I've implemented an application capable of acquiring an OAuth access token through the authorization process using the authorization code grant type. I've used it successfully with Google API services, but I have a problem when I use it with AutoDesk Forge API services. I have a suspicion that AutoDesk's OAuth does not conform well to the OAuth 2.0 specification.

My application issues this HTTP POST request of the shape:

POST /authentication/v1/gettoken HTTP/1.1
Host: developer.api.autodesk.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

Here I send client_id and client_secret as username and password for Basic HTTP authorization. But I get an error:

{"developerMessage":"The required parameter(s) client_id,client_secret not present in the request","userMessage":"","errorCode":"AUTH-008","more info":"http://developer.api.autodesk.com/documentation/v1/errors/AUTH-008"}

However, OAuth specification says in chapter 2.3.1 (https://tools.ietf.org/html/rfc6749#section-2.3.1):

The authorization server MUST support the HTTP Basic
authentication scheme for authenticating clients that were issued a
client password.

You can see an example of such a request that the server MUST support in chapter 4.1.3 (https://tools.ietf.org/html/rfc6749#section-4.1.3):

 POST /token HTTP/1.1
 Host: server.example.com
 Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
 Content-Type: application/x-www-form-urlencoded

 grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
 &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

And AutoDesk wants it differently as per its documentation:

  curl -v 'https://developer.api.autodesk.com/authentication/v1/gettoken' \
    -X 'POST' \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -d 'client_id=obQDn8P0GanGFQha4ngKKVWcxwyvFAGE' \
    -d 'client_secret=eUruM8HRyc7BAQ1e' \
    -d 'grant_type=authorization_code' \
    -d 'code=wroM1vFA4E-Aj241-quh_LVjm7UldawnNgYEHQ8I' \
    -d 'redirect_uri=http://sampleapp.com/oauth/callback'

(Here, as you can see, AutoDesk expects client_id and client_secret to be in the POST request body.) That is an additional way that the server MAY support, as written again in chapter 2.3.1 (https://tools.ietf.org/html/rfc6749#section-2.3.1):

Alternatively, the authorization server MAY support including the
client credentials in the request-body

So, am I right that the AutoDesk Forge API service only supports the optional way and apparently doesn't support the mandatory way?

1 Answer

So, am I right that the AutoDesk Forge API service only supports the optional way and apparently doesn't support the mandatory way?

Affirmative - the only authentication format that's supported can be found here.
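The two client-authentication forms discussed above, as an added example that is not code from the question or from the Forge documentation: it builds the authorization_code token request either with the RFC 6749 section 2.3.1 Basic header (the form the server MUST support) or with client_id/client_secret in the form body (the optional form the answer says is the only one Forge accepts), and never both, since section 2.3.1 forbids sending the credentials twice. It also shows the encoding detail the RFC requires before base64: each of client_id and client_secret is form-urlencoded first, which is what keeps a secret containing ':' or '%' parseable on the server side. Assumptions: the host and path are the ones from the question; the client credentials, code and redirect_uri are the RFC 6749 example values, not real secrets; nothing is sent over the network, the request is only constructed.

```python
import base64
from urllib.parse import quote_plus, unquote_plus, urlencode

# Token endpoint from the question (assumed unchanged); only used to render the request.
TOKEN_HOST = "developer.api.autodesk.com"
TOKEN_PATH = "/authentication/v1/gettoken"


def basic_auth_header(client_id, client_secret):
    """RFC 6749 section 2.3.1: form-urlencode id and secret, join with ':',
    base64-encode the result and prefix the 'Basic' scheme."""
    credentials = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(credentials.encode("ascii")).decode("ascii")


def parse_basic_auth_header(value):
    """Inverse of basic_auth_header: what a conforming token endpoint does
    with the Authorization header. Returns (client_id, client_secret)."""
    scheme, _, encoded = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(encoded, validate=True).decode("ascii")
    # The id was percent-encoded, so the first ':' is always the separator.
    client_id, _, client_secret = decoded.partition(":")
    return unquote_plus(client_id), unquote_plus(client_secret)


def build_token_request(client_id, client_secret, code, redirect_uri, credentials_in="header"):
    """Return (headers, body) for an authorization_code token request.

    credentials_in="header": RFC-mandatory HTTP Basic client authentication.
    credentials_in="body":   optional form with credentials as body parameters
                             (the only form Forge accepts, per the answer).
    The credentials are placed in exactly one of the two locations.
    """
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    headers = {
        "Host": TOKEN_HOST,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    if credentials_in == "header":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif credentials_in == "body":
        # Prepend so the body reads client_id=...&client_secret=...&grant_type=...
        params = {"client_id": client_id, "client_secret": client_secret, **params}
    else:
        raise ValueError("credentials_in must be 'header' or 'body'")
    # urlencode percent-encodes every value, including the redirect_uri.
    return headers, urlencode(params)


def render(headers, body):
    """Render the request as the wire text shown in the question."""
    lines = [f"POST {TOKEN_PATH} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body


if __name__ == "__main__":
    # Constructed inputs: the RFC 6749 section 4.1.3 example values, not real credentials.
    for mode in ("header", "body"):
        h, b = build_token_request(
            "s6BhdRkqt3", "gX1fBat3bV", "SplxlOBeZQQYbYS6WxSbIA",
            "https://client.example.com/cb", credentials_in=mode,
        )
        print(render(h, b), end="\n\n")
```

Running it prints the Basic form first, whose Authorization header is byte-for-byte the one in the RFC example and in the question, and then the body form that the Forge endpoint expects. A client that has to talk to both kinds of servers is better off selecting the mode per provider in configuration than retrying with body credentials after an AUTH-008 style error, because a retry doubles the number of requests carrying the secret.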