[英]“Get a 3-Legged Token with Authorization Code Grant” is not OAuth 2.0 RFC complaint and generates an Error 400
I've implemented application capable of acquiring OAuth access token through authorization process using authorization code grand type.我已经实现了能够通过使用授权码大类型的授权过程获取 OAuth 访问令牌的应用程序。 I've used it successfully with Google API services but I have a problem when I use it with AutoDesk Forge API services.
我已经成功地将它与 Google API 服务一起使用,但是当我将它与 AutoDesk Forge API 服务一起使用时出现问题。 I have suspicion that OAuth AutoDesk does not confirm well with OAuth 2.0 specification.
我怀疑 OAuth AutoDesk 与 OAuth 2.0 规范不能很好地确认。
My application issues this HTTP POST request of the shape:我的应用程序发出此形状的 HTTP POST 请求:
POST /authentication/v1/gettoken HTTP/1.1
Host: developer.api.autodesk.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
Here I send client_id and client_secret as username and password for Basic HTTP authorization.在这里,我发送 client_id 和 client_secret 作为基本 HTTP 授权的用户名和密码。 But I get an error:
但我收到一个错误:
{"developerMessage":"The required parameter(s) client_id,client_secret not present in the request","userMessage":"","errorCode":"AUTH-008","more info":"http://developer.api.autodesk.com/documentation/v1/errors/AUTH-008"}
However, OAuth specification says in chapter 2.3.1 ( https://tools.ietf.org/html/rfc6749#section-2.3.1 ):但是,OAuth 规范在第 2.3.1 章( https://tools.ietf.org/html/rfc6749#section-2.3.1 )中说:
The authorization server MUST support the HTTP Basic
authentication scheme for authenticating clients that were issued a
client password.
You can see example of such request that server MUST support in chapter 4.2.3 ( https://tools.ietf.org/html/rfc6749#section-4.1.3 ):您可以在第 4.2.3 章( https://tools.ietf.org/html/rfc6749#section-4.1.3 )中看到服务器必须支持的此类请求的示例:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
And AutoDesk wants it differently as per its documentation: AutoDesk 根据其文档希望它有所不同:
curl -v 'https://developer.api.autodesk.com/authentication/v1/gettoken'
-X 'POST'
-H 'Content-Type: application/x-www-form-urlencoded'
-d '
client_id=obQDn8P0GanGFQha4ngKKVWcxwyvFAGE&
client_secret=eUruM8HRyc7BAQ1e&
grant_type=authorization_code&
code=wroM1vFA4E-Aj241-quh_LVjm7UldawnNgYEHQ8I&
redirect_uri=http://sampleapp.com/oauth/callback
'
(Here, as you can see, AutoDesk expects client_id and client_secret to be in the POST request body.) That is additional way that server MAY support as written again in chapter 2.3.1 ( https://tools.ietf.org/html/rfc6749#section-2.3.1 ): (在这里,如您所见,AutoDesk 期望 client_id 和 client_secret 在 POST 请求正文中。)这是服务器可能支持的另一种方式,如第 2.3.1 章( https://tools.ietf.org/html /rfc6749#section-2.3.1 ):
Alternatively, the authorization server MAY support including the
client credentials in the request-body
So, am I right that AutoDesk Forge API service only supports optional way and apparently doesn't support mandatory way?那么,我认为 AutoDesk Forge API 服务只支持可选方式而显然不支持强制方式是对的吗?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.