https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/security-model-approaches/m-p/141676#M13181 <HTML><HEAD></HEAD><BODY><P>We have implemented the security model as originally proposed.&nbsp; Use of cookies prompted some additional concerns and I was able to justify token as a url parameter by demonstrating that the service account associated with generating the token is only valid for that single feature service, which&nbsp;cannot be used on other editable feature services and&nbsp;comes with a 30min expiration.</P><P></P><P>1. Have application "A" request a token from the AGS site that the secured feature service is published to using a service account we have designated.</P><P>2. When the user opens application "B", application "A" will include that token as a url parameter and I have some JavaScript in application "B" that can&nbsp;grab&nbsp;the token and&nbsp;then append it to any requests against that secured feature service.</P></BODY></HTML> Fri, 15 Feb 2019 16:21:00 GMT JamesCrandall 2019-02-15T16:21:00Z https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/security-model-approaches/m-p/141674#M13179 <HTML><HEAD></HEAD><BODY><P>I'm attempting to solve a design problem with one of our ESRI JavaScript (WAB) applications.</P><P></P><P>Scenario: Web application "A" (non-ESRI) is a business system that opens web application "B" (an ESRI JavaScript app) that is publicly accessible but contains a secured feature service for editing.&nbsp; Users are authenticated into Web app "A" and we do not want additional challenge for credentials when application "B" is launched from a button within application "A".</P><P></P><P>So far the most logical design I've come up with is:</P><P></P><P>1. Have application "A" request a token from the AGS site that the secured feature service is published to using a service account we have designated.</P><P>2. When the user opens application "B", application "A" will include that token as a url parameter and I have some JavaScript in application "B" that can&nbsp;grab&nbsp;the token and&nbsp;then append it to any requests against that secured feature service.</P><P></P><P>While this will eliminate any second challenge for credentials, having the token in the url is not all that desired from our security team.</P><P></P><P>Any ideas on alternatives?</P><P><BR />Thanks!</P></BODY></HTML> Tue, 29 Jan 2019 17:06:39 GMT https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/security-model-approaches/m-p/141674#M13179 JamesCrandall 2019-01-29T17:06:39Z https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/security-model-approaches/m-p/141675#M13180 <HTML><HEAD></HEAD><BODY><P>One alternative to&nbsp;passing the&nbsp;token in the url&nbsp;that I have prototyped but would like comments on:</P><P></P><P>1. Have application "A" request a token from the AGS site that the secured feature service is published to using a service account we have designated.</P><P>2. Have application "A" save the token as a cookie in local storage on the client.</P><P>3. When the user opens application "B",&nbsp;that cookie&nbsp;is located and the token value acquired from it within&nbsp;application "B" startup: function(){} then append it to any requests against that secured feature service as needed.</P></BODY></HTML> Tue, 29 Jan 2019 20:17:18 GMT https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/security-model-approaches/m-p/141675#M13180 JamesCrandall 2019-01-29T20:17:18Z https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/security-model-approaches/m-p/141676#M13181 <HTML><HEAD></HEAD><BODY><P>We have implemented the security model as originally proposed.&nbsp; Use of cookies prompted some additional concerns and I was able to justify token as a url parameter by demonstrating that the service account associated with generating the token is only valid for that single feature service, which&nbsp;cannot be used on other editable feature services and&nbsp;comes with a 30min expiration.</P><P></P><P>1. Have application "A" request a token from the AGS site that the secured feature service is published to using a service account we have designated.</P><P>2. When the user opens application "B", application "A" will include that token as a url parameter and I have some JavaScript in application "B" that can&nbsp;grab&nbsp;the token and&nbsp;then append it to any requests against that secured feature service.</P></BODY></HTML> Fri, 15 Feb 2019 16:21:00 GMT https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/security-model-approaches/m-p/141676#M13181 JamesCrandall 2019-02-15T16:21:00Z