Unable to get OAuth to work for portal in QML

08-15-2018 08:31 AM
JeremyRoberts2
New Contributor III

Hello. I have an internally hosted portal and a very basic sample app wherein I am attempting to load a Portal object using OAuth.  I do not want to prompt my user for credentials so I was attempting to do an app logon.  Unfortunately no matter what I do, when I implement the AuthenticationView and check the authentication challenge type it keeps coming back as username/password.  I have gone into the portal and added an "Application" under my account to generate the ID and secret.  I also set that application as public to everyone.  Please help!

Here is my sample code...


import QtQuick 2.6
import QtQuick.Controls 1.4
import Esri.ArcGISRuntime 100.2
import Esri.ArcGISRuntime.Toolkit.Dialogs 100.2
import Esri.ArcGISExtras 1.1

ApplicationWindow {
    id: appWindow
    width: 800
    height: 600
    title: "OAuthTest"
    // add a mapView component
    MapView {
        anchors.fill: parent
        // set focus to enable keyboard navigation
        focus: true
        // add a map to the mapview
        Map {
            // add the BasemapTopographic basemap to the map
            BasemapTopographic {}
        }
    }
    Portal {
        id: onlinePortal
        url: "http://server.company.com/arcgisportal"
        credential: Credential {
            oAuthClientInfo: OAuthClientInfo {
                oAuthMode: Enums.OAuthModeApp
                clientId: "hiddenForForum"
                clientSecret: "hiddenForForum"
            }
        }
        Component.onCompleted: {
            load();
        }
    }
    AuthenticationView {
        anchors.fill: parent
        authenticationManager: AuthenticationManager // set the authenticationManager property
        onAuthChallengeChanged: {
            switch (authChallenge.authenticationChallengeType){
            case Enums.AuthenticationChallengeTypeClientCertificate:
                console.log("we have certificate");
                break;
            case Enums.AuthenticationChallengeTypeSslHandshake:
                console.log("we have handshake");
                break;
            case Enums.AuthenticationChallengeTypeOAuth:
                console.log("we have oauth");
                authChallenge.continueWithOAuthAuthorizationCode(oauthCodeString);
                break;
            case Enums.AuthenticationChallengeTypeUsernamePassword:
                console.log("we have UsernamePassword");
                break;
            default:
                console.log("auth challenge type not recognized");
                break;
            }
        }
    }
}
0 Kudos
9 Replies
JeremyRoberts2
New Contributor III

By the way, it works fine when hard coding my own credentials into a Credential object. It just doesn't work when I use the OAuthClientInfo.

This works fine...

Credential {
        id: portalCredential
        username: "my personal username"
        password: "my personal password"
    }
0 Kudos
JeremyRoberts2
New Contributor III

Does OAuth not work with IWA?

0 Kudos
LucasDanzinger
Esri Frequent Contributor

If you are using OAuth app login, then I don't think you will need to use the AuthenticationView at all - the AuthenticationView is meant to be used for displaying a UI to the user to login. If you take your original code and delete all of the AuthenticationView code, does it work?

0 Kudos
JeremyRoberts2
New Contributor III

Hi Lucas, thanks for the reply. No sir, it does not work. I commented out the entire AuthenticationView class.

I get back in the onLoadStatusChanged signal a LoadStatusFailedToLoad and in the onLoadErrorChanged signal...
"Authentication required"

"Invalid credentials specified"

On the internally hosted portal I have registered an "Application" and it has the App ID and App Secret set in the clientId and clientSecret params of the OAuthClientInfo class. So...I'm baffled. I will say this portal has IWA turned on and I am attempting this from a Macbook. So I'm just wondering if when IWA is on, there is no way around providing Windows credentials.

0 Kudos
JeremyRoberts2
New Contributor III

I had my colleague turn off IWA on that portal machine this morning and OAuth works perfectly.

0 Kudos
TaimoorKhan
New Contributor II

When you open the application, are you prompted to log in using the portal credentials?

0 Kudos
JeremyRoberts2
New Contributor III

With IWA turned on, OAuth in place, and AuthenticationView in place, yes it did prompt me.  I had assumed putting the OAuth in place would negate the need for the AuthenticationView prompt but I guess not.

Per Lucas's suggestion, removing the AuthenticationView code (but leaving OAuth) removed the prompt, but still I would get an authentication error.

Finally with IWA turned off on the server, and OAuth in place on the client, it successfully authenticates.

0 Kudos
LucasDanzinger
Esri Frequent Contributor

I reached out to a co-worker who specializes in Portal/Security/Authorization, and they confirmed this is expected. IWA is a form of web tier authentication, and OAuth app logins will not work unless the user is also authenticated with the web tier authentication.

What is the use case for what you are trying to achieve? Is your Portal configured with IWA for authorization, but you now want to make a public app that uses app login?

0 Kudos
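An added example, not written by anyone in this thread and not Esri code: a small JavaScript helper that classifies the response to an app-login token request, so a web-tier IWA challenge can be told apart from a portal-tier OAuth error. The response shapes, field names and sample values are constructed assumptions.

```javascript
// Added example: classify the HTTP response to an OAuth app-login token
// request. Every sample response below is constructed, not captured.

// Extract auth scheme names from one or more WWW-Authenticate values.
function challengeSchemes(values) {
  const list = Array.isArray(values) ? values : values ? [values] : [];
  const schemes = new Set();
  for (const raw of list) {
    const v = raw.replace(/"[^"]*"/g, '""'); // quoted params may hold commas
    const re = /(?:^|,)\s*([A-Za-z][\w-]*)(?=\s|,|$)(?!\s*=)/g;
    for (const m of v.matchAll(re)) schemes.add(m[1].toLowerCase());
  }
  return [...schemes];
}

function classifyTokenResponse({ status, headers = {}, body = "" }) {
  const schemes = challengeSchemes(headers["www-authenticate"]);
  if (status === 401 && schemes.length > 0) {
    // The web server rejected the request before the portal's OAuth
    // endpoint ever evaluated the client id and secret.
    const iwa = schemes.some((s) => s === "negotiate" || s === "ntlm");
    return { tier: "web", iwa, detail: schemes.join(",") };
  }
  let json;
  try { json = JSON.parse(body) || {}; } catch { json = {}; }
  if (json.access_token) return { tier: "ok", iwa: false, detail: "token issued" };
  if (json.error) {
    const e = json.error; // assumed shape: {"error": {"code", "message"}}
    return { tier: "portal", iwa: false, detail: String(e.message || e.error || e) };
  }
  return { tier: "unknown", iwa: false, detail: `HTTP ${status}` };
}

// Constructed samples: IWA enabled, wrong secret, and a successful login.
const samples = {
  iwaOn: { status: 401, headers: { "www-authenticate": ["Negotiate", "NTLM"] } },
  badSecret: { status: 200, body: '{"error":{"code":400,"message":"Invalid client_secret"}}' },
  ok: { status: 200, body: '{"access_token":"constructed-token","expires_in":7200}' },
};
for (const [name, res] of Object.entries(samples)) {
  console.log(name, classifyTokenResponse(res));
}
```

A `tier: "web"` result with `iwa: true` corresponds to the situation in this thread: the client id and secret are never checked because the request stops at the web tier.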
JeremyRoberts2
New Contributor III

In this case...we are going to serve up files on portal to be downloaded within a runtime application. Our portal of course is secured. To access it we do not want our users to have to have named user accounts on the portal. They should be able to authenticate into our runtime app (via a different authorization mechanism required by my company) and once they do, be able to access the downloads from portal. This then made sense to implement OAuth as an app login to portal.

Unfortunately at my company, we have always used IWA on all our portals. This usually works well because we all have Windows PCs but as soon as we started testing on Macbooks and iPads, of course we ran into problems. We just didn't realize that even though you might have OAuth set up on the portal and in your runtime app, if IWA is turned on, OAuth is not enough to give you access.

All is good now. IWA is turned off. We will leave it so for these portals facilitating this workflow.

Thanks for the help!

0 Kudos