Autodesk Forge：使用POST / XMLHttpRequest和Javascript获取访问令牌吗？

Question

I am new to the Autodesk API's, and trying to create the Viewer using javascript on my website, which is hosted by a 3rd party (think Weebly, Squarespace, etc.) that supports JavaScript. I can successfully get an access token if I use Postman to make the POST call to https://developer.api.autodesk.com/authentication/v1/authenticate , but that doesn't help me from a general use perspective. When I try to use XMLHttpRequest and make the same POST call from my javascript, I get an error related to CORS ("No 'Access-Control-Allow-Origin' header is present on the requested resource."). I can't find anywhere where it seems possible to use javascript to call out to Autodesk's API's and create an Autodesk viewer on my own website. Is this possible using javascript alone? Any info would be great.

I am working from the step-by-step API tutorial at https://developer.autodesk.com/en/docs/viewer/v2/tutorials/basic-viewer/ , which is great, but doesn't seem to indicate how an actual POST call is worked into your application, instead of getting the token via Postman or some other testing tool.

JavaScript:

function getToken() { 
    var xhttp = new XMLHttpRequest();
    var url = "https://developer.api.autodesk.com/authentication/v1/authenticate"; 
    var params = "client_id=MY_CLIENT_ID&client_secret=MY_CLIENT_SECRET&grant_type=client_credentials&scope=data:read";
    xhttp.open("POST", url, true);
    xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); 
    xhttp.send(params);
}

Thanks.

Answer 1

You cannot, this is not supported. Autodesk Forge only supports OAuth from the server side, which is more secure. Explaining, your approach requires the Client ID & Secret to be exposed on the client, so the API blocks it via CORS header.

Answer 2

If you are using one of the following programming languages: JavaScript (node.js), .Net, Java, Ruby, simply use the existing SDK. It will make things much easier.

See here for more details.