
We are building a WebGL application in Unity, and we want to use Forge's Design Automation API in it. As most of the Design Automation API is using a WebSocket API, it's pretty straightforward. But authentication is done with an HTTP request, which is of course blocked by CORS. The JS code looks like this:

    // Browser-side request: the client id and secret are embedded in the
    // page's JavaScript, and the cross-origin POST is rejected by CORS.
    Authentication: function () {
        var postData = {
            'client_id': 'the id',
            'client_secret': 'the secret',
            'grant_type': 'client_credentials',
            'scope': 'code:all'
        };

        $.ajax({
            url: 'https://developer.api.autodesk.com/authentication/v1/authenticate',
            type: 'POST',
            contentType: 'application/x-www-form-urlencoded',
            data: postData
        }).done(function (data, textStatus, jqXHR) {
            console.log("worked", data, textStatus, jqXHR);
            console.log("data", data);
            console.log(jqXHR.responseJSON);
        }).fail(function (jqXHR, textStatus, errorThrown) {
            console.log("failed", jqXHR, textStatus, errorThrown);
            console.log(jqXHR.responseJSON);
        });
    }

The documentation for reference: https://forge.autodesk.com/en/docs/oauth/v1/reference/http/authenticate-POST/

We are not sure how to bypass CORS in this situation or how to get the bearer token from Forge.

codeFreak24

2 Answers


I don't think you want to do 2-legged oauth from the browser. This means that you distribute your client id/secret to everyone who uses your website.

You should use 3-legged oauth. See for example, https://github.com/zhuliice/forge-designautomation-websocket-api/tree/main/browser

Albert Szilvasy

Looks like you're asking for a 2-legged access token from the web page in the browser. Unfortunately, it's not allowed, since, as Albert mentioned, your client id and secret will be exposed to everyone who uses your website by looking at your JS files via the browser dev console. It would be a fatal security issue for your website.

I would advise you to move your OAuth workflow to your backend (server-side), serve an endpoint, and get the necessary access tokens from the frontend (browser side) using an AJAX call like the sample below.

Eason Kang
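As an added illustration of the server-side workflow both answers point to (this is example code written for this page, not code from the question, from either answer, or from Forge's own samples): a small Node.js token broker. The client id and secret stay in the server process; the browser calls an endpoint on the application's own origin, so the call is not cross-origin and CORS never enters the picture, and the only thing it gets back is the short-lived bearer token. `TOKEN_URL` is the endpoint from the question; `buildTokenRequest`, `createTokenBroker`, `tokenRouteHandler` and the offline `makeFakeFetch` stand-in are constructed here for illustration and are not a Forge API.

```javascript
// Added example (not from the question or the answers): keep the Forge client
// id/secret on the server and hand the browser only the short-lived bearer token.
// TOKEN_URL is the endpoint from the question; the broker, the route handler and
// the mock fetch are constructed here for illustration.
const TOKEN_URL = 'https://developer.api.autodesk.com/authentication/v1/authenticate';

// Same form-encoded body the question's jQuery call sends, built on the server,
// where the secret never leaves the process.
function buildTokenRequest(clientId, clientSecret, scope) {
  const body = new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    grant_type: 'client_credentials',
    scope,
  }).toString();
  return {
    url: TOKEN_URL,
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body,
    },
  };
}

// Caches the token and refreshes it a minute before expiry, so one browser
// page load does not turn into one OAuth request per API call.
function createTokenBroker({ clientId, clientSecret, scope, fetchImpl = globalThis.fetch, now = () => Date.now() }) {
  let cached = null; // { accessToken, expiresAt } with expiresAt in ms since epoch
  const refreshMarginMs = 60 * 1000;

  async function getAccessToken() {
    if (cached && cached.expiresAt - refreshMarginMs > now()) {
      return cached;
    }
    const { url, options } = buildTokenRequest(clientId, clientSecret, scope);
    const res = await fetchImpl(url, options);
    if (!res.ok) {
      throw new Error(`token request failed: HTTP ${res.status}`);
    }
    const data = await res.json();
    cached = { accessToken: data.access_token, expiresAt: now() + data.expires_in * 1000 };
    return cached;
  }

  // The only thing the frontend receives: the token and its remaining lifetime.
  // client_secret is deliberately not part of this object.
  async function tokenResponseForBrowser() {
    const { accessToken, expiresAt } = await getAccessToken();
    return {
      access_token: accessToken,
      expires_in: Math.max(0, Math.floor((expiresAt - now()) / 1000)),
    };
  }

  return { getAccessToken, tokenResponseForBrowser };
}

// Hypothetical Express-style route handler (no framework imported, so the
// example stays self-contained). Served from the same origin as the WebGL page,
// the browser's call to it is not cross-origin, so CORS does not come into play.
// Register it behind the application's own login/session check; otherwise the
// endpoint mints Forge tokens for anyone who can reach it.
function tokenRouteHandler(broker) {
  return async (req, res) => {
    try {
      res.json(await broker.tokenResponseForBrowser());
    } catch (err) {
      // Do not echo the upstream error body; it may describe the credentials.
      res.status(502).json({ error: 'token unavailable' });
    }
  };
}

// Constructed stand-in for fetch so the example runs offline; it counts calls
// so the caching behaviour is visible.
function makeFakeFetch() {
  let calls = 0;
  const fakeFetch = async (url, options) => {
    calls += 1;
    const params = new URLSearchParams(options.body);
    if (params.get('grant_type') !== 'client_credentials' || !params.get('client_secret')) {
      return { ok: false, status: 401, json: async () => ({ developerMessage: 'bad credentials' }) };
    }
    return {
      ok: true,
      status: 200,
      json: async () => ({ access_token: `tok-${calls}`, token_type: 'Bearer', expires_in: 3599 }),
    };
  };
  fakeFetch.callCount = () => calls;
  return fakeFetch;
}
```

In the WebGL page the jQuery call then targets the application's own `/api/token`-style route instead of `developer.api.autodesk.com`, and the Unity side uses the returned `access_token` for the WebSocket session exactly as before. The two design points worth keeping when adapting this: the route must be gated by the application's own authentication, since it is effectively a token-minting service for the Forge app, and the browser response carries only the token and its lifetime, never the secret or the upstream error body.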