Forge: Occasional 403 when trying to GetPublishJob - autodesk-forge

We are occasionally seeing an issue with some projects where, when we try to do a GetPublishJob on a BIM360 model, we get back a 403 error, like this:
{"jsonapi":{"version":"1.0"},"errors":[{"id":"ad23cbc6-dc82-4dfd-83f9-6acd14bac6d2","status":"403","code":"C4R","detail":"Failed to get publish model job"}]}
In the docs, it says it could be whitelisting or permissions. We know our app is whitelisted, because we would not have made it this far if it wasn't. We're using 3-legged OAuth, and we believe that the user is able to manually perform the Publish. Can you tell us what specific other permissions might need to be investigated?

I am not typing an answer yet, while I want to check some information with you:
If what you are using is this endpoint, it is public, so it does not need to be whitelisted: https://forge.autodesk.com/en/docs/data/v2/reference/http/GetPublishModelJob/
Since you are using a 3-legged token, I doubt it may be due to an expired token, while normally it should be a 401 error.
With the same token, can your code perform Publish Model?
https://forge.autodesk.com/en/docs/data/v2/reference/http/PublishModel/
Was this workflow working well in the past, or did it just fail recently?
To use this endpoint, the logged-in user (for a 3-legged token) should have access to the folder.

Related

Analytics API v3 | Error 401 (Invalid Credentials) Only On A Few Accounts

Hey
I work for a marketing agency and I've developed a small script in Google AppScripts that pulls data from my customers' Analytics accounts and formats it into a Google Slides presentation.
How it works:
Our customers give us access to their Analytics views, and using Analytics API I get the id of each view shared with us on our main account and use these ids to make requests to the API.
The script works perfectly fine for almost every view, but recently I've had issues with some Analytics accounts.
Basically I get a 401 response code, despite having manager access to the given property.
The method I use to make requests to the API is Analytics.Data.Ga.get, and here is what the result looks like:
[18-10-23 06:57:02:128 PDT] {totalsForAllResults={ga:users=0}, totalResults=0,
columnHeaders=[{columnType=DIMENSION, dataType=STRING, name=ga:userGender},
{columnType=METRIC, dataType=INTEGER, name=ga:users}],
profileInfo={profileName=Toutes les données du site Web, accountId=xxxxxx,
profileId=xxxxxx, tableId=ga:xxxxxx,
webPropertyId=UA-xxxxxx-x, internalWebPropertyId=xxxxxx}, itemsPerPage=1000,
kind=analytics#gaData, query={end-date=2018-09-30, max-results=1000,
start-index=1, ids=ga:174758787, start-date=2018-07-01, metrics=[ga:users],
dimensions=ga:userGender}, containsSampledData=false,
id=https://www.googleapis.com/analytics/v3/data/ga?ids=ga:xxxxxx&dimensions=ga:userGender&metrics=ga:users&start-date=2018-07-01&end-date=2018-09-30, selfLink=https://www.googleapis.com/analytics/v3/data/ga?ids=ga:xxxxxx&dimensions=ga:userGender&metrics=ga:users&start-date=2018-07-01&end-date=2018-09-30}
When I go to that "id" link, here's what I get:
{
  "error": {
    "errors": [
      {
        "domain": "global",
        "reason": "required",
        "message": "Login Required",
        "locationType": "header",
        "location": "Authorization"
      }
    ],
    "code": 401,
    "message": "Login Required"
  }
}
I gathered this has to do with the OAuth2 protocol, which I never had to worry about since it's usually automatically handled by AppScripts.
I've looked around pretty much everywhere trying to fix the problem myself, but I can't seem to wrap my head around the OAuth 2 protocol, and the way it works in this very case.
I've already created credentials for my script, so I have access to my client id and client secret for this project.
My assumption is that the tokens for the problematic accounts have expired, and I need to refresh them somehow and give them the right scope. I just have no idea how to do that.
I would be very thankful if anyone could enlighten me on this one :)
Have a nice day!!
Fixed the problem, turns out it has nothing to do with the OAuth2 protocol. The demographics reports were simply turned off in Analytics for these accounts, which is why I wasn't getting any response from my query.
If anyone is wondering, the error 401 in the REST request is because no token or key is passed at the end (using "?key=..." or "access_token=..."), so it's like some anonymous person tried to access the data.
If you wonder how to get the access token, you can get the token using Query Explorer. After running a query, select "Include current access_token in the Query URI (will expire in ~60 minutes)."
Anyway, this can be closed.

Google Drive API downloadURL 401 error

Anybody can help or enlighten me with my issue:
I'm a Java developer and I have an existing smart printer app called GDrive App. It uses Google Drive API (oauth 2.0, gdata-version 2.0 and 3.0 for download-print file).
This has been working for months until now. Actually, only the download-printing part is no longer working this time, I can still access the app (retrieve files, create folder, search and delete files).
Actual problem:
I keep on getting 401 error when I try to download file (to input stream) for printing. It's confusing because I already provided all the necessary information during the request. And it has been working for many months. No changes of the code. Weird.
I have this for headers:
[Authorization: Bearer ya29.CjAkA8uPBUsKWYMSEDpPxUbP_vtQJOKfCZ7O8I4GkpUkN70bGgnDTAVYiVW2m353H2Y
, GData-Version: 3.0
]
While executing this URL to download and print the resource, I couldn't access it.
https://doc-0o-7o-docs.googleusercontent.com/docs/securesc/l9c2gms12ko7qqfc58putbb2v38kkvmm/dp5l9kmpu48kdi8mp2rvtmc1dm1f41tk/1468828800000/09859633411849852329/09859633411849852329/0ByU-nFK_03gtZGhBZkxCYmExeGc?e=download&gd=true
Error 401 means that you aren't authorized properly. Most likely the ya29.CjAkA8uPBUsKWYMSEDpPxUbP_vtQJOKfCZ7O8I4GkpUkN70bGgnDTAVYiVW2m353H2Y access token you are using expired and you have to request another.
You should write your code to anticipate the possibility that a granted token might no longer work. A token might stop working for one of these reasons:
The user has revoked access.
The token has not been used for six months.
The user changed passwords and the token contains Gmail, Calendar, Contacts, or Hangouts scopes.
The user account has exceeded a certain number of token requests.
source
You can use GoogleAuthorizationCodeTokenRequest to request an access token and possibly a refresh token.

Node.js security

I am building a basic app using node.js and mysql and just getting the hang of it. I would like to secure the API, like only allow certain people to access the data, maybe by passing a certain token each time a user requests some information. I tried searching for certain tutorials which used node.js and a mysql database and security; I am confused as to which security measure to use. I even read about JSON Web Tokens but didn't find a proper tutorial for that. Please point me in the right direction.
EDIT
What I meant to say was, only authenticated users are allowed to get access to data in the API; when a random visitor tries to access a URL he shouldn't be allowed to without proper authentication. What I am mostly looking for now is: when a user is authenticated, the user should be sent a token of some sort so he then gets access to private data. I don't exactly know how to go about this whole thing. Would be glad if you could clear it up for me.
I would look at implementing Oauth2 server in your app. I found this article useful:
http://blog.papersapp.com/oauth-server-in-node-js/
Not sure what your exact question is about, but I think the below will help:
Node.js security tips: http://blog.risingstack.com/node-js-security-tips/
Secure Express apps with various HTTP headers: https://github.com/helmetjs/helmet
Go on an educational Web security adventure: https://github.com/toolness/security-adventure
Node.js Security presentation: http://www.slideshare.net/d0cent/nodejs-security?qid=c450507b-e491-4e9a-9b05-89d0c82ea10b&v=default&b=&from_search=6
Take a look at http://passportjs.org/ . Passport has support for a lot of authentication methods; however, for your API, you will probably want to use OAuth (http://passportjs.org/docs/oauth2-api). OAuth is what most popular APIs use to authenticate consumers.
For simple projects, you can also use basic authentication, which is what you see when the browser prompts for a username and password. This authentication information can be sent in the header when API consumers make requests.

Google Drive download limit / throttle on individual file downloadUrls?

I'm seeing a 403 "Access to the webpage was denied" error on one specific file being accessed via the Drive SDK. It was working earlier, the app permissions are set correctly, and we're having success with other files using different tokens against the same app.
We're getting the downloadUrl from the SDK successfully, then seeing the error message only after users are redirected to the downloadUrl. Because of that it's hard to track, but we've confirmed that it's working for some, but not for others — it hasn't fully stopped.
The full error text is:
Access to the webpage was denied
You are not authorized to access the webpage at [...] You may need to sign in.
HTTP Error 403 (Forbidden): The server refused to fulfill the request.
We're including the GET download and (valid) access_token parameters, all that.
My question is this: could this be related to the reported Google Drive outage that's currently happening, or is there some sort of throttle/limit to access of a single file over the drive API? I've never seen this behavior before, and this response isn't listed among the standard 403 responses.
I have just seen something similar. I was using a freshly acquired access token, so I don't think it's oauth related. My working theory is that the downloadUrl link was stale. When I got fresh meta data, which had a different value in downloadUrl, it worked using the same access token that had previously failed.
This is only a theory since it isn't documented anywhere, and I would actually expect 410 (or even 301) as a much more appropriate status than 403.
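The two Drive threads above describe two different failures that look alike from the client: a 401 on a download because the access token is no longer accepted (the expiry/revocation list quoted from Google's docs), and a 403 on a downloadUrl that has gone stale even though the token is fine. Here is an added example, not code from either thread or from the Drive SDK, of a client that recovers from each the way the answers suggest: on 401 it refreshes the token exactly once and retries; on 403 it re-reads the file metadata and retries once with the fresh downloadUrl, without touching the token. The transport and token source are injected, and a constructed fake server stands in for Drive so the whole thing runs offline; the endpoint paths, file id and token strings are all made up for the demo.

```javascript
// Client: transport and token source are injected so the same logic runs
// against a real HTTP library or the fake server below.
function makeDriveClient({ http, refreshAccessToken }) {
  let accessToken = null;
  const stats = { tokenRefreshes: 0 };

  async function refresh() {
    accessToken = await refreshAccessToken();
    stats.tokenRefreshes++;
  }

  // 401 means the token is no longer accepted (expired, revoked, ...):
  // refresh once and retry. A 403 is NOT a reason to fetch a new token.
  async function get(url) {
    if (accessToken === null) await refresh();
    let res = await http(url, { Authorization: `Bearer ${accessToken}` });
    if (res.status === 401) {
      await refresh();
      res = await http(url, { Authorization: `Bearer ${accessToken}` });
    }
    return res;
  }

  const getMetadata = (fileId) => get(`/files/${fileId}`);

  // Download by file id, optionally through a downloadUrl obtained earlier.
  // A 403 on a previously obtained URL is treated as a stale link: re-read the
  // metadata and retry once with the fresh URL and the same token. A 403 that
  // survives that is reported as a genuine authorization failure.
  async function download(fileId, knownDownloadUrl = null) {
    let url = knownDownloadUrl;
    if (url === null) {
      const meta = await getMetadata(fileId);
      if (meta.status !== 200) return { ok: false, stage: 'metadata', status: meta.status };
      url = meta.body.downloadUrl;
    }
    let res = await get(url);
    if (res.status === 403) {
      const fresh = await getMetadata(fileId);
      if (fresh.status === 200 && fresh.body.downloadUrl !== url) res = await get(fresh.body.downloadUrl);
    }
    if (res.status !== 200) return { ok: false, stage: 'download', status: res.status };
    return { ok: true, content: res.body };
  }

  return { download, getMetadata, stats };
}

// Constructed fake of the two endpoints the client touches. Each metadata read
// hands out a new downloadUrl and the previous one starts answering 403, which
// mimics the stale-link behaviour described in the answer above.
function makeFakeDrive() {
  let tokenSeq = 0;
  let urlSeq = 0;
  const validTokens = new Set();
  const files = { f1: { content: 'hello, printer', currentUrl: null } };
  const issueToken = async () => {
    const t = `tok-${++tokenSeq}`;
    validTokens.add(t);
    return t;
  };
  const http = async (url, headers) => {
    const tok = (headers.Authorization || '').replace(/^Bearer /, '');
    if (!validTokens.has(tok)) return { status: 401, body: null };
    const meta = /^\/files\/([\w-]+)$/.exec(url);
    if (meta) {
      const f = files[meta[1]];
      if (!f) return { status: 404, body: null };
      f.currentUrl = `/download/${meta[1]}/${++urlSeq}`;
      return { status: 200, body: { downloadUrl: f.currentUrl } };
    }
    const dl = /^\/download\/([\w-]+)\/\d+$/.exec(url);
    if (!dl || !files[dl[1]]) return { status: 404, body: null };
    const f = files[dl[1]];
    return url === f.currentUrl ? { status: 200, body: f.content } : { status: 403, body: null };
  };
  return { http, issueToken, expireAllTokens: () => validTokens.clear() };
}

// Runs the situations from both threads end to end and returns the outcomes.
async function runScenarios() {
  const drive = makeFakeDrive();
  const client = makeDriveClient({ http: drive.http, refreshAccessToken: drive.issueToken });
  const fresh = await client.download('f1');               // first token fetched, clean download
  drive.expireAllTokens();
  const afterExpiry = await client.download('f1');         // 401 on metadata -> one refresh -> ok
  const refreshesAfterExpiry = client.stats.tokenRefreshes; // expected: 2
  const staleUrl = (await client.getMetadata('f1')).body.downloadUrl;
  await client.getMetadata('f1');                          // server rotates the link; staleUrl now 403
  const stale = await client.download('f1', staleUrl);     // 403 -> fresh metadata -> ok, no token refresh
  const missing = await client.download('no-such-file');   // 404 on metadata, reported without retries
  return { fresh, afterExpiry, refreshesAfterExpiry, stale, missing, totalRefreshes: client.stats.tokenRefreshes };
}

runScenarios().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The split matters for diagnosis as much as for recovery: if you log which branch fired, a burst of 403s that clear up after a metadata refresh points at stale links, while 403s that persist with fresh metadata and a fresh token point at permissions, and neither should be "fixed" by blindly requesting new tokens in a loop.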

How to learn to handle HTTP requests of protected resources?

I've written a tiny script that retrieves publicly available data from some APIs in JSON format. I'm now trying to get some protected data out of bit.ly (click stats for a given user), and so I obviously need to authenticate via OAuth.
I don't seem to understand the role of client id and secret, as well as the user API key. I also don't get how to grab an access token (maybe generated during OAuth authentication?) to authenticate my HTTP requests of protected data. Do you guys know any good (e)book, article or any other resources I should read to understand in detail these architectural nuances of authenticated data retrievals and HTTP requests?
It is exactly as you suspect. The access token is granted during the OAuth process, which is basically a three step rocket of getting
Temporary credentials for your application
An end user needs to authenticate those temporary credentials, which grants you a verifier token
And finally you exchange your temporary credentials and the user verification for an access token.
Depending on which language/framework you are using, there are often good libraries available to help you implement an OAuth client. Check out: http://oauth.net/code/
But you will be well served by a clear understanding of how the whole thing works. Twitter has a great tutorial about OAuth 1: https://dev.twitter.com/docs/auth/oauth.
Regarding OAuth 2, check out http://hueniverse.com/2010/05/introducing-oauth-2-0/. Hueniverse is a good resource for all things OAuth, by the way.