How can I use app authentication?

05-30-2018 02:14 PM
NathanMellor
Occasional Contributor

The documentation is incomplete on this subject. I'll explain what I mean.

Here:

Access the ArcGIS platform—ArcGIS Runtime SDK for Android | ArcGIS for Developers 

"Apps that target users who are unknown to the ArcGIS platform can authenticate with the platform on behalf of the user by using an app login."

Sounds good.

So I go here.

Implementing App Login | ArcGIS for Developers 

It shows how I can register an app and get a client_id and client_secret.

Now what do I do with them?

"Once you have registered your application and obtained a client_id and client_secret, you implement app login to obtain a token. The path to follow from here will depend on which SDK you choose to implement your app with."

"If you are implementing your app using one of the ArcGIS Runtime SDKs then continue with the authentication guide for your platform."

Sounds good, I'll pick Android.

That takes me back here to where I started:

Access the ArcGIS platform—ArcGIS Runtime SDK for Android | ArcGIS for Developers 

So I keep reading.:

"The ArcGIS Runtime SDK provides full support for access to secured ArcGIS Server, ArcGIS Online, or ArcGIS Enterprise resources using the following authorization methods:

  • ArcGIS Tokens: proprietary token-based authentication mechanism.
  • OAuth 2.0: secure delegated access to server resources.
  • Network credential: HTTP secured service / Integrated Windows Authentication (IWA).
  • Certificate: Public Key Infrastructure (PKI)."

So which of these authorization methods uses a client_id and client_secret?

"The types of Authentication Challenge include the following:

  • Username / password: Challenges needing username / password authentication.
  • OAuth: Challenges needing an OAuth authorization code.
  • Client Certificate: Challenges needing a client certificate to be provided.
  • Secure Sockets Layer (SSL) Handshake - Challenges needing a response to certain SslError errors, usually an untrusted host due to a self-signed certificate."

I still don't see anything about using a client_id and client_secret.

Are they a username/password?

Maybe this is all obvious to the rest of you, but not to me.

It would help to have a COMPLETE EXAMPLE.

9 Replies
EricBader
Occasional Contributor III

Yes, this looks confusing. Sorry about that. Thank you for bringing this to our attention!

We'll work on the doc to clarify this.

For Android, the AuthenticationManager | arcgis-android API reference explains better how to use the client_id. Look under the "Manage a set of OAuthConfigurations" section. (You don't have to worry about client_secret.)

Manage a set of OAuthConfigurations

If your app will connect to OAuth secured resources, and you have set an instance of the DefaultAuthenticationChallengeHandler onto the AuthenticationManager, then add an OAuthConfiguration for a specific client ID and portal by calling addOAuthConfiguration(OAuthConfiguration).

EricBader
Occasional Contributor III

Also, check out this DevLab: Access private layers | ArcGIS for Developers 

NathanMellor
Occasional Contributor

Still trying to understand, not sure if I am asking the right questions.

I run the sample and it gives me this screen.

Which is - perhaps I wasn't clear - exactly what I wish to avoid. 

"Apps that target users who are unknown to the ArcGIS platform can authenticate with the platform on behalf of the user by using an app login."

So if my app can target users who are unknown to the ArcGIS platform, why would I ask those users to login with an ArcGISOnline account that they probably don't have?

This question came up because I was using the OnDemand workflow and it failed with some vague error about missing a token. This token is never mentioned in the documentation, but I assume it is some authentication that it needs.

Create an offline map—ArcGIS Runtime SDK for Android | ArcGIS for Developers 

If I add an authentication manager, then it will prompt me for my arcgisonline credentials and then work.

This sample shows a nice screen, but nonetheless is still asking for ArcGIS Online credentials.

Ideally, I would not prompt the user at all, because by this time they have already signed in to my app and I have verified their status.

Note - I have tried to use preplanned workflow for this - it didn't seem to require authentication but it is broken - I have a case for that.

EricBader
Occasional Contributor III

Right. I apologize, Nathan. This example was not the correct one.

You are asking the right questions.

Let me try again and see if I can help.

You don't want your users to see the OAuth dialog. You want them to access the things they need to without being asked to log in again.

Correct?

So in your app, you authenticate on their behalf, unseen to the user...using your named user credentials.

Correct?

This is all ok. As long as those services that your users ("unknown to the ArcGIS Platform") are accessing are not "private" services (need authentication). App Logins cannot be used for accessing protected/private services that need organizational Named User authentication.

You may ask..."What? If everything is supposed to be public in app login scenarios, why use app logins at all?"

Because you, as the app developer, may be paying for credit-burning services that are public. For example, the World Geocoding Service. These are public, but require a token, and they burn credits that need to be paid for. You, as the developer of the app, want to foot the bill for these services and therefore login via the app to use the credits and access the tokens on the user's behalf.

Does this make sense?

Let me know.

Eric

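The app login Eric describes (a client_credentials request to the ArcGIS REST token endpoint, used for public but credit-consuming services such as geocoding) as an added example; this is not code from the thread or from Esri. It assumes the token is fetched by your own backend, which holds the client_secret, and `fetch` is a hypothetical injectable HTTP callback so the sample runs offline against constructed responses.

```python
"""App login (client_credentials) against the ArcGIS REST API, server side."""
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Real endpoint; the secret travels only in the form body over TLS, never in the app.
TOKEN_URL = "https://www.arcgis.com/sharing/rest/oauth2/token"


def build_token_request(client_id: str, client_secret: str) -> Request:
    """Build the POST that exchanges client_id/client_secret for an app token."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "f": "json",
    }).encode()
    return Request(TOKEN_URL, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(raw: str, now: float) -> dict:
    """ArcGIS reports OAuth failures inside the JSON body, so check 'error', not just HTTP status."""
    doc = json.loads(raw)
    if "error" in doc:
        err = doc["error"]
        raise ValueError(f"app login failed: {err.get('error')}: {err.get('error_description')}")
    return {"token": doc["access_token"], "expires_at": now + int(doc["expires_in"])}


class AppTokenCache:
    """Hands out one app-login token per process and refreshes it shortly before expiry."""
    REFRESH_MARGIN = 60  # seconds before expiry at which a fresh token is requested

    def __init__(self, client_id, client_secret, fetch=None, clock=time.time):
        self._client_id, self._client_secret = client_id, client_secret
        # fetch(Request) -> response body; default performs the real HTTPS call
        self._fetch = fetch or (lambda req: urlopen(req).read().decode())
        self._clock, self._current = clock, None

    def token(self) -> str:
        now = self._clock()
        if self._current is None or now >= self._current["expires_at"] - self.REFRESH_MARGIN:
            raw = self._fetch(build_token_request(self._client_id, self._client_secret))
            self._current = parse_token_response(raw, now)
        return self._current["token"]


if __name__ == "__main__":
    # Constructed responses in the shape the endpoint returns; no network is used here.
    fake = lambda req: '{"access_token":"CONSTRUCTED_TOKEN","expires_in":7200}'
    print(AppTokenCache("PLACEHOLDER_CLIENT_ID", "PLACEHOLDER_SECRET", fetch=fake).token())
```

The backend then passes only the short-lived access token to the client, so the long-lived client_secret never ships with the app.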
NathanMellor
Occasional Contributor

Perhaps.

Let's say I create a Level 1 named user in my organizational account.

Let's call him GeorgeJetson.

So in order to avoid prompting the user, I would create my own implementation of AuthenticationHandler. 

When this AuthenticationHandler receives an AuthenticationChallenge it will return an AuthenticationChallengeResponse.

The AuthenticationChallengeResponse will have the

AuthenticationChallengeResponse.Action CONTINUE_WITH_CREDENTIAL 

And an object that is a UserCredential with GeorgeJetson as the user and GeorgeJetsonsPassword as the password.

UserCredential| arcgis-android 

So something like

import com.esri.arcgisruntime.security.AuthenticationChallenge;
import com.esri.arcgisruntime.security.AuthenticationChallengeHandler;
import com.esri.arcgisruntime.security.AuthenticationChallengeResponse;
import com.esri.arcgisruntime.security.UserCredential;

class EasyAuthenticationHandler implements AuthenticationChallengeHandler
{
   // Credentials compiled into the app ship inside the APK with it.
   final String USERNAME = "GeorgeJetson";
   final String USERPASSWORD = " ..... ";

   @Override
   public AuthenticationChallengeResponse handleChallenge(AuthenticationChallenge challenge)
   {
      if (challenge.getType() == AuthenticationChallenge.Type.USER_CREDENTIAL_CHALLENGE)
      {
           // Answer the challenge with the shared named-user credential.
           return new AuthenticationChallengeResponse(
               AuthenticationChallengeResponse.Action.CONTINUE_WITH_CREDENTIAL,
               new UserCredential(USERNAME, USERPASSWORD));
      }
      else
      {
          // Other challenge types (OAuth, certificate, SSL) are not handled here.
          throw new UnsupportedOperationException("Unhandled challenge: " + challenge.getType());
      }
   }
}

Then all of the people using the app would have access to all resources that have been shared with my organization. And this would work if 1000 users are logged in as GeorgeJetson at the same time?

And if one of my competitor's apps tried to access the same resources, they could stick it in their eye because they don't know GeorgeJetson's password.

Am I correct?

EricBader
Occasional Contributor III

class EasyAuthenticationHandler implements Authentication Handler
{
   final string USERNAME = "GeorgeJetson";
   final string USERPASSWORD = " ..... ";

As long as GeorgeJetson is not allowing the app to present PRIVATE resources (requiring token authentication) to any of the app's end users.

Then all of the people using the app would have access to all resources that have been shared with my organization. And this would work if 1000 users are logged in as GeorgeJetson at the same time?

No. With App Login, you can only share PUBLIC information shared with Everyone (well, technically, you CAN give access to your organization's private data....the software will not prevent this.... But that violates the ArcGIS Online terms of use). If your app shares any PRIVATE services, you would have to show the authentication dialog. Bottom line is, the "App Login" approach cannot be used to give access to things that end users would normally need a Named User subscription for. 

See what I mean?

NathanMellor
Occasional Contributor

So I do need to give competitors' apps full access to my hard-earned resources. Although I guess I could create terms of use that they owe me $1000 per month for unauthorized use.

OR

I need to get all my users an ArcGISOnline account. Could that be done in an automated fashion? If it requires a Named User account, I don't think that is practical. This is a consumer, not enterprise app.

OR

I would need to set up my own ArcGIS Server in the cloud.

Am I right?

EricBader
Occasional Contributor III

Hi Nathan,

Yeah, I don't think App Logins is the answer for your use case. In your scenario, the users of your system need to have Named User accounts, it sounds like.

NicholasSadowy
New Contributor II

I too am going down this exact same rabbit hole. We have our own Enterprise server, and a .NET web application that I would like to allow access to protected content (specifically a tile service). To make things more interesting, our web application currently uses a Google map (JavaScript API) to display our information. If I share the content to everyone, I can display it on the Google map. I also do NOT want our users to have to log in to our enterprise server. I don't mind creating a named user for our application that has access to the content. I agree, the documentation is severely lacking when it comes to practical examples of user logins, tokens, using proxies and anything else useful for creating a working application that doesn't fit into the very tight confines of Esri's idea of what an application should look like.