20 Sep 2017
Security Recommendations for BIM 360 App Developers - Select account
Following up on the Security Recommendations for BIM 360 App Developers article, a recurring question was how to implement secure provisioning in your app. This article focuses on the steps that let an end-user securely select an account in your application. For this example, assume a workflow where your application needs BIM 360 project-specific information, such as start and end dates, construction or service type, or the project address. Your app will need to:
Prerequisite: provision your app's Forge Client ID with BIM 360 Docs (done once per account).
1. Authorize the user to obtain a 3-legged token (on first use, or refresh it for returning users).
   1. Call Data Management GET Hubs.
   2. Filter the BIM 360 Docs hubs: those whose ID starts with b., or where hub.attributes.extension.type equals hubs:autodesk.bim360:Account. These are the accounts the user has access to; remove the b. prefix from the hub ID to obtain the account ID.
   3. Call Data Management GET Projects for the selected hub; these are the projects the user has access to.
2. Authenticate with a 2-legged token.
   1. Using the HubID/AccountID obtained in step 1.2 and the ProjectID from step 1.3,
   2. call BIM 360 GET Project, and
   3. read the information you need, such as dates, types or address.
As permissions may change, do NOT store the HubID/AccountID or ProjectID for a given user. For instance, when a contractor finishes the job, the BIM 360 Account Admin may revoke their access; if your app always obtains the hubs and projects with the user's 3-legged token, the list is up to date. Note that the 2-legged token identifies your app, not the user, and can read any project in any account where the app is provisioned, so the hub and project the user selects must be checked against that freshly fetched list before the 2-legged call is made, rather than taken from storage or trusted from the client request. Your app can (and should) keep the refresh token for returning users.
This approach ensures your app keeps data secure and private.
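The following is an added example, not code from the original article or from Autodesk Forge. It implements the offline parts of the workflow above: filtering BIM 360 hubs out of a GET Hubs response and stripping the b. prefix (step 1.2), selecting a BIM 360 project from GET Projects (step 1.3), building the 2-legged GET Project call (step 2), and, for the caveat in the last paragraph, re-checking the user's chosen hub and project against the lists their 3-legged token just returned so that nothing stored or client-supplied is trusted on its own. The response payloads are constructed to follow the Data Management API shape and contain no real accounts; the HQ project URL path is an assumption taken from the BIM 360 Account Admin API and is not confirmed by the article.

```javascript
// Added example (not from the original article or Autodesk Forge).
// Sample responses below are constructed; the HQ URL path is an assumption.

const BIM360_HUB_TYPE = 'hubs:autodesk.bim360:Account';
const BIM360_PROJECT_TYPE = 'projects:autodesk.bim360:Project';
const HQ_BASE = 'https://developer.api.autodesk.com/hq/v1'; // assumed path

// Data Management prefixes BIM 360 account and project GUIDs with "b.".
function stripBim360Prefix(id) {
  if (typeof id !== 'string' || !id.startsWith('b.')) {
    throw new Error(`not a BIM 360 id: ${id}`);
  }
  return id.slice(2);
}

function extensionType(item) {
  return item.attributes && item.attributes.extension
    ? item.attributes.extension.type
    : undefined;
}

// Step 1.2: keep only BIM 360 hubs; each becomes {hubId, accountId, name}.
function bim360Hubs(hubsResponse) {
  return (hubsResponse.data || [])
    .filter(h => (typeof h.id === 'string' && h.id.startsWith('b.')) ||
                 extensionType(h) === BIM360_HUB_TYPE)
    .map(h => ({ hubId: h.id, accountId: stripBim360Prefix(h.id), name: h.attributes.name }));
}

// Step 1.3: BIM 360 projects from GET hubs/:hub_id/projects,
// as {projectId (Data Management id), bim360ProjectId (GUID), name}.
function bim360Projects(projectsResponse) {
  return (projectsResponse.data || [])
    .filter(p => extensionType(p) === BIM360_PROJECT_TYPE)
    .map(p => ({ projectId: p.id, bim360ProjectId: stripBim360Prefix(p.id), name: p.attributes.name }));
}

// Step 2: URL for the 2-legged BIM 360 GET Project call (path is an assumption).
function hqProjectUrl(accountId, bim360ProjectId) {
  return `${HQ_BASE}/accounts/${encodeURIComponent(accountId)}/projects/${encodeURIComponent(bim360ProjectId)}`;
}

// Authorization check: the hub and project the user picked must both appear in
// the lists fetched with *their* 3-legged token on this request. hubsResponse is
// the GET Hubs body; projectsResponse is GET hubs/:requestedHubId/projects.
// Returns null when the user no longer sees that account or project, so the
// caller must not fall back to a stored or client-supplied id.
function selectProject(hubsResponse, projectsResponse, requestedHubId, requestedProjectId) {
  const hub = bim360Hubs(hubsResponse).find(h => h.hubId === requestedHubId);
  if (!hub) return null;
  const project = bim360Projects(projectsResponse).find(p => p.projectId === requestedProjectId);
  if (!project) return null;
  return {
    accountId: hub.accountId,
    bim360ProjectId: project.bim360ProjectId,
    url: hqProjectUrl(hub.accountId, project.bim360ProjectId),
  };
}

// Constructed sample responses (Data Management shape, fake ids).
const SAMPLE_HUBS = { data: [
  { type: 'hubs', id: 'b.11111111-2222-4333-8444-555555555555',
    attributes: { name: 'Acme Construction', extension: { type: 'hubs:autodesk.bim360:Account', version: '1.0' } } },
  { type: 'hubs', id: 'a.YnVzaW5lc3M6YWNtZS1hMzYw',
    attributes: { name: 'Acme A360 Team', extension: { type: 'hubs:autodesk.core:Hub', version: '1.0' } } },
] };

const SAMPLE_PROJECTS = { data: [
  { type: 'projects', id: 'b.66666666-7777-4888-8999-aaaaaaaaaaaa',
    attributes: { name: 'Downtown Tower', extension: { type: 'projects:autodesk.bim360:Project', version: '1.0' } } },
] };

// Stand-alone run: resolve the user's pick and print the 2-legged call target.
const picked = selectProject(SAMPLE_HUBS, SAMPLE_PROJECTS, SAMPLE_HUBS.data[0].id, SAMPLE_PROJECTS.data[0].id);
console.log(picked);
```

In a real app the two sample objects are the bodies returned by GET Hubs and GET Projects using the user's 3-legged token on the current request, and the requested hub and project IDs come from the user's selection in the UI; a null result means the selection is no longer authorized and the 2-legged GET Project call should not be made.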