Are three legged tokens supported in the Autodesk BIM360 Account Admin endpoints? - autodesk-forge

I have tried the endpoints to get projects and users with a three legged token, and in both cases I get a 403 with a response body that looks like:
{
  "code": 1003,
  "message": "Only support 2 legged access token."
}
This seems unequivocal, but doesn't seem to be consistent with the API documentation. Is access really only available using a 2 legged token or have I missed something?
Just to be clear, the endpoints I'm playing with are:
GET https://developer.api.autodesk.com/hq/v1/accounts/:account_id/projects
and
GET https://developer.api.autodesk.com/hq/v1/accounts/:account_id/users
The documentation states "Must be Bearer , where is obtained via OAuth", but there is no mention that only two legged authentication tokens are supported.

Yes, they are BIM360 HQ APIs (well known as Account Admin APIs), part of BIM360 API as I mentioned in the comment above.
Unfortunately, Account Admin APIs only allow access with 2 legged access token now. In contrast, other APIs like Issues, RFIs, and Checklists support 3 legged access token and 3 legged access token with the uid.
Note:
Keyword user context required in the Authentication Context of the documentation means that it requires acting with a 3-legged OAuth token or a 2-legged OAuth token with user impersonation.
Keyword app only means that it supports 2-legged OAuth token only.
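The answer above boils down to a client-side rule: keep the app's 2-legged token and the user's 3-legged token side by side, send the 2-legged one to the "app only" Account Admin endpoints, and treat the 403 / code 1003 body as "wrong token type" rather than as a generic permission error. The following is an added example that illustrates that rule; it is not code from the original post or from Autodesk. The `/hq/v1/` mapping comes from the answer, the other entries in `AUTH_CONTEXT` are assumed, the account id is a placeholder, and the transport is a constructed stand-in for the service so the code runs offline.

```python
import json
from typing import Callable, Dict, Optional, Tuple

FORGE_BASE = "https://developer.api.autodesk.com"

# Authentication context per endpoint family. "/hq/v1/" (Account Admin) being
# "app only" is stated in the answer above; the other two entries are assumed
# examples of "user context" APIs and are not taken from the page.
AUTH_CONTEXT: Dict[str, str] = {
    "/hq/v1/": "app only",
    "/project/v1/": "user context",
    "/data/v1/": "user context",
}

# Transport abstraction: (url, headers) -> (status, body_text). Injected so the
# example runs without network access.
Transport = Callable[[str, Dict[str, str]], Tuple[int, str]]


class WrongTokenTypeError(RuntimeError):
    """Raised when the service rejects the token *type* (2-legged vs 3-legged).
    Deliberately not retried automatically: silently swapping in the app token
    would run a call meant to act as the user with the app's own privileges."""


def auth_context_for(path: str) -> Optional[str]:
    """Look up the documented authentication context for an API path."""
    for prefix, context in AUTH_CONTEXT.items():
        if path.startswith(prefix):
            return context
    return None


def pick_token(path: str, two_legged: str, three_legged: Optional[str]) -> str:
    """App-only endpoints always get the 2-legged token; user-context or
    unknown endpoints get the 3-legged token when one is available."""
    if auth_context_for(path) == "app only" or three_legged is None:
        return two_legged
    return three_legged


def needs_two_legged(status: int, body: str) -> bool:
    """Recognise the 'only 2 legged' rejections quoted on this page."""
    if status != 403:
        return False
    try:
        payload = json.loads(body)
    except ValueError:
        return False
    if payload.get("code") == 1003:      # BIM 360 HQ body shown in the question
        return True
    text = str(payload.get("message", "")) + " " + str(payload.get("reason", ""))
    return "2 legged" in text.lower()    # OSS wording: "Only 2 legged service tokens ..."


def get_json(transport: Transport, path: str, two_legged: str,
             three_legged: Optional[str] = None) -> object:
    """GET a Forge endpoint with the token appropriate for its auth context."""
    token = pick_token(path, two_legged, three_legged)
    status, body = transport(FORGE_BASE + path, {"Authorization": "Bearer " + token})
    if needs_two_legged(status, body):
        raise WrongTokenTypeError(f"{path} requires a 2-legged token: {body}")
    if status != 200:
        raise RuntimeError(f"{status} from {path}: {body}")
    return json.loads(body)


# Constructed stand-in for the Account Admin service (not the real API).
APP_TOKEN = "app-token-constructed"
USER_TOKEN = "user-token-constructed"
ACCOUNT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder account id


def fake_account_admin(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Mimics /hq/v1: any token other than the app's 2-legged token is refused
    with the code 1003 body quoted in the question."""
    if headers.get("Authorization") != "Bearer " + APP_TOKEN:
        return 403, json.dumps({"code": 1003, "message": "Only support 2 legged access token."})
    if url.endswith("/projects"):
        return 200, json.dumps([{"id": "p1", "name": "Sample project (constructed)"}])
    return 404, json.dumps({"message": "not found"})


if __name__ == "__main__":
    print(get_json(fake_account_admin, f"/hq/v1/accounts/{ACCOUNT_ID}/projects",
                   APP_TOKEN, USER_TOKEN))
```

The point of `WrongTokenTypeError` is that the decision to use the app's credentials for a call is made explicitly in `AUTH_CONTEXT`, where it can be reviewed, rather than by a fallback that quietly upgrades a failed user-context call to app privileges.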

Related

Design Automation API - Token Refresh

I am trying to access a Forge API endpoint using a 2-legged authentication token, but at a certain point in time my token becomes invalid or expired. Is there any option to refresh/increase the token expiry time in the 2-legged authentication process?
For 2-legged tokens, once they expire, you have no choice but to request another one. That being said, I think this will be managed for you if you use one of the forge/design-automation SDKs.
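Since a 2-legged token cannot be extended, the usual approach is a small cache that requests a fresh one shortly before the current one expires, based on the `expires_in` value returned with it. The code below is an added example of that pattern, not code from the original post or from Autodesk's SDKs. The real token request (a client-credentials POST to the Forge authentication endpoint) is assumed and replaced by an injected `issuer` function, and the clock is injectable, so the example runs offline; `data:read` is the scope named elsewhere on this page.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Issuer abstraction: given the requested scope string, returns the parsed token
# response body. In production this would POST client id/secret with
# grant_type=client_credentials (assumed, not shown here).
Issuer = Callable[[str], Dict[str, object]]


@dataclass
class ClientCredentialsCache:
    issuer: Issuer
    scope: str = "data:read"
    refresh_margin: float = 60.0             # renew this many seconds before expiry
    clock: Callable[[], float] = time.time   # injectable for testing
    _token: Optional[str] = field(default=None, init=False)
    _expires_at: float = field(default=0.0, init=False)
    requests_made: int = field(default=0, init=False)

    def _expires_soon(self) -> bool:
        return self._token is None or self.clock() >= self._expires_at - self.refresh_margin

    def get(self) -> str:
        """Return a token valid for at least refresh_margin seconds, requesting
        a new one from the issuer when the cached one is about to expire."""
        if self._expires_soon():
            body = self.issuer(self.scope)
            token = body.get("access_token")
            expires_in = body.get("expires_in")
            if not isinstance(token, str) or not isinstance(expires_in, (int, float)):
                raise RuntimeError(f"unexpected token response: {body}")
            self._token = token
            self._expires_at = self.clock() + float(expires_in)
            self.requests_made += 1
        return self._token

    def authorization_header(self) -> Dict[str, str]:
        return {"Authorization": "Bearer " + self.get()}


# Constructed clock and issuer used for the demonstration (no network access).
class FakeClock:
    def __init__(self, start: float = 1_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def make_fake_issuer(lifetime: int = 3599) -> Issuer:
    """Returns an issuer that hands out a new token each time, in the shape of a
    client-credentials response (token_type, access_token, expires_in)."""
    counter = {"n": 0}

    def issue(scope: str) -> Dict[str, object]:
        counter["n"] += 1
        return {"token_type": "Bearer",
                "access_token": f"tok-{counter['n']}-{scope}",
                "expires_in": lifetime}

    return issue


if __name__ == "__main__":
    clock = FakeClock()
    cache = ClientCredentialsCache(issuer=make_fake_issuer(), clock=clock)
    print(cache.authorization_header())
    clock.advance(3600)
    print(cache.authorization_header(), "requests:", cache.requests_made)
```

Keeping the margin (here 60 seconds) avoids the race where a token that is valid when fetched from the cache has expired by the time the request reaches the service.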

Unable to upload file to bucket using 3-legged access token

I am currently following "Upload Files to BIM 360 Document Management" and I'm stuck on step 6 where I'm supposed to upload to the client's bucket using a 3-legged access token.
So...am I doing something wrong for step 6, or is the guide outdated?
From reading the PUT buckets/:bucketKey/objects/:objectName documentation, only 2-legged access tokens can access this API.
expected:
  200 (and whatever JSON data it returns)
actual:
  403
  {
    "reason": "Only 2 legged service tokens are allowed to access this api."
  }
Unfortunately some of the OSS (bucket) endpoints only support 2 legged auth and PUT Object is obviously one of them so you will need another 2 legged token for the upload...
The guide is not exactly outdated but apparently that's an oversight there...

Autodesk API Forge Authentication Bearer

I'm the administrator of a Bim360 Docs Hub, and I'm trying to retrieve some data from the Forge API. I've already created a test app, and I get a Bim 360 Account Id.
I'm not able to get an authentication bearer token (OAuth) to make simple GET requests towards projects.
Where do I get the auth token?
Thanks
See the tutorial here to acquire OAuth tokens and note that you will need different permutations of OAuth scopes (esp. data:read, data:write, etc.) for different operations, as is specified in the docs of each and every API; see an example here.
You may use a RESTful client like Postman to talk to our APIs and manage the authentication flow and operate on response data with JavaScript as you like so as to build workflows such as to create a new project.
Last but not least, before you can access BIM360 APIs make sure you provision access to your app.

Is it possible to use/convert a 3-legged token on Autodesk Forge Object Storage Service (OSS)?

I know Autodesk Forge "Object Storage Service" (OSS) requires a 2-legged security token...
I already use a 3-legged token to access Forge "Project Service" and "Data Service" APIs: is it possible to convert or request a 2-legged token from a 3-legged token?
If you try to use a 3-legged token with OSS you get an invalid token error.
I would like to avoid using two different authentications at the same time...
Thanks!
Unfortunately token exchange is not possible - I checked the OAuth 2.0 specification, and I don't think the flow you describe is a valid flow anyway. Remember 2-legged is for application credentials, whereas 3-legged is to access a specific user's content.
No, a 2-legged token gives you the access to developer's resources. A 3-legged token gives you access to the logged in user's resources. They are not designed to be interchangeable.

Unable to use Box API Enterprise API with OAuth2 authenticated app

What I understand is Enterprise API from Box works only with server-server JWT auth and not like OAuth2 based authentication.
Box integrations which have OAuth2 based authentication support only the Content API and not the Enterprise API.
Is there a way to have OAuth & the Enterprise API at the same time? (I essentially want to manage users & groups of any third party enterprise)
Any thoughts/pointers? Thanks in advance!
What I understand is Enterprise API from Box works only with server-server JWT auth and not like OAuth2 based authentication.
This is not correct, though I can see how you could arrive at that understanding. You can work with the Box Enterprise API using traditional 3-Legged OAuth. In fact, for many years 3-Legged OAuth was the only way to work with the Box API.
In order for a 3-Legged OAuth access token to make Enterprise API calls:
The appropriate Enterprise scopes must be selected in the app configuration.
The token must have been issued for a user with enterprise admin/co-admin privileges.
The relationship between JWT auth and the Enterprise API is one of convenience. Enterprise API apps are often non-interactive server-side scripts and/or scaled out to multiple processes. In these scenarios JWT is much easier to work with than 3-Legged OAuth.