29 Feb 2020

401 Unauthorized / 403 Forbidden

A developer ran into a 401 Unauthorized error (described in the documentation as Invalid authorization header) when going through the Extract Metadata From a Source File, so I went through it as well to test it, and ran into the exact same error by accident:

* upload completely sent off: 341 out of 341 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Access-Control-Allow-Origin: *
< Date: Sat, 29 Feb 2020 16:49:01 GMT
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< x-ads-app-identifier: platform-viewing-2020.01.01.97.5c80940-production
< x-ads-duration: 54 ms
< x-ads-startup-time: Thu Feb 27 13:06:33 UTC 2020
< x-ads-troubleshooting: The input urn is not authorized. Token Expired. Please refresh the token.
< Content-Length: 0
< Connection: keep-alive
< 
* Connection #0 to host developer.api.autodesk.com left intact

In my case it was because when copying the access token to the header, I accidentally placed an extra space after the "Bearer" string:

curl -X 'POST' -H 'Authorization: Bearer  eyJhbGciOiJIUzI1N...' -H 'Content-Type: application/json' ...

The "x-ads-troubleshooting: The input urn is not authorized. Token Expired. Please refresh the token." message was a bit misleading.

Got the same error if I modified the access token string in any other way.

As a test, I also tried what happens if I did not have an access token with the right scopes - i.e. missing data:write or data:create when doing translation.

In that case the error was 403 Forbidden saying that the token does not have the privilege for the request: 

* upload completely sent off: 341 out of 341 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Content-Type: text/plain
< Date: Sat, 29 Feb 2020 16:59:28 GMT
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Content-Length: 51
< Connection: keep-alive
< 
* Connection #0 to host developer.api.autodesk.com left intact
Token does not have the privilege for this request.

By the way, here is a blog post on making sure you have the right scopes: Debug access rights issues from access token
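Because the 401 above reports "Token Expired" even for a stray space, a local check of the header before sending separates the cases. This is an added example, not code from the original post or from Autodesk; it assumes the access token is a JWT whose payload carries `exp` and `scope` claims, and `preflight` and `make_sample_token` are hypothetical names.

```python
import base64
import json
import re
import time

# Exactly one space after "Bearer", then three base64url segments (assumed JWT).
_BEARER_RE = re.compile(r"Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)", re.ASCII)


def _b64url_json(segment):
    """Decode one unpadded base64url segment into a Python object."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def preflight(header_value, required_scopes, now=None):
    """Return locally detectable problems; the signature is NOT verified."""
    match = _BEARER_RE.fullmatch(header_value)
    if not match:
        return ["malformed Authorization header: likely 401"]
    try:
        claims = _b64url_json(match.group(2))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        claims = None
    if not isinstance(claims, dict):
        return ["token payload is not a JSON object: likely 401"]
    problems = []
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        problems.append("token expired: likely 401")
    granted = claims.get("scope", [])
    if isinstance(granted, str):  # tolerate a space-delimited scope string
        granted = granted.split()
    missing = sorted(set(required_scopes) - set(granted))
    if missing:
        problems.append("missing scope(s) %s: likely 403" % ", ".join(missing))
    return problems


def make_sample_token(claims):
    """Build a constructed token with a dummy signature (demo input only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s.c2ln" % (enc({"alg": "HS256"}), enc(claims))


if __name__ == "__main__":
    tok = make_sample_token({"scope": ["data:read"], "exp": 4102444800})
    print(preflight("Bearer  " + tok, ["data:read"]))  # double space, as in the post
    print(preflight("Bearer " + tok, ["data:read", "data:write"]))
```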

I also tested what message I get if I remove from my Forge App the support for the Model Derivative API and then try to run a translation. That as well gives a 403 Forbidden, but the developerMessage returned is quite clear on what the problem is:

* upload completely sent off: 344 out of 344 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Unauthorized
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Headers: Content-Length,x-ads-ul-ctx-client-id,x-ads-ul-ctx-caller-span-id,Content-Range,Access-Control-Allow-Origin,Authorization,x-ads-test,x-ads-ul-ctx-oxygen-id,x-ads-acm-scopes,x-ads-ul-ctx-head-span-id,If-Match,x-ads-ul-ctx-source,Accept-Encoding,If-Modified-Since,x-ads-acm-namespace,Access-Control-Allow-Credentials,x-ads-acm-groups,Session-Id,Content-Encoding,x-ads-ul-ctx-scope,Range,Accept,x-ads-ul-ctx-workflow-id,x-requested-with,Expect,x-ads-acm-check-groups,If-None-Match,Content-Type,x-csrf-token,x-ads-force, x-ads-force-all
< Access-Control-Allow-Methods: POST,GET,OPTIONS,HEAD,PUT,DELETE,PATCH
< Access-Control-Allow-Origin: 
< Content-Type: application/json
< Date: Sat, 29 Feb 2020 17:47:03 GMT
< Content-Length: 204
< Connection: keep-alive
< 
* Connection #0 to host developer.api.autodesk.com left intact
{ "developerMessage":"The client_id specified does not have access to the api product", "moreInfo": "https://forge.autodesk.com/en/docs/oauth/v2/developers_guide/error_handling/", "errorCode": "AUTH-001"}

 

 

Posted By

Adam Nagy
