Are REST endpoint secured with REST tokens and applications secured with OAuth?

DirkVandervoort · ‎04-27-2016

I've wallowed though probably all of Esri's online documentation regarding security and I am still not clear on this.

What I want to do is use REST to do query a secure feature service. this all happens in node.js In order to do this in need to obtain a token by passing a username/password to the token dispenser, then append the token to the URL I am using to make my REST call. I know I can do this.

What we don't like about this is that is uses a named user - which has, um, unpleasant issues I've discussed elsewhere on this forum.

I'm still trying to wrap my head around OAuth. I see that I can register an app with OAuth, which gives me a client_id and client_secret. I use those to obtain an access_token, which I can use to... well... I'm not exactly sure what I can use it for.

I do know that I ca not use it to fire queries at the feature service REST endpoint.

If it were a perfect world I'd have my feature layer secured in a manner in which I can create a security to it using a client_id and client_secret. Or did I miss something...? Can I access a feature service with REST using a client_id and client_secret and if so, then how?

So, my question is that, in general, and in the world of ArcGIS Server and Portal, REST endpoint are secured with REST tokens and registered apps are secured with OAuth and can be accessed with an access_token obtained with the client_id and client_secret, correct?

Just checkin...

RobertScheitlin__GISP · ‎04-29-2016

Dirk,

Have you looked at the JS API IdentityManager object?

IdentityManager | API Reference | ArcGIS API for JavaScript GetCredential

DirkVandervoort · ‎04-29-2016

Yes, I'm up to my elbows in the JSAPI IdentiyManager. See my unanswered question here: https://community.esri.com/thread/176132

It's still not clear to me. Thanks.