0

I am new to OAuth 2.0 and a little bit unclear about the best approach for user case, which is described below.

I have a web service which we use to pull data from box.com. It is multi-thread services, in that there can be multiple thread pulling from box.com at the same time. Plus, we have multiple instance of the web services, which will pull files from box.com. They do collaborate in a way so that the same file does not get pulled twice by different instance of the service. If an instance of the web service is down, the work load is migrated to the other available instances.

So here is a list of questions?

  1. Is the BoxClient provided by the box.com java api v2 thread safe?
  2. If the BoxClient is not thread safe, when instantiating a new client, do I need to request to the user/owner of the folder to approve my request for a new access code? It seems like quite a burden for the user/owner of the folder.
  3. If I keep a copy of the refresh token, Can I create a new BoxClient without going through the dance of oauth 2.0 again? Any example code?
Peter
  • 2,551
  • 1
  • 14
  • 20
user3813622
  • 1
  • Welcome to SO. I like that you asked some pretty specific questions. If you have trouble getting answers, you might try breaking each one out into it's own post (with a matching title). – Mike M Jul 07 '14 at 19:28

2 Answers2

0

The Java SDK provided on github is the same one used by Box to power some multi-threaded and multi-server processes here at Box.

As for "keeping a copy of the refresh token" a couple bits of advice.

  1. They can only be used for a short time-window. Don't plan on holding onto a refresh-token and using it for months. Even though it is good for 60 days, it's also only good until used.
  2. When you do use a refresh-token, Box has tried to make it fault-tolerant, multi-server and multi-thread compatible by allowing you to use it a bunch of times within a short window. That way if there's a network interruption, you can try again and be successful. Or if you have multiple nodes trying to do the refresh, they'll all get the same new AT/RT pair, as long as you don't start using the new AT (which basically signals to Box that you've really got the new pair, and you're ready to use it).

Hope that helps. Keep the good questions coming.

Peter
  • 2,551
  • 1
  • 14
  • 20
  • How about the mechanism to obtains the refreshtoken? I am wondering if there is a way to obtain the refreshToken automatically without human intervention? – user3813622 Jul 28 '14 at 18:44
0

After some reading about the source code of the sdk, Here is the code I come up for getting the box client with a refresh token:

public BoxClient getAuthenticatedClient(String refreshToken, String apiKey, String apiSecret)  {
    BoxResourceHub hub = new BoxResourceHub();
    BoxJSONParser parser = new BoxJSONParser(hub);
    IBoxConfig config = (new BoxConfigBuilder()).build();
    BoxClient client = new BoxClient(apiKey, apiSecret, hub, parser, config);
    Map<String, Object> map = new HashMap<String, Object>();
    map.put(BoxOAuthToken.FIELD_REFRESH_TOKEN, refreshToken);
    BoxOAuthToken bt = new BoxOAuthToken(map);
    client.authenticate(bt);
    return client;
}
user3813622
  • 1