Create persistent access to the viewer - autodesk-forge

I'm not really familiar with Autodesk's instruments, so maybe anyone could help me with Auth:
I have 2-legged auth with Forge, and I need to refresh the token automatically or simply make my viewer persistent.
Also any help/links/references on points of interest or how to add floor switching feature to the project?

Typically, when setting up the viewer, you provide a function the viewer will call whenever it needs a fresh 2-legged token. This function should make a request to your server-side logic to generate the new token. The Learn Forge - View Your Models tutorial guides you through this process, using different languages and runtimes. For example, here's how you could implement the token updating in Node.js:
https://github.com/Autodesk-Forge/learn.forge.viewmodels/blob/nodejs/routes/oauth.js#L26-L36
https://github.com/Autodesk-Forge/learn.forge.viewmodels/blob/nodejs/public/js/ForgeViewer.js#L46-L52
Btw. a "refresh token" is only available in 3-legged auth workflows.
For features like floor switching, take a look at these:
https://forge.autodesk.com/blog/view-each-floor-using-vertical-explode
https://twitter.com/ipetrbroz/status/1227901732023201795
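The token callback described in the answer above, as an added example that is not part of the original answer or the linked tutorial. `makeTokenCache`, `makeGetAccessToken`, `fetchToken` and the `/api/forge/oauth/token` route are assumed names; `fetchToken` stands for your server's own 2-legged request and is injected so the code runs offline.

```javascript
// Added example. makeTokenCache, makeGetAccessToken, fetchToken and the
// /api/forge/oauth/token route are assumed names, not Forge APIs.

// Server side: keep one 2-legged token and renew it shortly before expiry.
function makeTokenCache(fetchToken, now = () => Date.now(), skewSec = 60) {
  let cached = null;  // { access_token, expiresAt (ms) }
  let pending = null; // in-flight renewal shared by concurrent callers
  return async function getPublicToken() {
    if (!cached || now() >= cached.expiresAt - skewSec * 1000) {
      if (!pending) {
        // fetchToken should request only the viewables:read scope, because
        // the result is handed to the browser.
        pending = fetchToken()
          .then((t) => {
            cached = { access_token: t.access_token, expiresAt: now() + t.expires_in * 1000 };
          })
          .finally(() => { pending = null; }); // a failed renewal is not cached
      }
      await pending;
    }
    // Report the remaining lifetime so the viewer knows when to call back.
    const expires_in = Math.floor((cached.expiresAt - now()) / 1000);
    return { access_token: cached.access_token, expires_in };
  };
}

// Browser side: the function handed to the viewer as options.getAccessToken.
function makeGetAccessToken(fetchFn, url = '/api/forge/oauth/token') {
  return function getAccessToken(onTokenReady) {
    return fetchFn(url)
      .then((res) => {
        if (!res.ok) throw new Error('token endpoint returned ' + res.status);
        return res.json();
      })
      .then((t) => onTokenReady(t.access_token, t.expires_in));
  };
}

// In the page:
//   Autodesk.Viewing.Initializer({ getAccessToken: makeGetAccessToken(fetch) }, startViewer);
```

The viewer calls `getAccessToken` again when the lifetime it was given runs out, so returning the remaining lifetime rather than the original one keeps browser and server in step.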

Related

Getting notified when user run Forge application

To analyze who is using the Forge app and how often it is used, is it doable to get notified, i.e. of the user (email) when they log in (BIM 360 hub) via an Autodesk account, and to notify a (hardcoded) email, preferably the email of the developer (registered w/ the Forge app portal)? A code sample or snippet will be very much appreciated, thanks.
Forge itself does not provide any notification mechanism for this, but if you're developing your own Forge application, you could easily issue the notifications whenever your application receives a callback from the 3-legged OAuth workflow. For example, if you were following this Learn Forge tutorial: https://learnforge.autodesk.io/#/tutorials/viewhubmodels using .NET, you could modify the following controller method: https://github.com/Autodesk-Forge/learn.forge.viewhubmodels/blob/net/forgesample/Controllers/OAuthController.cs#L93-L103, to notify whoever needs to be notified.

How can I hit a Foundry API from Code Repositories?

What is the correct way to hit an internal Foundry API from a Code Repository using, for example, a Python transform?
This is possible but somewhat discouraged because of the security impacts, specifically those of the token that is used to call the API. Historically, Foundry jobs were run with the building user's complete token. This allows making any API call the user could make, but could be abused by a nefarious actor. Therefore most builds today use a project-scoped token which can only read and write datasets, and not make API calls.
Thus you must either un-project-scope the repository so that it uses user tokens, which can be done through the Jemma API, or supply a hard-coded token, which can be done through a secured dataset with an appropriate marking, but be aware that anyone who can read this dataset could steal the token.
A product support solution called logic flows is coming to make this process smoother.
Once you have a token, making the API calls is similar to any other API. Here's an example in Python; there's more information in the documentation.
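import requests

# `repos` (repository identifiers) and `token` are assumed to be defined by the caller
for repo in repos:
    URL = f"https://foundry.url/stemma/api/repos/{repo}/checks"
    headers = {
        "Authorization": "Bearer " + token
    }
    req = requests.get(URL, headers=headers)
    # Skip repositories whose request did not succeed
    if req.status_code > 299:
        continue
    req_json = req.json()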
Currently the functionality for accessing Foundry APIs from within a Code Repository is not by default supported.
Because of the mentioned Foundry limitations and project-scoped tokens, we create dedicated Service Accounts for automations, create a bearer token for the service account and store it in a dataset which we secure with a Marking. In the transform where we use the token to make API calls, we stop_propagating the Marking to downstream transforms.
This is, unfortunately, rather cumbersome and we are looking here at Palantir's product development team for a better solution.

Create Signed URL for Object in BIM360 OSS

I'm trying to set up a Signed URL for a Design Automation Workflow which is triggered by a Webhook inside of the BIM360 OSS. If a file is added, the webhook triggers an endpoint to start a Design Automation. The webhook is working. And the Design Automation is working too. The problem occurs if I try to wire both up. I'm trying to create a Signed URL of the file like suggested in this post from Petr Broz link stackoverflow.
To use this API it is required to use a token which is obtained by 2-Legged-Auth, which is working with all necessary scopes. In the response of the Webhook is an ID for the Folder and Version. The API is recognizing the ID.
The problem occurs in the response of this endpoint to create the signed url: https://developer.api.autodesk.com/oss/v2/buckets/:bucketKey/objects/:objectKey/signed
I'm using the wip.dm.emea as bucket because the file is stored in the EU BIM360 OSS.
The response is a 403 Forbidden:
{
"reason": "Only the bucket creator is allowed to access this api."
}
Is it even possible to get the File ID like in this example Forge how to Download File?
Because this solution requires a 3-Legged-Auth flow, which is not possible for a complete automation.
The thing which makes me question this is that you can achieve this workflow in plain Forge, but not in BIM360, where I have no control over the buckets that are created by the system!?
I think this is an architectural mismatch between the Forge API and the BIM360 implementation!? Will there be a solution for this in the future?
Best regards
Jan
Unfortunately, I can confirm that it's not possible to create a signed URL for your BIM360 storage currently, as the error message mentioned, the endpoint requires the bucket owner to do this operation, this is what it is now. But I agree with you that this should be an architecture mismatch between Forge OSS and BIM360 implementation, and it's already been requested in our system, please keep "CPOSS-1066" to check with us about the progress.
As for the current way, you can keep the 3-legged token and use that for the output URL and also in the onComplete() callback. I have the blog post https://forge.autodesk.com/blog/upload-your-design-automation-output-file-bim360-docs which details the way to work; hope it helps at this moment.

Protect intellectual property in autodesk viewer js library?

I have an app that I'm building that utilizes the Autodesk viewer JavaScript library/API. If I upload a series of .iam & .ipt files for a product, and want to share it with some clients, but I don't want to give away intellectual property, such as being able to use the measure tool, or not being able to select certain sub-parts.
I know you can disable certain toolbars (which can be undone in the JS console) or remove them entirely via headless mode, but considering the browser has access to the access token, a clever person could use that token with the proper URN, and get full access to the data. Correct?
So is there a recommended way to protect our models so that viewers of it cannot take our intellectual property??
The way to completely remove the attack surface with the info available to the browser agent is proxying - see this blog post for details. Basically you are redirecting Viewer to access our endpoints via your own proxy service where the access token can be assigned implicitly, eliminating the need to expose access tokens to browser agents directly:
Autodesk.Viewing.setApiEndpoint('https://yourproxyurl')
W/o the access token, having access to only the Object IDs/URNs of your models would be futile as all our endpoints to retrieve model data are secured by requiring a valid access token with sufficient token scopes.
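The request-rewriting step of such a proxy, as an added example that is not from the original answer or the linked blog post. `buildUpstreamRequest`, `ALLOWED` and `DROP` are assumed names, and the path prefixes are illustrative rather than an official list of the endpoints the viewer uses.

```javascript
// Added example. buildUpstreamRequest, ALLOWED and DROP are assumed names; the
// path prefixes are illustrative, not an official list of viewer endpoints.
const UPSTREAM = 'https://developer.api.autodesk.com';
const ALLOWED = [/^\/derivativeservice\/v2\//, /^\/modelderivative\/v2\//];
const DROP = new Set(['authorization', 'cookie', 'host']);

// Map a browser request to the upstream call the proxy makes for it.
// Returns { status } on refusal, or { status: 200, url, headers } to forward.
function buildUpstreamRequest(incoming, serverToken) {
  if (incoming.method !== 'GET') return { status: 405 }; // viewing is read-only
  let url;
  try {
    url = new URL(incoming.url, UPSTREAM); // also resolves ../ segments
  } catch (e) {
    return { status: 400 };
  }
  // Absolute or //host URLs must not steer the token to another origin.
  if (url.origin !== UPSTREAM) return { status: 400 };
  // Check the normalised path so traversal cannot reach other APIs.
  if (!ALLOWED.some((re) => re.test(url.pathname))) return { status: 403 };
  const headers = {};
  for (const [name, value] of Object.entries(incoming.headers || {})) {
    const key = name.toLowerCase();
    if (!DROP.has(key)) headers[key] = value; // never forward client credentials
  }
  headers.authorization = 'Bearer ' + serverToken; // token stays server-side
  return { status: 200, url: url.href, headers };
}

// Constructed sample request, as a browser pointed at the proxy might send it.
const sample = buildUpstreamRequest({
  method: 'GET',
  url: '/derivativeservice/v2/manifest/dXJuOmV4YW1wbGU',
  headers: { Authorization: 'Bearer from-browser', Accept: 'application/json' },
}, 'SERVER_SIDE_TOKEN');
console.log(sample.status, sample.url);
```

Because every model request now passes through your service, the same function is the place to check that the signed-in user is allowed to see the requested URN before forwarding.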

Autodesk API Forge Authentication Bearer

I'm the administrator of a BIM360 Docs Hub, and I'm trying to retrieve some data from the Forge API. I've already created a test app, and I get a BIM 360 Account Id.
I'm not able to get an authentication bearer token (OAuth), to make simple GET requests towards projects.
Where do I get the auth token?
Thanks
See the tutorial here to acquire OAuth tokens and note that you will need different permutations of OAuth scopes (esp. data:read data:write etc.) for different operations, as is specified in the docs of each and every API, see an example here.
You may use a RESTful client like Postman to talk to our APIs and manage the authentication flow and operate on response data with JavaScript as you like so as to build workflows such as to create a new project.
Last but not least before you can access BIM360 APIs make sure you provision access to your app.