Closed ClaysonIO closed 1 year ago
Thanks for your PR!
One thing: their documentation explicitly mentions that for v2 token requests, the client credentials must now be sent as part of the Authorization
header (aka client_secret_basic
), which also seems to be confirmed by the fact their OIDC discovery document doesn't list client_secret_post
as a supported client authentication method: https://developer.api.autodesk.com/.well-known/openid-configuration
Did you have a chance to test against the real implementation? Are we sure client_secret_post
still works?
I forgot we already had a PR open to update the Autodesk, sorry. Feel free to join the discussion: https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers/pull/764.
Are we sure
client_secret_post
still works?
For the record, I just gave it a try and it indeed doesn't work: client_secret_post
is no longer supported:
{
"error": "invalid_credentials",
"error_description": "The client credentials are invalid."
}
I see you work for Autodesk as a Senior Technical Consultant ; do you happen to know why this change was made?
Autodesk is deprecating their v1 Auth API endpoints, per the following blog post: https://aps.autodesk.com/blog/authentication-v2-and-deprecation-v1
This PR updates the URLs, and adjusts the claims to match the new userInfo API response, per the following documentation links: