk0fgA1iTY3_uwXgif-hg-gne aUdLRmGCb2He6tyQ_rA8aV-CllTyBbd9Tx-wU6Fnt4Df9XjzBAk8Dj7RYc1Ew_fcY2vfycpCvjwHLgql jzjEpVIrOpOlK_2AyP5FExzn0x7DtbkaGc6avJU8UMQd_huXoJ7CnXIL_JBzVrW4D32pBLQ2AZIuecOZ NMIy9T8PdUiZIG6xKEPqYmm21mQHEM0d7dT5foSBtjm65-Ah2tb2MdSGFb1G1O24vz2GmYFgmIe5UOol qYIGg-0u2xQPC3F76WiNCiU_TP1JDQYi3HKaos807WkRtnBY5Vd-VAbY9DH-Qo3u1EiB0RFr4cht2N7V B99y-379IEYzCojL2V58dE_pBxpRMv4KcOLVsUfDkbx3uo34H4UzOycI_IWGWrhVJD4M7GeLeD_5Vkmj fbwYl2CmHdXAKbZKtXTHjzB0CZixZriT_wRUpsN8GTrrxGbx9ukgzJWRJwelGZ_1Yx7vP4Zkx3OfR5Be -Tso7xdHd9rW0FXsu024U7dMNuQ6kpP1_kJI2Y.

Please note that this is not a new format to Box, as this format is currently returned when downscoping tokens.

Verifying application impact

  1. Navigate to Admin Console > Apps Tab > Custom Apps.
  2. Click View for each app row listed.
  3. Scroll to the bottom of the app details page and verify the selected authentication method. Affected apps will say Server Authentication with JSON Web Tokens.

For each application identified above, you will need to determine:

  1. Is it using an official Box SDK? If so, no further action is required to prepare for this change. While it is always best practice to be on the latest version, no minimum versions are required for compatibility.
  2. If an official SDK is not used, are tokens stored in a database? If so, you will need to perform additional verification that the database can handle both the new length and special characters.

Testing before release

If you have identified an application that leverages Server Authentication with JWT and stores tokens in a database, you will want to perform the test below before August 4th.

As mentioned above, the new format for tokens is currently used when downscoping tokens. Therefore, perform the following steps to assess impact:

  1. Generate an Access Token for the application
  2. Downscope the token from step 1
  3. Attempt to store the downscoped token in your database

If you are successfully able to store the token in the database, no further action is necessary to prepare for this change.

If you are unable to store the token, your database must be updated to support the additional length and special characters.
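
The storage check from the steps above can be rehearsed locally before touching a real token. This added example (not Box code) uses an in-memory SQLite table with a hypothetical `box_tokens` schema and a constructed token that mimics the new shape (a `1!` prefix followed by several hundred URL-safe characters); the legacy length and character limits are assumptions modelled on the 32-character example above.

```python
import re
import secrets
import sqlite3

# Assumption: limits a legacy app might enforce, modelled on the 32-character
# alphanumeric token the page shows as today's format.
LEGACY_MAX_LEN = 32
LEGACY_PATTERN = re.compile(r"[A-Za-z0-9]+")

def make_sample_token(n_bytes=480):
    """Constructed stand-in for a new-format token: '1!' plus URL-safe chars."""
    return "1!" + secrets.token_urlsafe(n_bytes)

def audit_token_handling(token, max_len=LEGACY_MAX_LEN, pattern=LEGACY_PATTERN):
    """Return the legacy assumptions (length, charset) this token breaks."""
    problems = []
    if len(token) > max_len:
        problems.append(f"length {len(token)} exceeds limit {max_len}")
    if not pattern.fullmatch(token):
        bad = sorted(set(re.findall(r"[^A-Za-z0-9]", token)))
        problems.append("characters rejected by validator: " + "".join(bad))
    return problems

def open_db(max_len=None):
    """In-memory table (hypothetical schema); CHECK emulates VARCHAR(max_len)."""
    conn = sqlite3.connect(":memory:")
    check = f" CHECK (length(token) <= {int(max_len)})" if max_len else ""
    conn.execute(f"CREATE TABLE box_tokens (id INTEGER PRIMARY KEY, token TEXT{check})")
    return conn

def round_trip(conn, token):
    """Store the token and read it back; True only if it survives unchanged."""
    try:
        cur = conn.execute("INSERT INTO box_tokens (token) VALUES (?)", (token,))
    except sqlite3.IntegrityError:
        return False  # rejected outright by the schema
    row = conn.execute(
        "SELECT token FROM box_tokens WHERE id = ?", (cur.lastrowid,)
    ).fetchone()
    return row[0] == token  # mismatch = silent truncation or re-encoding

if __name__ == "__main__":
    new_token = make_sample_token()
    for problem in audit_token_handling(new_token):
        print("breaks:", problem)
    print("VARCHAR(32)-style column:", round_trip(open_db(32), new_token))
    print("unbounded TEXT column:  ", round_trip(open_db(), new_token))
```

To complete step 3, adapt `round_trip` to your own driver and table and feed it a real downscoped token; a `False` result without an exception means the backend altered the value on write.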

Where to get support

Should you have any questions or need further guidance, please email jwt-set-rollout@box.com.

Box Node SDK v1.37.2 released

SDKs Node GitHub

Bug Fixes:

  • Fix backwards compatibility issue by moving some TypeScript @types as direct dependencies (#630)

Box Node SDK v1.37.1 released

SDKs Node GitHub

Bug Fixes:

  • Insensitive language: replace whitelist with allowlist (#625)

Box UI Elements v13.0.0 released

Feature Impactful SDKs UI Elements GitHub

13.0.0 (2021-04-22)

Bug Fixes & Features

This release fixes several bugs. For a full list, please see the release notes.

Box iOS SDK v4.4.0 released

Feature SDKs iOS Mobile GitHub

Breaking Changes:

New Features and Enhancements:

  • Add support for search parameter to get shared link items (#756)
  • Add support for folder lock functionality (#759)
  • Add support for copyInstanceOnItemCopy field for metadata templates (#763)
  • Add support for stream upload of new file versions and add support for 'If-Match' header when uploading new file versions (#766)
  • Add additional details field for Event model (#770)

Bug Fixes:

  • Pass only a scheme to iOS Authentication APIs (#755)
  • Update listEnterpriseGroups() to use documented parameter for filtering by name (#757)
  • Fix bug for OAuth where the callback is not called if token has been revoked (#762)

Box Node SDK v1.37.0 released

Feature SDKs Node GitHub

New Features and Enhancements:

  • Add support for copyInstanceOnItemCopy field for metadata templates (#572)

Bug Fixes:

  • Fix webhook signature validation (#568)
  • Update dependencies to patch security vulnerabilities (#578)

Box Python SDK v2.12.0 released

Feature SDKs Python GitHub

New Features and Enhancements:

  • Add metadata query functionality (#574)
  • Add folder lock functionality (#581)
  • Add search query support for the include_recent_shared_links field (#582)
  • Update get_groups() to use documented parameter to filter by name (#586)

Notice of behavior change for item download events

API

Starting today, we will begin rolling out changes to the behavior of item download events when an application consumes those events from our event API endpoints.

This change will only affect the ITEM_DOWNLOAD user event and will not affect existing enterprise events. The new behavior will not cause downtime within existing applications or require any application changes to prevent uptime disruptions.

Change overview

Under the previous behavior, when events were consumed, downloaded item events were surfaced through the ITEM_DOWNLOAD event type for the owner of the content as well as any contributors assigned to the content. This meant that if a file with 2000 collaborators on it was downloaded, the file owner plus all 2000 collaborators would have an event created stating that the file was downloaded.

With the new behavior, notification of an item being downloaded will only be created for the owner of the content and will not be produced for collaborators. This will help to reduce the noise of the event stream while preserving the ability to see when items are downloaded as a content owner.

Where to get support

Should you have any issues or need further guidance, please post a request to our developer forum for any help needed.

New option for downscoping tokens using shared links

Feature API

When requesting an access token, you now have the ability to downscope that token to a file or folder using a shared link.

This new parameter may be used instead of using the resource parameter, which allows you to supply a file or folder ID to perform the same action.

Updates

  • Added new box_shared_link request parameter to downscoping documentation. A shared link may be supplied to downscope an access token as shown below.

    curl -i -X POST "https://api.box.com/oauth2/token" \
         -H "Content-Type: application/x-www-form-urlencoded" \
         -d "subject_token=[ACCESS_TOKEN]" \
         -d "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \
         -d "scope=item_upload item_preview base_explorer" \
         -d "box_shared_link=https://cloud.box.com/s/123456" \
         -d "grant_type=urn:ietf:params:oauth:grant-type:token-exchange"

Box Java SDK v2.54.0 released

Feature SDKs Java GitHub

New Features and Enhancements:

  • Add file request support (#869)

Bug Fixes:

  • Fix BoxWeblink deserialization (#881)