Cannot create bucket - autodesk-forge

I'm trying to create a bucket with the POST buckets endpoint. However, I cannot seem to do this: When attempting to do so with a Three-legged token, I receive the error:
"Only 2 legged service tokens are allowed to access this api."
But when I use a two-legged token (with the same scopes):
"Token does not have the privilege for this request."
What am I doing wrong? I'm using NodeJS with the Request library.

You might want to check that your token has the correct scopes; in this case you need bucket:create as part of your token scopes.
More about it here: https://forge.autodesk.com/en/docs/oauth/v2/developers_guide/scopes/

Related

Foundry's OAuth2 API Endpoints

I want to test the "Third-party applications" access using Postman.
When trying to obtain an OAuth token I am receiving a '404 Not Found' from Foundry. I suspect that I've configured the wrong URLs for the OAuth2 endpoints.
From reading the documentation
https://<foundryhost.com>/workspace/documentation/product/foundry-backend/security-api#oauth2-api-endpoints
I put together the following 2 endpoints:
Auth URL: https://<foundryhost.com>/api/oauth2/authorize
Access Token URL: https://<foundryhost.com>/api/oauth2/token
Are those correct or am I missing something?
You're on the right track with the service context path - in this case it's multipass - which is Foundry's authentication service.
Try this:
authorize_url=FOUNDRY_STACK + 'multipass/api/oauth2/authorize',
access_token_url=FOUNDRY_STACK + 'multipass/api/oauth2/token'
Looks like the docs could do with some clarification. Will get that fixed.
Another gotcha to remember with OAuth2 on Foundry: the refresh token rotates on use - remember to save both when you request a new access token (this is compliant with the standard, but it is optional).
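The rotation gotcha above, as an added example that is not part of the original answer: a simulated token endpoint (an assumption, not Foundry's API) invalidates each refresh token on use, and a client that persists both tokens is shown beside one that does not. All token values are constructed.

```javascript
// Simulated OAuth2 token endpoint with refresh token rotation (hypothetical,
// in-process; stands in for a real POST to the token URL).
function makeRotatingServer() {
  let n = 0;
  let current = 'rt-0';                      // the only refresh token still valid
  return function tokenEndpoint(refreshToken) {
    if (refreshToken !== current) return { error: 'invalid_grant' };
    n += 1;
    current = `rt-${n}`;                     // rotation: the old token is now dead
    return { access_token: `at-${n}`, refresh_token: current, expires_in: 3600 };
  };
}

class TokenStore {
  constructor(endpoint, refreshToken, persist) {
    this.endpoint = endpoint;
    this.refreshToken = refreshToken;
    this.accessToken = null;
    this.persist = persist;                  // e.g. a write to a secret store
  }
  refresh() {
    const res = this.endpoint(this.refreshToken);
    if (res.error) throw new Error(`refresh failed: ${res.error}`);
    this.accessToken = res.access_token;
    // Save both tokens; keep the old refresh token only if the server sent none.
    this.refreshToken = res.refresh_token || this.refreshToken;
    this.persist({ accessToken: this.accessToken, refreshToken: this.refreshToken });
    return this.accessToken;
  }
}

// For contrast: a client that never stores the rotated refresh token.
function refreshTwiceWithoutSaving(endpoint, refreshToken) {
  const first = endpoint(refreshToken);
  const second = endpoint(refreshToken);     // reuses the spent token
  return [first, second];
}
```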

Get a 3-Legged Token with Authorization Code Grant gives an Error AUTH-004

In our application we have an Angular frontend app which has Autodesk login for BIM 360 document. After the user is logged in on the frontend, we retrieve the 3-legged authorization code from Autodesk and pass it to the C# backend, where we use the code to get the access_token and refresh token.
We are using this to get the authorization code -
https://developer.api.autodesk.com/authentication/v1/authorize?response_type=code&client_id={client_Id}&redirect_uri={callbakcurl}&scope=data:read
Using this to get access_token from the code -
https://developer.api.autodesk.com/authentication/v1/gettoken
We are getting the below error -
{
"developerMessage": "The authorization code/refresh token is expired or invalid/redirect_uri must have the same value as in the authorization request.",
"errorCode": "AUTH-004",
"more info": "https://forge.autodesk.com/en/docs/oauth/v2/developers_guide/error_handling/"
}
We made sure that our redirect_url is correct and the same for getting the authorization code and for getting the access_token.
Can anyone help me with how long this authorization code is valid for?
A couple of things to check:
As @KingJ mentioned already, make sure that your redirect URL is url-encoded; same for the scopes, I believe the : symbol (and spaces if there are multiple scopes) should also be encoded
Note that the code you obtain from the first HTTP call is only valid for a very short amount of time (units of seconds); you should make the second HTTP call as soon as you have the code available, otherwise it'll expire
What is the body of the 2nd request? Are you setting all the params marked as required in the docs?
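The checks from the answer above (percent-encoding, identical redirect_uri, required parameters) as an added example, not code from the original posts. The body field names follow the standard OAuth 2.0 authorization code grant and are an assumption here, as are the constructed client values; confirm the required parameters against the docs.

```javascript
const AUTHORIZE = 'https://developer.api.autodesk.com/authentication/v1/authorize';

// Build the authorize URL with every query value percent-encoded.
function buildAuthorizeUrl({ clientId, redirectUri, scopes }) {
  const q = [
    ['response_type', 'code'],
    ['client_id', clientId],
    ['redirect_uri', redirectUri],
    ['scope', scopes.join(' ')],             // space-separated, sent as %20
  ];
  return AUTHORIZE + '?' + q.map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join('&');
}

// Build the form body for the code-for-token POST
// (Content-Type: application/x-www-form-urlencoded).
function buildTokenBody({ clientId, clientSecret, code, redirectUri }) {
  return new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: clientId,
    client_secret: clientSecret,
    code,
    redirect_uri: redirectUri,
  }).toString();
}

// Compare the two requests before sending; returns a list of problems.
function preflight(authorizeUrl, tokenBody) {
  const sent = new URL(authorizeUrl).searchParams;
  const body = new URLSearchParams(tokenBody);
  const problems = [];
  for (const k of ['grant_type', 'client_id', 'client_secret', 'code', 'redirect_uri']) {
    if (!body.get(k)) problems.push(`missing ${k}`);
  }
  // redirect_uri must have the same value in both requests; a trailing
  // slash or a different path counts as a difference.
  if (body.get('redirect_uri') !== sent.get('redirect_uri')) {
    problems.push('redirect_uri differs from the authorization request');
  }
  if (body.get('client_id') !== sent.get('client_id')) {
    problems.push('client_id differs from the authorization request');
  }
  return problems;
}
```

Run preflight immediately before the token POST, and send that POST as soon as the code arrives, since the code is short-lived.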

Authenticate the JWT using firebase by using Istio endpoint authentication

I have a GKE backend with GLCB (using Ingress-GCP, with routing done based on path to various backend services). My need is to verify the token in the header and pass the request to the backend iff it is a valid token. To check the validity of the token I need to pass it to Firebase. Once Firebase says OK, then route to the correct backend.
I was initially using ingress-GCE but it seems this can only be achieved by using Istio. Can anyone suggest how to do Istio-based end-user authentication?
You can use AuthorizationPolicy and RequestAuthentication to do this. There is an example of that in the Istio documentation.
What does Istio do in RequestAuthentication?
As mentioned here
RequestAuthentication defines what request authentication methods are supported by a workload. It will reject a request if the request contains invalid authentication information, based on the configured authentication rules. A request that does not contain any authentication credentials will be accepted but will not have any authenticated identity. To restrict access to authenticated requests only, this should be accompanied by an authorization rule.
As mentioned here
issuer -> Identifies the issuer that issued the JWT. See issuer. A JWT with different iss claim will be rejected.
Example: https://foobar.auth0.com
Example: 1234567-compute@developer.gserviceaccount.com
jwksUri -> URL of the provider’s public key set to validate signature of the JWT. See OpenID Discovery.
Example: https://www.googleapis.com/oauth2/v1/certs
There are 2 examples of jwtRules and jwksUri for Firebase.
https://github.com/envoyproxy/envoy/issues/5702
https://discuss.istio.io/t/istio-authentication-with-firebase/468/6
Additional resources:
https://cloud.google.com/solutions/authenticating-cloud-run-on-gke-end-users-using-istio-and-identity-platform

Autodesk Forge accessing b360 hub to get projects - error 404

I'm trying to publish a project using this guide - https://forge.autodesk.com/en/docs/data/v2/tutorials/publish-model/
I am able to get the docs hub ID for the expected hub (using 3 legged token, after having Autodesk provision the b360 docs account, and setting up integration w/ forge app), and pass this into the call to get the projects (using same token, or new token) using this guide - https://forge.autodesk.com/en/docs/data/v2/reference/http/hubs-hub_id-projects-GET/
I get back a response 404 error using the hub ID provided in the GET hubs call that starts with b.xxx from the GET hubs
{
"developerMessage": "The requested resource does not exist.",
"moreInfo": "https://forge.autodesk.com/en/docs/oauth/v2/developers_guide/error_handling/",
"errorCode": ""
}
I've tried this with a. as well, instead of b. and also no prefix on hub ID with no luck. I verified that this Id matches what is shown in the account admin settings online as well.
The get request looks like this, and includes authorization token in format Bearer {{token}} where {{token}} is the (same) variable for the token that works when getting hub ID's.
https://developer.api.autodesk.com/project/v1/hubs/b.e3a26052-6b48-4a03-9115-xxxxxxxxxxx/projects
Is my format incorrect, or is there something else going on?
The request looks ok, incl. the hub ID (the b. prefix must be there). One thing to check for is whether the actual user you're using to obtain the 3-legged token has access to any projects inside this hub.
Also, what happens when you try the GET hubs/:hub_id endpoint? Can you see the hub information or do you get 404 as well?

How to use azure api management to do custom access token check and enrich data in request

All the incoming requests to API Management will have a token in a header; before the backend service is hit, the token has to be verified. To verify the token, a GET tokenVallidationApi is to be hit and the response will tell us whether the token is valid or not. If the response exists for token validation, we have to take out a few entries from the response and enrich the body/header to hit the backend API. I am very new to the API Management tool and am just figuring out how we can achieve this with Azure API Management.
This is possible. You would have to implement your policies something like below
1. Validate Token
For this, you would first call the validation endpoint using send-request. You could also implement caching using value caching policies for multiple requests.
The doc also highlights how you can extract value from the response body.
2. Transform Body & Headers
For headers, you would use the set-header policy and for the body, you would use the set-body policy.