February 29, 2020

401 Unauthorized / 403 Forbidden

A developer ran into a 401 Unauthorized error (in the documentation described as Invalid authorization header) when going through the Extract Metadata From a Source File, so I went through it as well to test it, and ran into the exact same error by accident:

* upload completely sent off: 341 out of 341 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Access-Control-Allow-Origin: *
< Date: Sat, 29 Feb 2020 16:49:01 GMT
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< x-ads-app-identifier: platform-viewing-2020.01.01.97.5c80940-production
< x-ads-duration: 54 ms
< x-ads-startup-time: Thu Feb 27 13:06:33 UTC 2020
< x-ads-troubleshooting: The input urn is not authorized. Token Expired. Please refresh the token.
< Content-Length: 0
< Connection: keep-alive
< 
* Connection #0 to host developer.api.autodesk.com left intact

In my case it was because when copying the access token to the header, I accidentally placed an extra space after the "Bearer" string:

curl -X 'POST' -H 'Authorization: Bearer  eyJhbGciOiJIUzI1N...' -H 'Content-Type: application/json' ...

The "x-ads-troubleshooting: The input urn is not authorized. Token Expired. Please refresh the token." message was a bit misleading. ūü§®

Got the same error if I modified the access token string in any other way.

As a test, I also tried what happens if I did not have an access token with the right scopes - i.e. missing data:write or data:create when doing translation.

In that case the error was 403 Forbidden saying that the token does not have the privilege for the request: 

* upload completely sent off: 341 out of 341 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Content-Type: text/plain
< Date: Sat, 29 Feb 2020 16:59:28 GMT
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Content-Length: 51
< Connection: keep-alive
< 
* Connection #0 to host developer.api.autodesk.com left intact
Token does not have the privilege for this request.

By the way, here is a blog post on making sure you have the right scopes: Debug access rights issues from access token

I also tested what message I get if I remove from my Forge App the support for the Model Derivative API and then try to run a translation. That as well gives a 403 Forbidden, but the developerMessage returned is quite clear on what the problem is:

* upload completely sent off: 344 out of 344 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Unauthorized
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Headers: Content-Length,x-ads-ul-ctx-client-id,x-ads-ul-ctx-caller-span-id,Content-Range,Access-Control-Allow-Origin,Authorization,x-ads-test,x-ads-ul-ctx-oxygen-id,x-ads-acm-scopes,x-ads-ul-ctx-head-span-id,If-Match,x-ads-ul-ctx-source,Accept-Encoding,If-Modified-Since,x-ads-acm-namespace,Access-Control-Allow-Credentials,x-ads-acm-groups,Session-Id,Content-Encoding,x-ads-ul-ctx-scope,Range,Accept,x-ads-ul-ctx-workflow-id,x-requested-with,Expect,x-ads-acm-check-groups,If-None-Match,Content-Type,x-csrf-token,x-ads-force, x-ads-force-all
< Access-Control-Allow-Methods: POST,GET,OPTIONS,HEAD,PUT,DELETE,PATCH
< Access-Control-Allow-Origin: 
< Content-Type: application/json
< Date: Sat, 29 Feb 2020 17:47:03 GMT
< Content-Length: 204
< Connection: keep-alive
< 
* Connection #0 to host developer.api.autodesk.com left intact
{ "developerMessage":"The client_id specified does not have access to the api product", "moreInfo": "https://forge.autodesk.com/en/docs/oauth/v2/developers_guide/error_handling/", "errorCode": "AUTH-001"}

 

 

Related Posts