20 Sep 2017

Security Recommendations for BIM 360 App Developers - Select account


Following up on the Security Recommendations for BIM 360 App Developers article, the question was how to implement secure provisioning in your app. This article focuses on the steps that let an end-user securely select an account in your application. For this example, let's assume a workflow where your application needs BIM 360 Project specific information, such as start and end dates, construction or service type, or the address. Your app will need to:

  1. Provision your app's Forge Client ID with BIM 360 Docs (just one time)
  2. Authorize the user to obtain a 3-legged token (first time, or refresh for returning users)
    1. Call Data Management GET Hubs
    2. Filter the BIM 360 Docs hubs: those whose ID starts with b. or whose hub.attributes.extension.type equals hubs:autodesk.bim360:Account. These are the Accounts the user has access to; remove the b. prefix to obtain the Account ID.
    3. Call Data Management GET Projects; these are the Projects the user has access to
  3. Authenticate a 2-legged token
    1. Use the HubID/AccountID obtained in step 2.2 and the ProjectID from step 2.3
    2. Call BIM 360 GET Project
    3. Read the information you need, like dates, types or address

As permissions may change, it's recommended NOT to store the HubID/AccountID or ProjectID for a given user. For instance, if the contractor finishes the job, the BIM 360 Account Admin may revoke his/her access; if your app always obtains the Hubs/Projects with the 3-legged token, it will be up-to-date. Your app can (and should) keep the refresh token for returning users.
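The selection logic from steps 2.2, 2.3 and 3.1, as an added example (not code from the original article): it filters the Data Management hubs response to BIM 360 Docs hubs, strips the b. prefix from the hub and project IDs, and builds the URL for the 2-legged BIM 360 GET Project call. It runs over constructed sample responses; the HQ base path for the BIM 360 project endpoint and the sample IDs are assumptions, and the HTTP calls themselves are left to your client so the resolution is repeated per login rather than read from stored IDs.

```javascript
const DM_BASE = "https://developer.api.autodesk.com/project/v1";
// Assumed base of the BIM 360 Account Admin API used for "BIM 360 GET Project".
const HQ_BASE = "https://developer.api.autodesk.com/hq/v1";

// Constructed sample of GET /project/v1/hubs: one BIM 360 Docs hub, one A360 hub.
const SAMPLE_HUBS = { data: [
  { type: "hubs", id: "b.11111111-2222-3333-4444-555555555555",
    attributes: { name: "Example BIM 360 Account",
      extension: { type: "hubs:autodesk.bim360:Account" } } },
  { type: "hubs", id: "a.YnVzaW5lc3M6ZXhhbXBsZQ",
    attributes: { name: "Personal A360 hub",
      extension: { type: "hubs:autodesk.core:Hub" } } },
] };
// Constructed sample of GET /project/v1/hubs/:hub_id/projects, keyed by hub ID.
const SAMPLE_PROJECTS_BY_HUB = {
  "b.11111111-2222-3333-4444-555555555555": { data: [
    { type: "projects", id: "b.66666666-7777-8888-9999-000000000000",
      attributes: { name: "Riverside Tower" } },
  ] },
};

// Step 2.2: a hub is BIM 360 Docs if its ID starts with "b." or its extension type says so.
function isBim360Hub(hub) {
  const ext = hub.attributes && hub.attributes.extension;
  return hub.id.startsWith("b.") ||
    (!!ext && ext.type === "hubs:autodesk.bim360:Account");
}
function filterBim360Hubs(hubsResponse) { return hubsResponse.data.filter(isBim360Hub); }

// Data Management prefixes BIM 360 account and project IDs with "b."; remove it.
function stripBim360Prefix(id) {
  if (!id.startsWith("b.")) throw new Error(`not a BIM 360 id: ${id}`);
  return id.slice(2);
}

function projectsUrl(hubId) { return `${DM_BASE}/hubs/${hubId}/projects`; }

// Steps 2.2 to 3.1: resolve the user's chosen project to the IDs the 2-legged
// BIM 360 call needs. Returns null when no accessible hub holds that project,
// which is the right outcome after an Account Admin revokes the user's access.
function selectProject(hubsResponse, projectsByHub, projectName) {
  for (const hub of filterBim360Hubs(hubsResponse)) {
    const projects = projectsByHub[hub.id];          // response of projectsUrl(hub.id)
    if (!projects) continue;
    const project = projects.data.find((p) => p.attributes.name === projectName);
    if (!project) continue;
    const accountId = stripBim360Prefix(hub.id);
    const projectId = stripBim360Prefix(project.id);
    return { accountId, projectId,
      bim360ProjectUrl: `${HQ_BASE}/accounts/${accountId}/projects/${projectId}` };
  }
  return null;
}
```

Fetch the hubs and projects responses with the user's 3-legged token, then call bim360ProjectUrl with the app's 2-legged token.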

This approach ensures your app keeps data secure and private.
