Autodesk Forge - Client-ID's, Client-Secret, Company Account ID. Where to store?

Access data is required to communicate with the Forge platform.

• Company Account ID
• ClientID,
• Client Secret ID
• Application-Name

This posting describes how these very important and security-relevant data can be stored.

Claudius Peters - Forge Integration

​First of all, it is important to understand that a distinction needs to be made between a client application and a server application.

In the client application, here a Windows or CAD application, only the data provided by the server application is displayed in a dialog. All communications with the Forge Platform are done exclusively in the server application. This approach is very important from a security point of view, as all access data is NOT known to the client application.

The adjacent picture illustrates this procedure

All communications with the Forge Platform will be through a web service established in the company's own network environment.

 Storage of access data

• Client ID
• Client Secret ID
• Applikationsname
• Company​ Account ID

Within a class - hard coded -

public static class Credentials
{
    <add key="CP.Forge.ClientID" value="[Your Client ID]"/>   
    <add key="CP.Forge.ClientSecret" value="[Your Client Secret ID]"/>
    <add key="CP.Forge.CompanyAccountID" value="[Your Company Account ID]"/>   
    <add key="CP.Forge.AppName" value="[Your Applikation Name]"/>  
    <add key="CP.Forge.CallBackUrl" value="[Your Callback URL]"/>   
}
 

In a public static class, within the web service application, the data is stored.

This approach is not optimal, if not very safety-critical, because the data was hard-coded and thus visible.

So not recommended.

Defined within the web.config file

  <appSettings>
    <add key="CP.Forge.BaseURL" value="https://developer.api.autodesk.com"/>

    <add key="CP.Forge.Database.ServerName" value="[MS SQL-Server Name]"/>
    <add key="CP.Forge.Database.DataSource" value="[DataSource Name"/>
    
    <add key="CP.Forge.ClientID" value="[Your Client ID]"/>   
    <add key="CP.Forge.ClientSecret" value="[Your Client Secret ID]"/>
    <add key="CP.Forge.CompanyAccountID" value="[Your Company Account ID]"/>   
    <add key="CP.Forge.AppName" value="[Your Applikation Name]"/>  
    <add key="CP.Forge.CallBackUrl" value="[Your Callback URL]"/>  
    
  </appSettings> 

A secure way to store the access data for your Forge account is to put it in the Web.Config file. This can not be easily read, this requires an administrator access to your website file storage. This is usually password protected.

In your web service application, the following code can be used to read this data.

Still insecure to a degree.

string m_ClientID =
    System.Configuration.ConfigurationManager.AppSettings["CP.Forge.ClientID"].ToString();
 

Save the access data to a database

The access data can also be stored in a database table. If the application name is added as a column in this table, it can be filtered in the Web application and different access data can be used for several applications.

Since the access data to the database are also stored in the web.config file, it is possible to read them out to gain access to the database.

Verschlüsseln 

The access data can be encrypted using a method provided in .Net. The necessary key is called the webservice by the client. It is stored on the client side.

If the web server is hacked, it will be difficult to crack the credentials without this key.

However, if somebody chats out the key, it will not help either.

In the next posting on Forge Platform I would like to discuss the accesstoken and explain how it can be "saved".