我已经实现了能够使用授权代码Grand类型通过授权过程获取OAuth访问令牌的应用程序。我已经成功将其与Google API服务配合使用,但与AutoDesk Forge API服务配合使用时遇到了问题。我怀疑OAuth AutoDesk与OAuth 2.0规范不能很好地确认。
我的应用程序发出以下HTTP POST请求:
POST /authentication/v1/gettoken HTTP/1.1
Host: developer.api.autodesk.com
Authorization: Basic czZCaGRSa3F0MzpnWdfmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=SplxlOBeZqqYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
在这里,我发送client_id和client_secret作为基本HTTP授权的用户名和密码。但是我得到一个错误:
{"developerMessage":"The required parameter(s) client_id,client_secret not present in the request","userMessage":"","errorCode":"AUTH-008","more info":"http://developer.api.autodesk.com/documentation/v1/errors/AUTH-008"}
但是,OAuth规范在第2.3.1章(https://tools.ietf.org/html/rfc6749#section-2.3.1)中说:
The authorization server MUST support the HTTP Basic
authentication scheme for authenticating clients that were issued a
client password.
您可以在第4.2.3章(https://tools.ietf.org/html/rfc6749#section-4.1.3)中看到服务器必须支持的这种请求的示例:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWdfmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=SplxlOBeZqqYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
AutoDesk希望根据其文档使用不同的内容:
curl -v 'https://developer.api.autodesk.com/authentication/v1/gettoken'
-X 'POST'
-H 'Content-Type: application/x-www-form-urlencoded'
-d '
client_id=obQDn8P0GanGFQha4ngKKVWcxwyvFAGE&
client_secret=eUruM8HRyc7BAQ1e&
grant_type=authorization_code&
code=wroM1vFA4E-Aj241-quh_LVjm7UldawnNgYEHQ8I&
redirect_uri=http://sampleapp.com/oauth/callback
'
(在这里,如您所见,AutoDesk希望client_id和client_secret包含在POST请求正文中。)这是服务器可以支持的另一种方式,如第2.3.1章(https://tools.ietf.org/html/rfc6749#section-2.3.1)所述: / p>
Alternatively,the authorization server MAY support including the
client credentials in the request-body
那么,我对AutoDesk Forge API服务是否仅支持可选方式,而显然不支持强制方式呢?