September 20, 2017

Security Recommendations for BIM 360 App Developers - Select account


Following up on the Security Recommendations for BIM 360 App Developers article, the question was how to implement secure provisioning in your app. This article focuses on the steps that allow an end user to securely select an account in your application. For this example, let's assume a workflow where your application needs BIM 360 Project-specific information, like start & end dates, construction or service type, or even the address. Your app will need to:

  1. Provision your app Forge Client ID with the BIM 360 Docs (just one time)
  2. Authorize user to obtain a 3-legged token (first time or refresh for returning users)
    1. Call Data Management GET Hubs
    2. Filter BIM 360 Docs hubs: those with an ID starting with b. or where hub.attributes.extension.type equals hubs:autodesk.bim360:Account. These are the accounts the user has access to; remove the prefix b. to obtain the account ID.
    3. Call Data Management GET Projects; these are the Projects the user has access to
  3. Authenticate a 2-legged token
    1. Use the HubID/AccountID obtained in step 2.2 and the ProjectId from step 2.3
    2. Call BIM 360 GET Project
    3. Read the information you need, like dates, types or address

As permissions may change, it's recommended NOT to store the HubID/AccountID or ProjectID for a given user. For instance, if a contractor finishes the job, the BIM 360 Account Admin may revoke their access; if your app always obtains the Hubs/Projects with the 3-legged token, it will be up to date. Your app can (and should) keep the refresh token for returning users.

This approach will ensure your app keeps data secure and private.
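
The selection check described above, as an added example in JavaScript (not code from the original article or from Autodesk): it filters a GET Hubs response down to BIM 360 accounts and accepts a user-picked account and project only if both appear in lists fetched just now with that user's 3-legged token. The getJson helper, the sample IDs and the sample responses are assumptions made for illustration; the two paths are the Data Management GET Hubs and GET Projects routes.

```javascript
// Added example, not Autodesk's code. SAMPLE responses are constructed.
const BIM360_HUB_TYPE = 'hubs:autodesk.bim360:Account';

// Step 2.2: keep only BIM 360 Docs hubs; the account ID is the hub ID without "b.".
function bim360Accounts(hubsResponse) {
  return (hubsResponse.data || [])
    .filter((hub) => String(hub.id).startsWith('b.') ||
      hub.attributes?.extension?.type === BIM360_HUB_TYPE)
    .map((hub) => ({ hubId: hub.id, accountId: String(hub.id).replace(/^b\./, '') }));
}

// Gate before step 3: re-derive what the user can reach right now from their
// 3-legged token, and only then accept the IDs the user picked. Nothing is
// read from app storage, so a user whose access was revoked fails here.
// getJson(path, token) is a hypothetical HTTP helper supplied by the caller.
async function authorizeSelection(getJson, userToken, accountId, projectId) {
  const hubs = await getJson('/project/v1/hubs', userToken);
  const account = bim360Accounts(hubs).find((a) => a.accountId === accountId);
  if (!account) throw new Error('account not accessible to this user');

  const path = `/project/v1/hubs/${encodeURIComponent(account.hubId)}/projects`;
  const projects = await getJson(path, userToken);
  const found = (projects.data || []).some((p) => p.id === projectId);
  if (!found) throw new Error('project not accessible to this user');

  // Safe to hand to the 2-legged BIM 360 GET Project call, for this request only.
  return { hubId: account.hubId, accountId, projectId };
}

// Constructed sample data: one BIM 360 hub, one non-BIM 360 hub, one project.
const SAMPLE = {
  '/project/v1/hubs': { data: [
    { id: 'b.acct-1111', attributes: { extension: { type: BIM360_HUB_TYPE } } },
    { id: 'a.team-2222', attributes: { extension: { type: 'hubs:autodesk.core:Hub' } } },
  ] },
  '/project/v1/hubs/b.acct-1111/projects': { data: [{ id: 'b.proj-aaaa' }] },
};
const sampleGetJson = async (path, _token) => SAMPLE[path];

authorizeSelection(sampleGetJson, 'user-token', 'acct-1111', 'b.proj-aaaa')
  .then((sel) => console.log('allowed', sel));
authorizeSelection(sampleGetJson, 'user-token', 'acct-9999', 'b.proj-aaaa')
  .catch((err) => console.log('denied:', err.message));
```

The project ID passed in is compared exactly as GET Projects returns it, so the caller forwards the ID the user picked from that list rather than one taken from a database or an earlier session.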
