The permissions, or scope, of the OAuth 2.0 client determine which user details and resources the application can access and modify. There are two important groups of permissions, each corresponding to the type of token generated after authorization. The tokens issued to your application depend on the requested response_type and the client's permission settings. This article discusses the permissions. For information about the authorization parameters, see how to make your first request.
OpenID Connect (ID Token)
The "openid profile email" permission generates an id_token that carries details, or claims, about the user encoded in the token itself. These details are publicly readable (the payload is only base64url-encoded, not encrypted), but the token is signed with your client's Private Key, so you can verify its authenticity by checking the signature with your client's Public Key before trusting any claim. The claims available in the decoded token are:
Claim | Description |
---|---|
sub | Unique User ID / BoxC Account ID |
aud | Your Client ID is the audience for this token |
email | Registered email address |
email_verified | Indicates if the email address has been verified by BoxC |
family_name | Surname of the user |
given_name | Given name of the user |
name | Full name of the user |
locale | Language setting |
zoneinfo | Timezone setting (TZ database) |
exp | Unix timestamp of the token expiration |
iss | Identity provider that issued the token (accounts.boxc.com) |
iat | Unix timestamp of token creation |
API (Access Token)
The remaining permissions from the list affect which API resources your application can access and modify. Some resources like Warehouses and Entry Points are always accessible. The individual permission names on the client settings page provide some insight into what each one does. Having "write" access allows an application to create, update, and delete resources.
The generated access_token does not carry the same claims as the id_token: the profile claims are absent, and its audience is the API resource server rather than your client. The claims available in the decoded token are:
Claim | Description |
---|---|
sub | Unique User ID / BoxC Account ID |
aud | The API resource server is the audience for this token (api.boxc.com) |
iss | Resource server that issued the token (accounts.boxc.com) |
exp | Unix timestamp of the token expiration |
iat | Unix timestamp of token creation |
client_id | Your Client ID |
scope | A space delimited string of permissions |
Consent Screen
The consent screen a user sees when authorizing your application will be different depending on the permissions requested. This screen will appear when requesting permissions for both groups:
Changing your client's permissions causes users to authorize your application again - even if you're downgrading the scope. It will not invalidate existing tokens.