iTwin / itwinjs-core

Monorepo for iTwin.js Library
https://www.itwinjs.org
MIT License
600 stars, 210 forks

downloadBriefcase requires "imodels:modify" scope #5836

Closed beolson closed 1 year ago

beolson commented 1 year ago

Describe the bug I am trying to download a Briefcase, and I am trying to use the least permissive scope to do so. I found documentation that suggests the only permission needed is "Read IModel" - but it only works when I add imodels:modify to my scopes.

To Reproduce Steps to reproduce the behavior:

1 - acquire an accessToken

  // Client-credentials flow from @itwin/service-authorization; the token is requested with read-only scopes
  import { ServiceAuthorizationClient } from "@itwin/service-authorization";

  const oidcClient = new ServiceAuthorizationClient({
    clientId: clientId,
    clientSecret: clientSecret,
    scope: "itwins:read projects:read imodels:read insights:read",
  });

  const token = await oidcClient.getAccessToken();

2 - use token to download briefcase.

// BriefcaseManager lives in @itwin/core-backend; no briefcaseId is passed here, so the default download mode is used
import { BriefcaseManager } from "@itwin/core-backend";

const bc = await BriefcaseManager.downloadBriefcase({
  iTwinId: this.props.projectId,
  iModelId: this.props.iModelId,
  accessToken: token,
  //  asOf: IModelVersion.latest(),
  fileName: this.props.briefcaseFile,
});

3 - this fails for me. But will work if I add the "imodels:modify" scope in step 1.

Expected behavior Should be able to call the BriefcaseManager.downloadBriefcase method using a token with the "imodels:read" scope.

aruniverse commented 1 year ago

The documentation you are referring to is talking about RBAC not OIDC Scopes.

Looks like BriefcaseManager.downloadBriefcase attempts to download the briefcase in read/write mode which might explain why you need the imodels:modify scope

beolson commented 1 year ago

I assume that under the covers ITwinsJS is calling this: https://developer.bentley.com/apis/imodels-v2/operations/acquire-imodel-briefcase/ - and this does state that it requires the imodels:modify scope.

Is there a way to get a briefcase without a modify scope? I only intend to open it as a SnapshotDb - and would prefer my application not request a token with a modify scope

austeja-bentley commented 1 year ago

hello @beolson, BriefcaseManager.downloadBriefcase documentation mentions that read-only Briefcases have an id equal to a special value (which is equal to 0). Looking at the code it looks like if you supply that special value to the function it should not attempt to acquire a new Briefcase so the imodels:modify scope should not be needed. This test downloads a Briefcase with briefcaseId: BriefcaseIdValue.Unassigned.

Also depending on your use case you may want to look into NativeApp.requestDownloadBriefcase
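The thread's conclusion is that the scope a token needs depends on whether the call will acquire a briefcase server-side: a read-only download (briefcaseId equal to the special Unassigned value, 0) only needs imodels:read, while any other briefcaseId goes through the acquire endpoint and needs imodels:modify. The following added example (not itwinjs-core code, and not from either commenter) turns that into a least-privilege check a caller can run before invoking BriefcaseManager.downloadBriefcase: it builds the read-only argument set, derives the required scopes from it, and inspects the access token's scope claim so a missing scope is reported up front instead of as an API error. It assumes the token is a compact JWT with a space-separated "scope" claim; the sample token and the claim layout are constructed here for the example, the signature is not checked, and the helper names are hypothetical.

```typescript
// Added example, not part of itwinjs-core. Assumptions: BriefcaseIdValue.Unassigned is 0
// (as stated in the thread) and the access token is a JWT carrying a space-separated
// "scope" claim. Helper names below are hypothetical.

const BRIEFCASE_ID_UNASSIGNED = 0; // read-only briefcase: no acquire call is made server-side

interface DownloadArgs {
  iTwinId: string;
  iModelId: string;
  fileName: string;
  briefcaseId?: number;
}

/** Arguments for a read-only download, the case that should need only imodels:read. */
function readOnlyDownloadArgs(iTwinId: string, iModelId: string, fileName: string): DownloadArgs {
  return { iTwinId, iModelId, fileName, briefcaseId: BRIEFCASE_ID_UNASSIGNED };
}

/** Scopes the download needs, following the rule the thread describes. */
function requiredScopes(args: DownloadArgs): string[] {
  const scopes = ["itwins:read", "imodels:read"];
  // Anything other than the Unassigned id acquires a briefcase, which needs imodels:modify.
  if (args.briefcaseId !== BRIEFCASE_ID_UNASSIGNED) scopes.push("imodels:modify");
  return scopes;
}

// Minimal base64url codec (ASCII payloads only) so the example has no runtime dependencies.
const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

function b64urlEncode(s: string): string {
  let out = "", bits = 0, acc = 0;
  for (let i = 0; i < s.length; i++) {
    acc = (acc << 8) | (s.charCodeAt(i) & 0xff); bits += 8;
    while (bits >= 6) { bits -= 6; out += B64[(acc >> bits) & 63]; }
  }
  if (bits > 0) out += B64[(acc << (6 - bits)) & 63];
  return out;
}

function b64urlDecode(s: string): string {
  let out = "", bits = 0, acc = 0;
  for (const ch of s.replace(/=+$/, "")) {
    const v = B64.indexOf(ch === "+" ? "-" : ch === "/" ? "_" : ch);
    if (v < 0) throw new Error("bad base64url input");
    acc = (acc << 6) | v; bits += 6;
    if (bits >= 8) { bits -= 8; out += String.fromCharCode((acc >> bits) & 0xff); }
  }
  return out;
}

/** Scopes granted by a JWT's "scope" claim. Signature is NOT verified; this is a pre-flight check only. */
function tokenScopes(jwt: string): Set<string> {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  const payload = JSON.parse(b64urlDecode(parts[1]));
  const scope = typeof payload.scope === "string" ? payload.scope : "";
  return new Set(scope.split(" ").filter((s: string) => s.length > 0));
}

/** Scopes the download needs that the token does not carry; empty means the call can proceed. */
function missingScopes(jwt: string, args: DownloadArgs): string[] {
  const have = tokenScopes(jwt);
  return requiredScopes(args).filter((s) => !have.has(s));
}

// Constructed, unsigned sample token (alg "none") standing in for a real service token.
function makeUnsignedJwt(claims: object): string {
  const header = b64urlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  return `${header}.${b64urlEncode(JSON.stringify(claims))}.`;
}

const SAMPLE_READ_TOKEN = makeUnsignedJwt({ scope: "itwins:read imodels:read", exp: 1700000000 });

// Usage: check before calling BriefcaseManager.downloadBriefcase({ ...args, accessToken }).
const readOnly = readOnlyDownloadArgs("itwin-id", "imodel-id", "model.bim");
console.log("read-only missing:", missingScopes(SAMPLE_READ_TOKEN, readOnly));
const writable: DownloadArgs = { iTwinId: "itwin-id", iModelId: "imodel-id", fileName: "model.bim" };
console.log("writable missing:", missingScopes(SAMPLE_READ_TOKEN, writable));
```

The check is deliberately a pre-flight aid, not an authorization decision: the server still enforces scopes, and the token signature is not validated here. Its value is that a read-only token is never sent on a code path that will acquire a briefcase, so the application can keep imodels:modify out of its scope request entirely.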