Continuing from the previous post about 2-legged authentication, let’s take a look at 3-legged authentication or more precisely OAuth 2.0 3-legged authentication with Forge next. My colleague, Adam Nagy, has already written a blog post about calling 3-legged using Postman. My rewrite will be with additional comments with BIM 360 in mind.
BIM 360 Team and Docs support 3-legged. HQ does not.
- You will need to create an app in the developer portal.
- To use BIM 360 Docs, you will need to integrate/register your client ID in HQ.
- Have Postman installed.
3-legged authentication is used to access data in BIM 360 Team and Docs in user context. The during the authentication process, you will be prompted to login using the Autodesk account. You can use access token to access only the data that the given user is permitted.
3-legged requires two calls. Postman provides a nice utility to make this process simple.
Method and URL:
- GET https://developer.api.autodesk.com/authentication/v1/authorize
- POST https://developer.api.autodesk.com/authentication/v1/gettoken
The first one is to redirect the user to obtain the user consent to authorize the app to access your data on your behalf. The second is to get an access token.
Steps below shows a sample usage of Postman calling 3-legged authentication to get a token.
(1) Go to Authorization tab. Choose “OAuth 2.0” as the type. Press “Get New Access Token” button (image below).
(2) In the “Get New Access Token” dialog (image below), fill in the information as follows:
- Token Name = <this can be any name. You can use it to access the token generated later using this name>
- Auth URL = https://developer.api.autodesk.com/authentication/v1/authorize
- Access Token URL = https://developer.api.autodesk.com/authentication/v1/gettoken
- Client ID = <copy your client ID here>
- Client Secret = <copy your client secret here>
- Scope = data:read <or other scope as needed>
- Grant Type = Authorization Code
But don’t press “Request Token”, yet.
Notice the Callback URL: https://www.getpostman.com/oauth2/callback, and below, it says “Set this as the callback URL in your app settings page.”
(3) Before we press “Request Token”, you need to set callback URL in the app you created in the Autodesk developer portal.
Go to the developer portal >> My Apps:
Edit your app and set callback URL as https://www.getpostman.com/oauth2/callback. Save your edit.
(4) Finally in Postman “Get New Access Token” dialog, press “Request Token”. If everything goes well, you will be prompted to login using Autodesk account login page (image below) followed by a consent page.
(5) When everything goes as expected, you will see an access token along with refresh token, token_type and expiration time length (see the image below).
You can copy and paste the access token from here. The “Use Token” button will copy the token in the Header.
The image below show how the header tab looks like after the token is added to the header. Notice that “Bearer” is prefixed to the token.
You are ready to use the token to access data.
Note: You may wonder if there is a way to add the token to subsequent calls automatically, just like we did with 2-legged. The answer seems to be “no” at a moment. See this post for discussion.