This question pertains to the Autodesk Forge TokenFlex Usage API. We would like to run an application that pulls data on a scheduled basis. Our understanding is that the Forge TokenFlex API requires 3 Legged authentication. We have successfully adapted the Autodesk GitHub code sample "A Forge Python Script Demonstrating new TokenFlex Usage API" to pull our data but this requires 3-Legged Authentication.
Is there a way to pull data using the TokenFlex Usage API without requiring user intervention for Authentication?
Unfortunately TokenFlex requires 3 legged auth for enhanced security purposes.
However you can minimize user intervention but rotating the token periodically in your backend using the refresh_token that comes with the token to get refreshed tokens implicitly and store them securely (encryption recommended for security reasons) where your script can use them, see here for details
Related
I'm looking for a away to protect my APIs in APIM, I really don't understand the difference between Subscription Key and OAuth 2.0 using Access Token. Can we use OAuth2.0 instead of Subscription Key or use both ?
As per my understanding,
In Simple:
Subscription keys are the common way to access the Azure APIs in APIM instance.
If the API requires subscription key to access it by the user, then we call it as secured API. Otherwise, it is unsecured API and mostly used by the public.
But for unsecured access to that certain APIs, configuring another mechanism to secure client access is recommended.
Those other mechanisms to secure access to APIs in APIM were OAuth 2.0, Client Certificates, and Restring caller IPs.
As DeepDave recommended this SO Thread states that,
It is not possible to use OAuth token to identify client, but you can use it for rate-limiting and logging (of sorts).
You can identify the users and their level of access (To how many products/APIs, they have access) easily by using subscription keys because they are associated on 3 scopes like Product level, All APIs level, or an individual level.
OAuth 2.0 provides extra layer of security both in Authentication and Authorization.
To Implement the other mechanisms like OAuth2.0 or other, these references are useful:
Protect APIM using OAuth2.0
API Protecting Mechanisms in Azure
A Workaround of Protecting APIs in Azure API Management using OAuth 2.0 Client Credential Flow & test using Postman
Extra layer of security to avoid unauthorized access to APIs using OAuth 2.0
to analysis who is using Forge app and how often is used, is it doable to get notified i.e. user (email) when login (BIM 360 hub) via autodesk account, and notify to (hardcoded) email, preferably email of developer (registered w/ forge app portal)? code sample or snippet will be very much appreciated, thanks.
Forge itself does not provide any notification mechanism for this, but if you're developing your own Forge application, you could easily issue the notifications whenever your application receives a callback from the 3-legged OAuth workflow. For example, if you were following this Learn Forge tutorial: https://learnforge.autodesk.io/#/tutorials/viewhubmodels using .NET, you could modify the following controller method: https://github.com/Autodesk-Forge/learn.forge.viewhubmodels/blob/net/forgesample/Controllers/OAuthController.cs#L93-L103, to notify whoever needs to be notified.
The Forge documentation mentions “If you need an end user to authorize your app to act on the user’s behalf, you’ll want to check out this tutorial.” This makes it sound as if our app will be doing something from OurApp → Forge, reaching into Fusion data, pulling it out. Our desired action would be the user acting on their own behalf, with authorized permission, sending files to their account on OurApp.
I've genericized it, but our specific situation is as follows: we want Fusion360 users to be able to install our plugin and then send models in STL format (model derivative v2 API) to our service for 3D Printing or sharing with others. This same behavior exists for Tinkercad and is very popular, but the requirements change for Fusion, now that it is not a web app like Tinkercad.
Autodesk Forge uses OAuth 2.0 as its authentication strategy, and as part of that, the platform allows you to choose between two-legged and three-legged authentication.
Two-legged authentication means that a trust is established between your own application (with credentials that are generated for you when you create a Forge app on https://forge.autodesk.com) and the Forge services. Your application can manage its own data but it does not have access to your users data in other Forge applications.
Three-legged authentication means that a trust is established among 3 entities: your application, Forge, and your user. With an access token generated using 3-legged authentication, your application can also access the user's content in other Forge applications, for example, in BIM360 or Fusion Teams.
With that, if you plan on having your users upload STL files from a locally running instance of Fusion 360, you can use the simple 2-legged authentication and have your Forge application own and manage the uploaded data and the translated derivatives. But if you wanted to upload or download STLs to/from something like Fusion Teams, you would need the 3-legged auth workflow.
I'm trying to set up an Signed URL for an Design Automation Workflow which is triggered by an Webhook inside of the BIM360 OSS. If a file is added the webhooks triggers an endpoint to start a Design Automation. The webhook is working. And the Design Automation is working too. The Problem occurs if i try to wire both up. I#m trying to create a Signed URL of the File like suggested in this post from Petr Broz link stackoverflow.
To use this API it is requierd to use an Token which is obatined by 2-Legged-Auth which is working with all necessary Scopes. In the response of the Webhook is an ID for the Folder and Version. The API is recognizing the ID.
The problem occurs in the response of this endpoint to create the signed url: https://developer.api.autodesk.com/oss/v2/buckets/:bucketKey/objects/:objectKey/signed
I'm using the wip.dm.emea as bucket because the file is stored in the EU BIM360 OSS.
The response is a 403 Forbidden:
{
"reason": "Only the bucket creator is allowed to access this api."
}
Is it even possible to get the File ID like in this example Forge how to Download File ?
Because this Solution requires a 3-Legged-Auth Flow which is not possible for a complete Automation.
The thing which makes me question is, that you can achieve this Workflow in plane Forge. But not in BIM360 where i have no control over the Buckets that are created by the System!?
I think this is an architectural missmatch between the Forge API and the BIM360 implementation!? Will there be a solution for this in the future?
Best regards
Jan
Unfortunately, I can confirm that it's not possible to create a signed URL for your BIM360 storage currently, as the error message mentioned, the endpoint requires the bucket owner to do this operation, this is what it is now. But I agree with you that this should be an architecture mismatch between Forge OSS and BIM360 implementation, and it's already been requested in our system, please keep "CPOSS-1066" to check with us about the progress.
As for the current way, you can keep the 3 legged token and using that for the output Url and also in the onComplete() callback, I have the blog post https://forge.autodesk.com/blog/upload-your-design-automation-output-file-bim360-docs which details the way to work, hope it helps at this moment.
I'm the administrator of a Bim360 Docs Hub,and i'm trying to retrieve some data from the forge API. I've already created a test app, and i get a Bim 360 Account Id.
I'm not able to get an authentication bearear token (OAuth), to make simple get requests towards projects.
Where do i get the auth token ?
Thanks
See tutorial here to aquire OAuth tokens and note that you will need different permutations of OAuth scopes (esp. data:read data:write etc.) for different operations, as is specified in the docs of each and every API, see an example here.
You may use a RESTful client like Postman to talk to our APIs and manage the authentication flow and operate on response data with JavaScript as you like so as to build workflows such as to create a new project.
Last but not least before you can access BIM360 APIs make sure you provision access to your app.