
Good morning, I am trying to develop a web app using Blazor and .NET 5. I have successfully implemented the 3-legged authentication system and attached the token to the default header for further requests. I have also implemented the 2-legged authentication request in the same process and saved both in the local storage.

Now I need to start calling some Data Management services to store and retrieve models and also submit work items to Design Automation. All of these will require sending the bearer token together with the request. I would like to manage this bit of the application on the server side, and the question is: is there a way to use the token on the server side other than just trying to retrieve it from the local storage?

Also, is it possible to set up two different HttpClients in the client app to be able to attach two different tokens and then use the same HTTP client in the server-side Blazor? I assume I cannot inject a service from the client to the server, though. I can easily do it on the client side using DI:

    using System;
    using System.Collections.Generic;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using System.Threading.Tasks;
    using Newtonsoft.Json;

    // Calls OSS with the two-legged token and returns the signed URL (null on failure).
    public async Task<string> PostSignedUrlAsync(string bucketKey, string objectKey)
    {
        using (var client = new HttpClient())
        {
            var token = await tokenManager.GetTwoFactorAsync();
            using (var request = new HttpRequestMessage(
                HttpMethod.Post,
                $"https://{configurationManager.Host}/oss/v2/buckets/{bucketKey}/objects/{objectKey}/signed"))
            {
                // The bearer token is attached to this request only, not to a shared default header.
                request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
                using (var response = await client.SendAsync(request))
                {
                    if (response.IsSuccessStatusCode)
                    {
                        var json = await response.Content.ReadAsStringAsync();
                        return JsonConvert.DeserializeObject<PostObjectSigned>(json).SignedUrl;
                    }
                }
                return null;
            }
        }
    }

    // Requests a two-legged (client_credentials) token and caches it in local storage.
    public async Task PostTwoFactorAsync()
    {
        using (var client = new HttpClient())
        {
            using (var request = new HttpRequestMessage(
                HttpMethod.Post,
                $"https://{configurationManager.Host}/authentication/v1/authenticate"))
            {
                // FormUrlEncodedContent encodes each value, so a secret containing '&' or '=' is not broken.
                request.Content = new FormUrlEncodedContent(new Dictionary<string, string>
                {
                    ["client_id"] = configurationManager.ClientId,
                    ["client_secret"] = configurationManager.ClientSecret,
                    ["grant_type"] = "client_credentials",
                    ["scope"] = configurationManager.ScopesInternal
                });
                using (var response = await client.SendAsync(request))
                {
                    if (response.IsSuccessStatusCode)
                    {
                        var json = await response.Content.ReadAsStringAsync();
                        TokenInternal = JsonConvert.DeserializeObject<Token>(json);
                        // Treat the token as expired 10 minutes early so it is refreshed before Forge rejects it.
                        TokenInternal.ExpiresOn = DateTime.UtcNow.AddSeconds(TokenInternal.ExpiresIn) - TimeSpan.FromMinutes(10);
                        await localStorage.SetItemAsync(configurationManager.LocalStorageKeyInternal, TokenInternal);
                    }
                }
            }
        }
    }

Maybe it is a simple question with a simple answer, but I can't find any example that explains how to solve this "connection", and there are no examples in the Forge documentation around Blazor implementations that are suitable for this task.

Thanks in advance

  • Hi Cesare, is there a reason for tagging [autodesk-designautomation](https://stackoverflow.com/questions/tagged/)? – Madhukar Moogala Dec 07 '20 at 08:58
  • Yes, considering that in the question I have mentioned work items and that the question can really be related to different services including DA. But if you think it is not related, no dramas. Thanks – Cesare Caoduro Dec 08 '20 at 03:52
  • Hi @Cesare Caoduro, sorry, I overlooked that. If you have an OAuth token you can pass it to the DA client in the headers: https://github.com/Autodesk-Forge/forge-api-dotnet-core/blob/3f5551bdc53e7b13ce868a10a9072580b7481612/src/Autodesk.Forge.Core/ForgeHandler.cs#L76 All API calls take a dictionary with headers, so you can pass your own Authorization header. See https://github.com/Autodesk-Forge/forge-api-dotnet-design.automation/blob/39861656ee879f1a53dce49832a9ae99fbd77372/src/Autodesk.Forge.DesignAutomation/Http/WorkItemsApi.gen.cs#L116 – Madhukar Moogala Dec 08 '20 at 05:01
  • Hi @Madhukar Moogala, the question is a bit different. I know I can pass the header and the authorisation token, but the question is more related to the possibility of doing it from a Blazor WASM client to the server side of the app, which will then call the DA API or the Data Management API. So it is basically a double jump to avoid exposing the business logic in the WASM part of the app. – Cesare Caoduro Dec 08 '20 at 09:24
  • Maybe if you can share a [minimal-reproducible-example](https://stackoverflow.com/help/minimal-reproducible-example) I can learn to understand your query better; I'm not able to understand from the snippets. It helps the community at large – Madhukar Moogala Dec 09 '20 at 14:16

1 Answer

Firstly, please don't call APIs from the client side; send the client a token with only the scope viewables:read, for viewing in the Forge Viewer. Other than this, call all the Forge APIs from the server side. This is for security reasons: if you send and store tokens on the client side, it's easy for any client to get access to your resources.

Regarding token scopes, please refer to these links:

Documentation

Tutorial

varunpatil
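The split the answer recommends, sketched as an added example for the server project of a Blazor WASM app (this is my illustration, not code from the question, the answer or the Forge SDKs). It assumes ASP.NET Core hosting with the app's own user login already protecting the controller (hence `[Authorize]`), a configuration section `Forge` holding the host, client ID and client secret, the Forge OAuth response fields `access_token` and `expires_in`, the OSS response field `signedUrl`, and the internal scope string `data:read data:write`; all of these names are assumptions, as are the class and route names. The client secret and the internal-scope token never leave the server; the browser only ever receives a `viewables:read` token or the signed URL the server fetched on its behalf.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.Extensions.Options;

// Startup.ConfigureServices (server project), assumed wiring:
//   services.Configure<ForgeOptions>(Configuration.GetSection("Forge"));
//   services.AddMemoryCache();
//   services.AddHttpClient();                     // IHttpClientFactory for the controller
//   services.AddHttpClient<ForgeTokenService>();  // typed client for the token service
//   services.AddControllers();

// Bound from server configuration (user-secrets / environment); never shipped to the WASM client.
public class ForgeOptions
{
    public string Host { get; set; } = "developer.api.autodesk.com";
    public string ClientId { get; set; } = "";
    public string ClientSecret { get; set; } = "";
}

// Server-side two-legged token cache, keyed by scope so a viewer-only token and the
// internal data token are never mixed up.
public class ForgeTokenService
{
    private readonly HttpClient _http;
    private readonly ForgeOptions _opt;
    private readonly IMemoryCache _cache;
    private readonly SemaphoreSlim _gate = new SemaphoreSlim(1, 1);

    public ForgeTokenService(HttpClient http, IOptions<ForgeOptions> opt, IMemoryCache cache)
    { _http = http; _opt = opt.Value; _cache = cache; }

    public async Task<string> GetTokenAsync(string scope, CancellationToken ct = default)
    {
        var cacheKey = "forge:2lo:" + scope;
        if (_cache.TryGetValue(cacheKey, out string cached)) return cached;
        await _gate.WaitAsync(ct);                 // one refresh at a time per process
        try
        {
            if (_cache.TryGetValue(cacheKey, out cached)) return cached;
            using var request = new HttpRequestMessage(HttpMethod.Post,
                $"https://{_opt.Host}/authentication/v1/authenticate")
            {
                Content = new FormUrlEncodedContent(new Dictionary<string, string>
                {
                    ["client_id"] = _opt.ClientId,
                    ["client_secret"] = _opt.ClientSecret,
                    ["grant_type"] = "client_credentials",
                    ["scope"] = scope,
                })
            };
            using var response = await _http.SendAsync(request, ct);
            response.EnsureSuccessStatusCode();
            using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync(ct));
            var token = doc.RootElement.GetProperty("access_token").GetString();   // assumed field name
            var expiresIn = doc.RootElement.GetProperty("expires_in").GetInt32();  // assumed field name
            // Evict 10 minutes before Forge would reject the token, so callers never get a stale one.
            _cache.Set(cacheKey, token, TimeSpan.FromSeconds(Math.Max(expiresIn - 600, 30)));
            return token;
        }
        finally { _gate.Release(); }
    }
}

// The only Forge-facing surface the Blazor WASM client talks to.
[ApiController, Route("api/forge"), Authorize]
public class ForgeController : ControllerBase
{
    private readonly ForgeTokenService _tokens;
    private readonly IHttpClientFactory _clients;
    private readonly ForgeOptions _opt;

    public ForgeController(ForgeTokenService tokens, IHttpClientFactory clients, IOptions<ForgeOptions> opt)
    { _tokens = tokens; _clients = clients; _opt = opt.Value; }

    // The browser receives a token limited to viewables:read: enough for the Forge Viewer, nothing else.
    [HttpGet("viewer-token")]
    public async Task<IActionResult> ViewerToken()
        => Ok(new { access_token = await _tokens.GetTokenAsync("viewables:read") });

    // Internal scopes (assumed: data:read data:write) are used here only; the client gets the signed URL.
    [HttpPost("buckets/{bucketKey}/objects/{objectKey}/signed")]
    public async Task<IActionResult> PostSignedUrl(string bucketKey, string objectKey)
    {
        var token = await _tokens.GetTokenAsync("data:read data:write");
        using var request = new HttpRequestMessage(HttpMethod.Post,
            $"https://{_opt.Host}/oss/v2/buckets/{Uri.EscapeDataString(bucketKey)}/objects/{Uri.EscapeDataString(objectKey)}/signed");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        using var response = await _clients.CreateClient().SendAsync(request);
        if (!response.IsSuccessStatusCode) return StatusCode(502);
        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        return Ok(new { signedUrl = doc.RootElement.GetProperty("signedUrl").GetString() });  // assumed field name
    }
}
```

The Blazor client then calls `GET /api/forge/viewer-token` and `POST /api/forge/buckets/{bucket}/objects/{key}/signed` with its own login cookie or app token; it never holds a Forge token with internal scopes, so there is nothing in local storage worth stealing. The "double jump" from the question is the controller: the server has its own DI container, so `ForgeTokenService` is registered and injected there, and the token cache lives in server memory rather than in browser storage.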