Design Automation API - Token Refresh - autodesk-forge

I am trying to access a Forge API endpoint using a 2-legged authentication token, but at a certain point my token becomes invalid or expired. Is there any option to refresh the token or increase its expiry time in the 2-legged authentication process?

For 2-legged tokens, once they expire, you have no choice but to request another one. That being said, I think this will be managed for you if you use one of the Forge/Design Automation SDKs.
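What "request another one" can look like in application code, as an added example that is not part of the original answer or of any Autodesk SDK: a cache that reuses a 2-legged token until shortly before it expires and then fetches a new one. `requestToken` is a hypothetical function you supply that performs the client-credentials request and resolves to `{ access_token, expires_in }`.

```javascript
// Added example: expiry-aware cache for 2-legged (client credentials) tokens.
// requestToken is a caller-supplied function (hypothetical name) that performs
// the actual token request and resolves to { access_token, expires_in }.
function createTokenCache(requestToken, { skewSeconds = 60, now = () => Date.now() } = {}) {
  let cached = null;   // { token, expiresAt } with expiresAt in epoch milliseconds
  let inFlight = null; // shared promise so concurrent callers trigger one request

  async function fetchFresh() {
    const res = await requestToken();
    if (!res || typeof res.access_token !== 'string' || !(res.expires_in > 0)) {
      throw new Error('token response missing access_token or expires_in');
    }
    cached = { token: res.access_token, expiresAt: now() + res.expires_in * 1000 };
    return cached.token;
  }

  return {
    // Resolves to a token that stays valid for at least skewSeconds more.
    async getToken() {
      if (cached && now() < cached.expiresAt - skewSeconds * 1000) return cached.token;
      if (!inFlight) inFlight = fetchFresh().finally(() => { inFlight = null; });
      return inFlight;
    },
    // Call after an API answers 401 so the next getToken() requests a new token.
    invalidate() { cached = null; },
  };
}
```

The skew avoids sending a token that expires while the request is in transit, and the shared in-flight promise keeps a burst of calls from issuing one token request each.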

Related

How to refresh an OAuth token before calling the Execution API?

I am calling the Apps Script Execution API from my web app. I get the token from ScriptApp.getOAuthToken() and store it inside a sheet. When I open my web app, I read the stored access token and call the Execution API with it.
But the problem is, after some time the token expires and it says "authorization is required" when I call the Execution API.
Is there any way to keep the access token alive or to refresh it whenever it is needed?
I. You cannot and you should not. At least not natively
There is no native Google Apps Script service method for obtaining a refresh token and exchanging it for a bearer token (and you would need one if you want to refresh an expired OAuth 2.0 token). That said, there is no practical reason to store the short-lived token obtained via the getOAuthToken method: if a user authorized your application, you can request a token on the fly each time you need to make a request.
II. If you still want to, use a library
There is an officially endorsed library for Google Apps Script that manages the OAuth 2.0 flow for you. When using it, you can obtain a refresh token if you set the offline access to true when issuing the token.
III. If you really want to DIY, you can always make your own flow
It is possible to perform a complete OAuth 2.0 flow (both with and without user interaction) by using only the native tools, by building a custom JWT token and exchanging it with Google Identity Platform endpoints. But that means you will have to manage everything:
1) Build the custom JWT token header and payload, then base64url-encode them, sign with an appropriate signature and concatenate into a token.
2) Exchange the custom JWT for a short-lived bearer token, validate it and extract the expiration time, then persist the token.
3) Each time you get the token from storage, check the expiration time, and reissue the token using the procedure in points 1 - 2.
4) Handle token revocation (note that you will not be able to invalidate it from Google's servers, only in your application).
And many more caveats along the way.
Note that the token cannot be "kept alive"; it goes against the idea behind the OAuth protocol: the shorter the lifespan of an individual token, the better the security of your application.
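The first step of the DIY flow above (build, encode, sign and concatenate the JWT), shown together with the checks the receiving side applies; this is an added example written for Node.js rather than Apps Script and is not part of the original answer. The issuer, scope and audience values are supplied by the caller, and the function names are hypothetical.

```javascript
// Added example: building and checking an RS256-signed JWT assertion.
const crypto = require('crypto');

const b64url = (text) => Buffer.from(text).toString('base64url');

// header.payload.signature, each part base64url-encoded, signed with RSA + SHA-256.
function buildSignedJwt({ issuer, scope, audience, privateKey, nowSec, lifetimeSec = 3600 }) {
  const header = { alg: 'RS256', typ: 'JWT' };
  const payload = { iss: issuer, scope, aud: audience, iat: nowSec, exp: nowSec + lifetimeSec };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const signature = crypto.sign('sha256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${signature.toString('base64url')}`;
}

// What a verifier does with such a token: pin the algorithm, check the
// signature over the exact bytes that were signed, then check expiry.
function verifyJwt(token, publicKey, nowSec) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const payload = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  if (typeof payload.exp !== 'number' || nowSec >= payload.exp) throw new Error('expired');
  return payload;
}
```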

Are three legged tokens supported in the Autodesk BIM360 Account Admin endpoints?

I have tried the endpoints to get projects and users with a three legged token, and in both cases I get a 403 with a response body that looks like:
{
"code": 1003,
"message": "Only support 2 legged access token."
}
This seems unequivocal, but doesn't seem to be consistent with the API documentation. Is access really only available using a 2 legged token or have I missed something?
Just to be clear, the endpoints I'm playing with are:
GET https://developer.api.autodesk.com/hq/v1/accounts/:account_id/projects
and
GET https://developer.api.autodesk.com/hq/v1/accounts/:account_id/users
The documentation states "Must be Bearer , where is obtained via OAuth", but there is no mention that only two legged authentication tokens are supported.
Yes, they are BIM360 HQ APIs (well known as Account Admin APIs), part of BIM360 API as I mentioned in the comment above.
Unfortunately, Account Admin APIs only allow access with a 2-legged access token now. In contrast, other APIs like Issues, RFIs, and Checklists support a 3-legged access token and a 3-legged access token with the uid.
Note:
Keyword user context required in the Authentication Context of the documentation means that it requires acting with a 3-legged OAuth token or a 2-legged OAuth token with user impersonation.
Keyword app only means that it supports 2-legged OAuth token only.

How to automatically get refresh token and replace to previous html in autodesk forge

I got stuck on how to get a token. Please, do you have any tutorial on how to get a refresh token? Thanks! I currently know how to show a model in a viewer; however, the token expires every 2 hours. It is frustrating for me to search online for how to get a token. Please, could you help me with this? Thanks!
These two articles should be of help.
About Refresh Token
Landing your Forge OAuth authentication workflow
When requesting an access_token you'll also get back a refresh token that will enable you to get a new access_token without the user having to log in again.
Depending on which programming language and environment you are using, you can also use our SDKs to make your life easier.
E.g. in the case of Node.js you can just npm install our forge-api package, which will have the necessary functions to request an access_token.
The steps are:
1) Redirect the user to the Autodesk log-in page (change both the client_id and redirect_uri to match the values that are used by your registered Forge application):
https://developer.api.autodesk.com/authentication/v1/authorize?response_type=code&client_id=xxx&redirect_uri=xxx&scope=data:read
2) Implement in your application the endpoint that you specified for your Forge application's redirect_uri
3) Using the token you got back above, request an access_token:
https://developer.api.autodesk.com/authentication/v1/gettoken
4) When you need a new access_token you can use the refresh_token that the gettoken endpoint also returned: https://developer.api.autodesk.com/authentication/v1/refreshtoken

Is it possible to use/convert a 3-legged token on Autodesk Forge Object Storage Service (OSS)?

I know Autodesk Forge "Object Storage Service" (OSS) requires a 2-legged security token...
I already use a 3-legged token to access Forge "Project Service" and "Data Service" APIs: is it possible to convert or request a 2-legged token from a 3-legged token?
If you try to use a 3-legged token with OSS you get an invalid token error.
I would like to avoid using two different authentication at the same time...
Thanks!
Unfortunately, token exchange is not possible - I checked the OAuth 2.0 specification, and I don't think the flow you describe is a valid flow anyway. Remember 2 legged is for application credentials, whereas 3 legged is to access a specific user's content.
No, a 2-legged token gives you the access to developer's resources. A 3-legged token gives you access to the logged in user's resources. They are not designed to be interchangeable.

Box.com API without user interaction

I'm developing a Google connector (for Google Search Appliance), and I need to do the authentication to box.com but without having to do the login and allow pages. Perhaps this is a duplicate of: Box API Login issue
There is a way to achieve this. You will have to retrieve your token using the OAuth2 flow the first time. Then you will need to store the access token in your database along with its refresh token. The access token expires in 1 hour. The refresh token expires in 14 days. You can use the refresh token to get a new access token every time you need to make a request, bypassing the user authentication flow. You will just need to make sure your refresh token is used within 14 days. You are better off setting up a cron job that refreshes your tokens.
I've built this in my application so just build this out and your app will work well.
I hope this helps.
The Box API is currently only accessible after authenticating a user through OAuth 2.
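The refresh step in the Forge answer above (step 4) and the stored-refresh-token approach in the Box answer follow the same pattern; this is an added example, not code from either answer or from the Forge or Box SDKs. `tokenUrl`, `post` and `store` are hypothetical caller-supplied pieces (for Forge, `tokenUrl` would be the refreshtoken URL quoted in step 4), and the form fields are those of the standard OAuth 2.0 refresh grant.

```javascript
// Added example: server-side refresh-token exchange with rotation handling.
// post(url, formBody) and store.load()/store.save() are caller-supplied
// (hypothetical) helpers; post resolves to { status, json }.
async function refreshAccessToken({ tokenUrl, post, store, clientId, clientSecret, now = () => Date.now() }) {
  const current = await store.load();
  if (!current || !current.refreshToken) {
    throw new Error('no refresh token stored: the user must authorize again');
  }
  // Form fields of the OAuth 2.0 refresh grant (RFC 6749, section 6).
  const body = new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    grant_type: 'refresh_token',
    refresh_token: current.refreshToken,
  }).toString();

  const res = await post(tokenUrl, body);
  const data = res.json || {};
  if (res.status === 400 || res.status === 401) {
    // Refresh token expired, revoked or already used: discard it and re-authorize.
    await store.save(null);
    throw new Error('refresh token rejected: the user must authorize again');
  }
  if (res.status !== 200 || typeof data.access_token !== 'string') {
    // Transient failure: keep the stored refresh token so a retry can still succeed.
    throw new Error(`token endpoint returned ${res.status}`);
  }
  const expiresAt = now() + data.expires_in * 1000;
  // Persist first: if the server rotated the refresh token, losing the new one
  // would lock the application out until the user logs in again.
  await store.save({
    accessToken: data.access_token,
    refreshToken: data.refresh_token || current.refreshToken,
    expiresAt,
  });
  // Only the short-lived access token leaves the server (e.g. to a viewer page).
  return { accessToken: data.access_token, expiresAt };
}
```

The client secret and the refresh token stay in server-side storage; a browser page that needs a token asks the server for the current access token instead of holding the long-lived credential itself.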