“使用授权代码授予获取三足令牌”不是 OAuth 2.0 RFC 投诉并生成错误 400
“Get a 3-Legged Token with Authorization Code Grant” is not OAuth 2.0 RFC complaint and generates an Error 400
我已经实现了能够使用授权代码宏类型通过授权过程获取 OAuth 访问令牌的应用程序。我已经成功地将它与 Google API 服务一起使用,但是当我将它与 AutoDesk Forge API 服务一起使用时我遇到了问题。我怀疑 OAuth AutoDesk 不能很好地确认 OAuth 2.0 规范。
我的应用程序发出此 HTTP POST 形状请求:
POST /authentication/v1/gettoken HTTP/1.1
Host: developer.api.autodesk.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
这里我发送 client_id 和 client_secret 作为基本 HTTP 授权的用户名和密码。但是我得到一个错误:
{"developerMessage":"The required parameter(s) client_id,client_secret not present in the request","userMessage":"","errorCode":"AUTH-008","more info":"http://developer.api.autodesk.com/documentation/v1/errors/AUTH-008"}
但是,OAuth 规范在第 2.3.1 章中说 (https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1):
The authorization server MUST support the HTTP Basic
authentication scheme for authenticating clients that were issued a
client password.
您可以在第 4.2.3 章中看到服务器必须支持的此类请求的示例 (https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3):
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
而且 AutoDesk 根据其文档希望它有所不同:
curl -v 'https://developer.api.autodesk.com/authentication/v1/gettoken'
-X 'POST'
-H 'Content-Type: application/x-www-form-urlencoded'
-d '
client_id=obQDn8P0GanGFQha4ngKKVWcxwyvFAGE&
client_secret=eUruM8HRyc7BAQ1e&
grant_type=authorization_code&
code=wroM1vFA4E-Aj241-quh_LVjm7UldawnNgYEHQ8I&
redirect_uri=http://sampleapp.com/oauth/callback
'
(在这里,如您所见,AutoDesk 期望 client_id 和 client_secret 出现在 POST 请求正文中。)这是服务器可能支持的另一种方式,如再次写入在第 2.3.1 章中(https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1):
Alternatively, the authorization server MAY support including the
client credentials in the request-body
那么,AutoDesk Forge API 服务只支持可选方式,显然不支持强制方式,我说得对吗?
So, am I right that AutoDesk Forge API service only supports optional way and apparently doesn’t support mandatory way?
肯定 - 可以找到唯一受支持的身份验证格式 here。
我已经实现了能够使用授权代码宏类型通过授权过程获取 OAuth 访问令牌的应用程序。我已经成功地将它与 Google API 服务一起使用,但是当我将它与 AutoDesk Forge API 服务一起使用时我遇到了问题。我怀疑 OAuth AutoDesk 不能很好地确认 OAuth 2.0 规范。
我的应用程序发出此 HTTP POST 形状请求:
POST /authentication/v1/gettoken HTTP/1.1
Host: developer.api.autodesk.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
这里我发送 client_id 和 client_secret 作为基本 HTTP 授权的用户名和密码。但是我得到一个错误:
{"developerMessage":"The required parameter(s) client_id,client_secret not present in the request","userMessage":"","errorCode":"AUTH-008","more info":"http://developer.api.autodesk.com/documentation/v1/errors/AUTH-008"}
但是,OAuth 规范在第 2.3.1 章中说 (https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1):
The authorization server MUST support the HTTP Basic
authentication scheme for authenticating clients that were issued a
client password.
您可以在第 4.2.3 章中看到服务器必须支持的此类请求的示例 (https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3):
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
而且 AutoDesk 根据其文档希望它有所不同:
curl -v 'https://developer.api.autodesk.com/authentication/v1/gettoken'
-X 'POST'
-H 'Content-Type: application/x-www-form-urlencoded'
-d '
client_id=obQDn8P0GanGFQha4ngKKVWcxwyvFAGE&
client_secret=eUruM8HRyc7BAQ1e&
grant_type=authorization_code&
code=wroM1vFA4E-Aj241-quh_LVjm7UldawnNgYEHQ8I&
redirect_uri=http://sampleapp.com/oauth/callback
'
(在这里,如您所见,AutoDesk 期望 client_id 和 client_secret 出现在 POST 请求正文中。)这是服务器可能支持的另一种方式,如再次写入在第 2.3.1 章中(https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1):
Alternatively, the authorization server MAY support including the
client credentials in the request-body
那么,AutoDesk Forge API 服务只支持可选方式,显然不支持强制方式,我说得对吗?
So, am I right that AutoDesk Forge API service only supports optional way and apparently doesn’t support mandatory way?
肯定 - 可以找到唯一受支持的身份验证格式 here。