尝试在 Forge 上进行身份验证时是否可以绕过 CORS?
我们正在 Unity 中构建一个 WebGL 应用程序,并且希望在其中使用 Forge 的设计自动化 API。由于大多数设计自动化 API 都使用 Websocket API,因此非常简单。但是,身份验证是通过 HTTP 请求完成的,这当然会被 CORS 阻止。JS 代码如下所示:
Authentication: function () {
var postData = {
'client_id': 'the id',
'client_secret': 'the secret',
'grant_type': 'client_credentials',
'scope': 'code:all'
};
$.ajax({
url: 'https://developer.api.autodesk.com/authentication/v1/authenticate',
type: 'POST',
contentType: 'application/x-www-form-urlencoded',
data: postData,
}).done(function (data, textStatus, jqXHR) {
console.log("worked", data, textStatus, jqXHR);
console.log("data", data);
console.log(jqXHR.responseJSON);
}).fail(function (jqXHR, textStatus, errorThrown) {
console.log("failed", jqXHR, textStatus, errorThrown);
console.log(jqXHR.responseJSON);
})
}
参考文档: https://forge.autodesk.com/en/docs/oauth/v1/reference/http/authenticate-POST/
我们不确定在这种情况下如何绕过 CORS 以及如何获取承载来自 Forge 的令牌..
We are building a WebGL application in Unity, and we want to use Forge's Design Automation API in it. As most of the Design Automation API is using a Websocket API, it's pretty straightforward. BUT, Authentication is being done with a HTTP request, which is of course blocked by CORS.. The JS code looks like this:
Authentication: function () {
var postData = {
'client_id': 'the id',
'client_secret': 'the secret',
'grant_type': 'client_credentials',
'scope': 'code:all'
};
$.ajax({
url: 'https://developer.api.autodesk.com/authentication/v1/authenticate',
type: 'POST',
contentType: 'application/x-www-form-urlencoded',
data: postData,
}).done(function (data, textStatus, jqXHR) {
console.log("worked", data, textStatus, jqXHR);
console.log("data", data);
console.log(jqXHR.responseJSON);
}).fail(function (jqXHR, textStatus, errorThrown) {
console.log("failed", jqXHR, textStatus, errorThrown);
console.log(jqXHR.responseJSON);
})
}
The documentation for reference: https://forge.autodesk.com/en/docs/oauth/v1/reference/http/authenticate-POST/
We are not sure how to bypass CORS in this situation and how to get the bearer token from Forge..
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我不认为你想从浏览器进行 2-legged oauth。这意味着您将您的客户端 ID/秘密分发给使用您网站的每个人。
您应该使用 3 足 oauth。例如,请参见 https://github.com/zhuliice/ forge-designautomation-websocket-api/tree/main/browser
I don't think you want to do 2-legged oauth from the browser. This means that you distribute your client id/secret to everyone who uses your website.
You should use 3-legged oauth. See for example, https://github.com/zhuliice/forge-designautomation-websocket-api/tree/main/browser
看起来您正在从浏览器上的网页请求 2 足访问令牌。不幸的是,这是不允许的,因为正如 Albert 提到的,您的客户端 ID 和秘密将暴露给通过浏览器开发控制台查看您的 JS 文件而使用您网站的每个人。这对您的网站来说将是一个致命的安全问题。
我建议您将 OAuth 工作流程移至后端(服务器端),提供端点服务,并使用 AJAX 调用如下例所示。
Looks like you're asking for a 2-legged access token from the web page on the browser. Unfortunately, it's not allowed since as Albert mentioned, your client id and secret will be exposed to everyone who uses your website by looking at your JS files via the browser dev console. It would be a fatal security issue to your website.
I would advise you to move your OAuth workflow to your backend (server-side), serve an endpoint, and get the necessary access tokens from the frontend (browser side) using AJAX call like the below sample.