Get 3-legged Token with Implicit Grant

Before you begin, please follow the Create an App tutorial to create your app on APS. Specify your app’s callback URL and note your client ID and secret.

Familiarize yourself with the overall flow:

At some point in the UI of your web app, you will find that you need to get the end user’s consent to access APS resources on the user’s behalf. Depending on your app, you may do this when the user first starts using the app, or you may wait until your app actually needs to access the resource. Whatever the case, you will redirect the user to the GET authorize endpoint in their browser. For example, you might provide a link that looks like the following:

<a href="https://developer.api.autodesk.com/authentication/v1/authorize?response_type=token&client_id=obQDn8P0GanGFQha4ngKKVWcxwyvFAGE&redirect_uri=http%3A%2F%2Fsampleapp.com%2Foauth2%2Fcallback&scope=data:read">Click here to grant access to your data!</a>

That href attribute is a bit difficult to read. Let’s break it down:

• https://developer.api.autodesk.com/authentication/v1/authorize

  This is the endpoint URI and should be used verbatim.

• response_type=token

  This is what tells the OAuth server that you’re using the Implicit grant type and should be used verbatim.

• client_id=obQDn8P0GanGFQha4ngKKVWcxwyvFAGE

  Replace the value here with your app’s client ID.

• redirect_uri=http%3A%2F%2Fsampleapp.com%2Foauth2%2Fcallback

  This is the URL-encoded callback URL you want the user redirected to after they grant consent. In this example, that URL is http://sampleapp.com/oauth/callback. Replace the value here with the appropriate URL for your web app. Note that it must match the pattern specified for the callback URL in your app’s registration in the Forge portal.

• scope=data:read

  This requests the data:read scope. You can leave this value as it is for the purpose of this example, but in your own app, you should request one or more scopes you actually need. If you need to include multiple scopes, you can include them all as space-delimited items. For example: scope=data:create%20data:read%20data:write includes data:read, data:write, and data:create scopes.

Clicking on this link will take the end user to the Autodesk Sign In page:

After entering their Autodesk ID credentials and logging in, the user will be redirected to the OAuth consent page:

When consent has been granted, the user will be redirected back to your callback URL (redirect_uri) with the access token included as a fragment of the URL.

In this example, the user was redirected to http://sampleapp.com/oauth/callback#access_token=eyJhbGciOiJIUzI1NiIsImtpZCI6Imp3dF9zeW1tZXRyaWNfa2V5In0.eyJ1c2VyaWQiOiJIU0pHTTdUSFJIVUIiLCJleHAiOjE1MDE4OTI5MjgsInNjb3BlIjpbXSwiY2xpZW50X2lkIjoibk9oYnJPZW9HeHE4R2JBeFVvR2NIcXpEWmVqQWxxSUsiLCJhdWQiOiJodHRwczovL2F1dG9kZXNrLmNvbS9hdWQvand0ZXhwMTQ0MCIsImp0aSI6Im12bmwyZ2tKOEU4Tkd2S2JEVk00S3BHaTRCYkZtRndyUmVrd2NjT3B3RU1OTlVTdnZrNnljNllWSGo3d29WWjMifQ.Niy8dwBQVuhcaCTClZqttJleuKIoQtnS8yoT1ZJWgNg&token_type=Bearer&expires_in=86399.

Your code that serves up the /oauth/callback URL in your web app should return a web page with a snippet of JavaScript to extract the fragment

access_token=eyJhbGciOiJIUzI1NiIsImtpZ...&token_type=Bearer&expires_in=86399 from the URL and post the values to your server for parsing.

<html>
 <body>
  <script>
   var params = {},
       queryString = location.hash.substring(1),
       regex = /([^&=]+)=([^&]*)/g,
       m;
   while (m = regex.exec(queryString)) {
     params[m[1]] = m[2];
   }
   alert("your access token is : " + params["access_token"]);
  </script>
 </body>
</html>

You will then be able to use the access token to make calls to other API endpoints on behalf of the end user that require the data:read scope and have a “user context required” or “user context optional” authentication context.

After the token expires, You should repeat this flow to authorize the user again to acquire a new access token.