“使用授权码授予获取 3 条腿令牌”不是 OAuth 2.0 RFC 投诉并生成错误 400

Question

I've implemented application capable of acquiring OAuth access token through authorization process using authorization code grand type. I've used it successfully with Google API services but I have a problem when I use it with AutoDesk Forge API services. I have suspicion that OAuth AutoDesk does not confirm well with OAuth 2.0 specification.

My application issues this HTTP POST request of the shape:

POST /authentication/v1/gettoken HTTP/1.1
Host: developer.api.autodesk.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

Here I send client_id and client_secret as username and password for Basic HTTP authorization. But I get an error:

{"developerMessage":"The required parameter(s) client_id,client_secret not present in the request","userMessage":"","errorCode":"AUTH-008","more info":"http://developer.api.autodesk.com/documentation/v1/errors/AUTH-008"}

However, OAuth specification says in chapter 2.3.1 ( https://tools.ietf.org/html/rfc6749#section-2.3.1 ):

The authorization server MUST support the HTTP Basic
authentication scheme for authenticating clients that were issued a
client password.

You can see example of such request that server MUST support in chapter 4.2.3 ( https://tools.ietf.org/html/rfc6749#section-4.1.3 ):

 POST /token HTTP/1.1
 Host: server.example.com
 Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
 Content-Type: application/x-www-form-urlencoded

 grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
 &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

And AutoDesk wants it differently as per its documentation:

  curl -v 'https://developer.api.autodesk.com/authentication/v1/gettoken'
  -X 'POST'
  -H 'Content-Type: application/x-www-form-urlencoded'
  -d '
    client_id=obQDn8P0GanGFQha4ngKKVWcxwyvFAGE&
    client_secret=eUruM8HRyc7BAQ1e&
    grant_type=authorization_code&
    code=wroM1vFA4E-Aj241-quh_LVjm7UldawnNgYEHQ8I&
    redirect_uri=http://sampleapp.com/oauth/callback
  '

(Here, as you can see, AutoDesk expects client_id and client_secret to be in the POST request body.) That is additional way that server MAY support as written again in chapter 2.3.1 ( https://tools.ietf.org/html/rfc6749#section-2.3.1 ):

Alternatively, the authorization server MAY support including the
client credentials in the request-body

So, am I right that AutoDesk Forge API service only supports optional way and apparently doesn't support mandatory way?

Answer 1

So, am I right that AutoDesk Forge API service only supports optional way and apparently doesn't support mandatory way?

Affirmative - the only authentication format that's supported can be found here .