401 Unauthorized when using Forge Viewer, but using CURL it returns 200 OK

Question

When initializing an instance of Forge Viewer, it is returning a 401 Unauthorized with a token generated on my server. But the same exact code generates a valid token for Model Derivative to convert a file to SVF. Using CURL to generate a token then accessing a manifest on Model Derivative also works. The credentials are correct, the code is correct, it all works in all paths, except when initializing the Viewer (and the same code worked until today early).

Is there a problem with Viewer authentication on Autodesk servers? Or something changed for token generation on the Viewer?

Edit: something in my server was creating a token with all kinds of permissions (read an write, data, bucket, etc.). Thanks to varunpatil's answer, I changed the token to use only 'viewables:read', and it loaded successfully.

New edit: it started to happen on my local system, with another account. Everything is set up correctly, yet tokens still come up invalid.

I've inspected them with https://www.jstoolset.com/jwt, and this is the header and payload:

{"alg":"RS256","kid":"--hidden--"}
{"scope":["viewables:read"],"client_id":"--hidden--","aud":"https://autodesk.com/aud/ajwtexp60","jti":"--hidden--","exp":1618599603}

score 1 · Answer 1 · answered Apr 16 '21 at 04:34

1

use scope viewables:read

Please don'e use data: read for viewer, with that token users can read all the files. Ref: https://forge.autodesk.com/blog/new-viewablesread-scope

answered Apr 16 '21 at 04:34

varunpatil

428
1
3
6

Unmarked as solved, since it worked on one code, but the other used this exact solution and stopped working. So it's not this. – Tiago Raposo Apr 16 '21 at 19:07
it should be consistent with all apps. Please refer to examples in https://learnforge.autodesk.io/ in case you're missing something. – varunpatil Apr 19 '21 at 10:21
Thanks for the help, but the problem went away by itself, then returned yesterday. It's almost random. I can upload a new file to Model Derivative, then try to open it and it fails. Another Forge account can do both with the same code. Could it be something tied to the account? – Tiago Raposo Apr 23 '21 at 11:56

score 0 · Answer 2 · answered Apr 23 '21 at 18:09

0

It turns out that our server was caching the token, and in some cases wasn't updating it after expiration. Disabling the cache apparently solved the issue, although a new token will always be generated, independent of the expiration time.

answered Apr 23 '21 at 18:09

Tiago Raposo

17
1
5

401 Unauthorized when using Forge Viewer, but using CURL it returns 200 OK

2 Answers2