Box Enterprise with Managed Users

What is the problem you are having with rclone?

I would like to use Box Enterprise with box_sub_type = user.

I would like to have users auth as themselves and access their own Box files. We are a Box Enterprise and we have Okta for SSO. I'm not sure how to authenticate in this situation.

In the Box admin console, here are the config options:

  • Application Access: Enterprise
  • Application Scopes: Read and write all files, Manage users
  • Advanced Features: Perform Actions as Users: off, Generate User Access Tokens: on
  • 1 key pair generated

According to Box documentation, I have things set up correctly. I altered the Enterprise ID to my Box Managed User id (not my company's Enterprise ID) per Box docs.

I feel like I'm just doing it wrong. Thanks for any help!

What is your rclone version (output from rclone version)

v1.53.2-DEV

Which OS you are using and how many bits (eg Windows 7, 64 bit)

macOS 10.15.7

Which cloud storage system are you using? (eg Google Drive)

Box

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone -vv config reconnect box:

The rclone config contents with secrets removed.

[box]
type = box
box_config_file = ~/.config/rclone/box-rclone.json
box_sub_type = user

A log from the command with the -vv flag

2020/12/15 17:05:32 DEBUG : rclone: Version "v1.53.2-DEV" starting with parameters ["rclone" "-vv" "config" "reconnect" "box:"]
2020/12/15 17:05:32 DEBUG : Using config file from "/Users/cwalker/.config/rclone/rclone.conf"
2020/12/15 17:05:38 DEBUG : jwtutil: Response Body: {"error":"invalid_request","error_description":"Cannot obtain token based on the enterprise configuration for your app"}
2020/12/15 17:05:38 Failed to configure token with jwt authentication: jwtutil: failed making auth request: 400 Bad Request

Leads to

https://support.box.com/hc/en-us/articles/360044191973-API-Authentication-Cannot-obtain-token-based-on-the-enterprise-configuration-for-your-app#:~:text=Root%20Cause,the%20changes%20to%20take%20effect.

Which says

To troubleshoot this issue, please follow the steps below:

  • Ensure that your application is configured to generate user access tokens in the Developer Console.
  • Reauthorize the application in the Admin Console to ensure any scope changes take effect.

Though looking through the Box developer console for rclone I am none the wiser - maybe it is an option I don't have access to, not having an enterprise account.

However you say above that you've set Generate User Access Tokens: on which seems to satisfy the docs.

That doesn't look like you've put your "app" secrets into the config.

You need to set client_id and client_secret in here, which you can get from the developer console.

I hope that is the right approach!

Both client_id and client_secret are in the box_config_file. I will try setting them explicitly, but I don't have high hopes. Thanks for taking a look!

I figured this out. I was trying to use JWTs, but OAuth is the right answer here. Sorry!

No problems!

Is this something other Box Enterprise users will struggle with?

Maybe you could write a paragraph or two on how you set it up and I can put it in the docs?

I'm not sure. I feel like if I'd just done it the normal, documented way from the beginning (instead of overthinking it), it would have all been fine. 🙂
