Autodesk v2

[EMostafaAli]

Describe the bug

Autodesk published v2 for their OAuth infrastructure as shown here: https://aps.autodesk.com/en/docs/oauth/v2/reference/http/
I tried to update the provider in this tool here: https://github.com/EMostafaAli/AspNet.Security.OAuth.Providers/tree/autodesk_v2
It is a simple update, only changing the endpoints URL. However, when I tried to test I got the following error:
Exception: OAuth token endpoint failure: invalid_request;Description=The request is missing a required parameter 'code_verifier'.

I know for a fact that Autodesk application has PKCE set to false (for web apps) and as far as I know 'code_verifier' is related to PKCE.

Steps To reproduce

• Go to https://aps.autodesk.com and create a new application (Standard web server)
• Clone my fork found in the following link: https://github.com/EMostafaAli/AspNet.Security.OAuth.Providers/tree/autodesk_v2 (it is a fork from this repo with links updated to Autodesk v2)
• Create a new web app with the following code:

builder.Services.AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = "oidc";
    })
    .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddAutodesk("oidc", options =>
    {
        options.ClientId = "CLIENT_ID";
        options.ClientSecret = "CLIENT_SECRET";
        options.UsePkce = false;
        options.SaveTokens = true;
        options.Scope.Clear();
        options.Scope.Add("user-profile:read");
        options.Scope.Add("data:read");
    });

Expected behaviour

Authorization should work.

Actual behaviour

The authentication fails with the following:

System information

• OS: Windows 10
• .NET version
  .NET SDK:
  Version: 7.0.103
  Commit: 276c71d299

[martincostello]

I'm not sure this is really a bug as it's a major version upgrade to the Autodesk API.

If there's changes in it that need the provider to be changed to support it, then that's more of a feature request, IMHO.

Does it work if you set UsePkce to true? If it does, then that's the probably a hard requirement and needs to be turned on.

We already default it to true for a number of providers, such as for Xumm:

AspNet.Security.OAuth.Providers/src/AspNet.Security.OAuth.Xumm/XummAuthenticationOptions.cs

Line 27 in f8e1386

UsePkce = true;

[EMostafaAli]

Setting UsePkce = false gives a different error as in the image below. However, I know that Autodesk application has PKCE set to false. I will connect with Autodesk and keep you posted.

[EMostafaAli]

I figured this out. In the code exchange step, .NET sends client Id & secret in the message body as in the following link:
https://github.com/dotnet/aspnetcore/blob/bec278eabea54f63da15e10e654bdfa4168a2479/src/Security/Authentication/OAuth/src/OAuthHandler.cs#L190

From Autodesk's perspective, they expect client Id & secret to be submitted as a header if PKCE is off and client id in message body if PKCE is on as in the following link:
https://aps.autodesk.com/en/docs/oauth/v2/reference/http/gettoken-POST/#section-1-authorization-code-grant-type

I can fix this by overriding ExchangeCodeAsync method but before I do so, I would appreciate if I get a feedback about this approach (and possibly a better way to address this)

[martincostello]

This seems reasonable to me - we have a number of providers that override ExchangeCodeAsync() already.