
We have an inquiry from our client to enable Autodesk Model Viewer from within our App. The first step is to implement OAuth2 authentication (2-legged). I followed the Forge Autodesk tutorials, but this is completely new to me, and I cannot configure it to work. I do an HTTP request (using jQuery) from our App, passing client_id, client_secret, grant_type and a scope. When looking at the developer menu (F12), I can see that the request is hitting their server and returns with the access_token, expire time, authorization "Bearer" with the status 200. So far so good.

I understand that now I need to make a call back to the API and pass this access_token I received. And here is where I'm lost: the console shows me an error, Cross origin ... And the success part of the HTTP request is not firing (in the HTTP request success part I'm trying to redirect the user to the Model Viewer url + the access_token we just received). But it never fires. I was digging through forums and tutorials but can't find any good sample or explanation of what I'm doing wrong. Below is my code example:

    $.post("https://developer.api.autodesk.com/authentication/v1/authenticate",
        {
            client_id: 'here_is_a_client_id',
            client_secret: 'here_is_a_client_secret',
            grant_type: 'client_credentials',
            scope: 'viewables:read'
        },
        function(data, status){
            console.log("Data: " + data);
            window.location.href = 'https://viewer.autodesk.com/id/here_is_a_long_id_number&Authorization=Bearer&' + data;
        });

Any help is highly appreciated. Also, I was trying to follow the Autodesk tutorials using Node.js, but again, after seeing that the access_token gets back from their server, I can't make a callback and attach this access_token to it. I'm new to all these Authorization/Authentication/Tokens so I can't figure out the way it works. Thanks in advance.

1 Answer

I could advise you how to avoid this Cross Origin error, but it is critical not to, and very dangerous, to authorise your application on the client side. Exposing your client secret key will give everyone the right to access your account and spend cloud credits on your behalf. And access all your content. That is the reason you should not have that approach.

You should never expose the client secret, nor a read/write scoped access token, on a client; those should reside on the server, and server only. The only access token you could eventually see on the client should be a viewables:read scoped token only. And even when using a viewables:read token, I prefer to use a proxy instead myself (see here).


4 Comments

Thanks cyrille for your comments, it does make sense what you're saying. But for now, I'm simply trying to make that work and pass this 2-legged Auth thing so I can actually see that access_token received and then redirect the user to the Model Viewer page passing this access_token, so the user doesn't have to type in his/her username and password. And I can't at this point, after I received access_token, how I can call back to the Autodesk Model Viewer page and pass this token (http success part of my code won't work), any clue? Thanks for your response.
You cannot obtain a Forge Token via client-side scripting without the use of a Chrome extension such as 'Allow-Control-Allow-Origin: *' or 'Moesif Orign & CORS Changer'; without these extensions this code will throw a CORS error. This is by design. The best thing is to use this basic sample and instantiate your own viewer. I want to repeat: what you are trying to do is a very bad idea in terms of securing your account; doing this means giving your house keys to anyone, including thieves.
I followed these tutorials, but ended up with a non-working copy. What I'm up to is to create a simple 2-legged Authentication process, where only 2-legged Auth (post and get request I believe) and on success the user is redirected to our existing App (Model Viewer page) within the Forge Autodesk. I'm new to Node.js and I'm struggling to implement just the simplest Auth and show the Model Viewer page, without any fancy Upload, Translate etc. etc. Hope it does make sense, and if you can point to some good example it would be really appreciated. Thanks
The tutorial works, you can also try models.autodesk.io - all samples are posted on github.com/Autodesk-Forge - if you want we can do a remote session, and I can show you - email me cyrille at autodesk.com, and we will connect.
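
The server-side approach the answer recommends, as an added example that is not part of the original thread or Autodesk's own sample code: the 2-legged exchange runs in Node.js, and the browser only ever receives a `viewables:read` token from a same-origin route. The environment variable names, the `/api/token` route and the `access_token` / `expires_in` response field names are assumptions, and the global `fetch` requires Node 18 or later.

```javascript
// Added example: server-side 2-legged token exchange. The client secret never reaches the browser.
const FORGE_AUTH_URL = 'https://developer.api.autodesk.com/authentication/v1/authenticate';
const CLIENT_SCOPE = 'viewables:read'; // the only scope the answer allows on a client

// Same form fields as the question's $.post, but credentials come from the server environment.
function buildTokenRequest(env) {
  if (!env.FORGE_CLIENT_ID || !env.FORGE_CLIENT_SECRET) {
    throw new Error('FORGE_CLIENT_ID / FORGE_CLIENT_SECRET not set'); // assumed variable names
  }
  const body = new URLSearchParams({
    client_id: env.FORGE_CLIENT_ID,
    client_secret: env.FORGE_CLIENT_SECRET,
    grant_type: 'client_credentials',
    scope: CLIENT_SCOPE,
  });
  return { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body: body.toString() };
}

// Forward only what the viewer needs; every other upstream field is dropped.
function toClientPayload(upstream) {
  if (typeof upstream.access_token !== 'string') throw new Error('no access_token in response');
  return { access_token: upstream.access_token, expires_in: upstream.expires_in };
}

// Server-to-server call (not subject to CORS). fetchImpl is injectable for offline testing.
async function getViewerToken(env, fetchImpl = fetch) {
  const res = await fetchImpl(FORGE_AUTH_URL, buildTokenRequest(env));
  if (!res.ok) throw new Error('token request failed: ' + res.status);
  return toClientPayload(await res.json());
}

// Hypothetical same-origin route /api/token that the viewer page calls instead of Autodesk directly.
async function startServer(port, env = process.env) {
  const http = await import('node:http');
  return http.createServer(async (req, res) => {
    if (req.method !== 'GET' || req.url !== '/api/token') { res.writeHead(404); return res.end(); }
    try {
      const token = await getViewerToken(env);
      res.writeHead(200, { 'Content-Type': 'application/json', 'Cache-Control': 'no-store' });
      res.end(JSON.stringify(token));
    } catch (err) {
      console.error(err.message); // log server-side; do not echo upstream errors to the client
      res.writeHead(502); res.end();
    }
  }).listen(port);
}
```

`startServer` is not called automatically; in this sketch the page served from the same origin requests `/api/token` and passes the returned token to the viewer it instantiates.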
