My Apps

    Downscope a Token

    Downscope a Token

    Downscoping is a way to exchange an existing Access Token for a new one that is more restricted.

    Reasons to downscope

    An application might need to share the Access Token with an environment that it does not fully control. A common example of this would be when using Box UI Elements in a web browser.

    When an application needs to pass an Access Token to the browser there is a potential security risk that needs to be resolved. In order to limit this risk the Access Token can be exchanged for a new token with much stricter permissions.

    High-level overview

    A downscoped token is a token that has fewer permissions (scopes) than the original token, as well as the optional additional restriction to only allow access to a specific file.

    Downscoping overview

    The new token takes the permissions of the original token and restricts them to the tokens passed in, as well as the resource provided.

    Downscoping in practice

    To downscope a token, pass the POST /oauth2/token endpoint an existing Access Token, a list of scopes, as well as an optional file URL to restrict the token to.

    cURL
    curl -X POST https://api.box.com/oauth2/token \
         -H "Content-Type: application/x-www-form-urlencoded" \
         -d 'subject_token=[ACCESS_TOKEN]' \
         -d 'subject_token_type=urn:ietf:params:oauth:token-type:access_token' \
         -d 'scope=item_upload item_preview base_explorer' \
         -d 'resource=https://api.box.com/2.0/folders/123456' \
         -d 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange'
    .NET
    var exchanger = new TokenExchange(client.Auth.Session.AccessToken, "item_preview");
    exchanger.SetResource("https://api.box.com/2.0/files/123456789");
    string downscopedToken = exchanger.Exchange();
    Java
    BoxAPIConnection api = new BoxAPIConnection("YOUR-ACCESS-TOKEN");
    
    String resource = "https://api.box.com/2.0/files/RESOURCE-ID";
    List<String> scopes = new ArrayList<String>();
    scopes.add("item_preview");
    scopes.add("item_content_upload");
    
    ScopedToken token = api.getLowerScopedToken(scopes, resource);
    Python
    target_file = client.file(file_id='FILE_ID_HERE')
    token_info = client.downscope_token(['item_preview'], target_file)
    print('Got downscoped access token: {0}'.format(token_info.access_token))
    Node
    client.exchangeToken('item_preview', 'https://api.box.com/2.0/files/123456789')
    	.then(tokenInfo => {
    		// tokenInfo.accessToken contains the new downscoped access token
    	});
    ParameterDescription
    subject_tokenThe original token to downscope. This can be a token that was acquired through OAuth 2.0, JWT token exchange, or as an App Token.
    scopeA space-delimited list of scopes to limit the new token to. Any valid scope for the application can be used, though a special set of scopes for Box UI elements is available
    resourceAn optional full URL path to the file the token should be restricted to.
    subject_token_typeAlways set to urn:ietf:params:oauth:token-type:access_token
    grant_typeAlways set to urn:ietf:params:oauth:grant-type:token-exchange

    Downscoped Access Token Object

    A downscoped Access Token returned by the *** endpoint contains extra information on the specific restrictions.

    {
      "access_token": "c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ",
      "expires_in": 3600,
      "token_type": "bearer",
      "restricted_to": [
        {
          "scope": "item_download",
          "object": {
            "id": 12345,
            "etag": 1,
            "type": "file",
            "sequence_id": 3,
            "name": "Contract.pdf"
          }
        }
      ],
      "refresh_token": "c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ",
      "issued_token_type": "urn:ietf:params:oauth:token-type:access_token"
    }

    Most importantly here is the list of restricted_to entries that will contain each combination of object and scope that the new token has the permissions for.