topic Re: How to launch login straight to external OAuth identity provider in ArcGIS JavaScript Maps SDK Questions

How to launch login straight to external OAuth identity provider

Anonymous User — Thu, 21 Jun 2018 04:00:37 GMT

Hi all.

This question relates to using OAuth with ArcGIS Online.

The standard workflow using OAuth as I understand it is:

Attempt to hit the AGOL url (e.g. https://myagol.maps.arcgis.com/sharing/rest/oauth2/authorize?client_id=12345678912&response_type=code&redirect_uri=urn:ietf:wg:oauth:2.0:oob ).
AGOL will display a page with a button to click – click this and it redirects you off to the external identity provider for authentication and displays an external login page.
Enter username and password and click login.
Login occurs and user is redirected back with a OAuth refresh token etc.

My question is, how do you skip the first step? I want an application to jump straight to displaying the external login page.

I can't seem to figure out how to trigger the OAuth workflow without the user first seeing the AGOL page and manually clicking the button to launch the external login page.

cheers,

-Paul

Re: How to launch login straight to external OAuth identity provider

KellyGerrow — Thu, 21 Jun 2018 22:03:51 GMT

HI Paul,

Are you looking to use an oAuth login with Enterprise logins in ArcGIS Online or built-in ArcGIS Online usernames?

ArcGIS Security and Authentication | ArcGIS for Developers

If this is for a custom application, which API or SDK are you using?

-KElly

Re: How to launch login straight to external OAuth identity provider

Anonymous User — Thu, 21 Jun 2018 22:22:42 GMT

Using enterprise logins.

Using JavaScript api for web development and AppStudio (Qt SDK) for mobile development.

Cheers

Paul

Sent from my iPhone

Re: How to launch login straight to external OAuth identity provider

ReneRubalcava — Sun, 12 Dec 2021 06:34:03 GMT

Check out this OAuth sample we have in the JSAPI SDK.

Access ArcGIS Online items using OAuthentication | ArcGIS API for JavaScript 4.7

What you can do is as soon as the application starts do something like this.

esriId.checkSignInStatus(info.portalUrl + "/sharing").then(
  function() {
    esriId.getCredential(info.portalUrl + "/sharing");
  }
).catch(/*give user an option to sign in*/);‍‍‍‍‍‍‍‍‍‍

There's also a DevLab that is very similar.

Access private layers | ArcGIS for Developers

In both cases they do the above on a link click, but you can skip that and do it immediately.

For more details, you can check out the doc for IdentityManager

IdentityManager | API Reference | ArcGIS API for JavaScript 4.7

and Portal

Portal | API Reference | ArcGIS API for JavaScript 4.7

Re: How to launch login straight to external OAuth identity provider

Anonymous User — Wed, 27 Jun 2018 13:50:02 GMT

Hi Rene

Thanks for the reply. I took a look at that sample, but it demonstrates exactly what I'm trying to avoid.

In that sample, you click the 'Sign In' link, then a page pops up asking the user to grant permission for the app to access their account. It is this page that I am trying to skip, and go directly to the external enterprise login page. There is no other option for the user other than granting permission and so I want to avoid this page altogether.

I realise that the asking to grant permission is part of the standard OAuth authorization workflow, so I'm looking for an alternative workflow that still ends up with us having an OAuth refresh token and access token that we can pass to the appropriate Identity Manager in the SDKs.

If anything, I suspect it might be something to do with using a different grant type, but this is what I'm not sure about.

Any further tips?

cheers,

-Paul

Re: How to launch login straight to external OAuth identity provider

Anonymous User — Thu, 28 Jun 2018 01:34:05 GMT

The links below might help. What I'm trying to achieve is probably what's described in those articles as 'Identity Provider Initiated Logins'. If anyone can provide more information on how to set up this workflow please let me know. The documentation talks about setting up federation between ArcGIS Online and certain IDP, but don't go into any particular detail about how to initiate an identity provider login, everything seems to relate to SP initiated logins.

http://proceedings.esri.com/library/userconf/proc16/tech-workshops/tw_314-220.pdf

Set up enterprise logins—ArcGIS Online Help | ArcGIS

Re: How to launch login straight to external OAuth identity provider

NicolasGIS — Tue, 09 Jul 2019 08:09:36 GMT

Hello,

I know Oauth2 is an authorization protocol meaning that you have to ask permission to the user to allow an application (eg: WebMap app) to access information about that user hosted on a plateform (eg: ArcGIS Enterprise).

But as an organization hosting and securing data on an ArcGIS Enterprise, I think it would make sense to be able to register "official" applications that would be allowed to skip the authorization form.

If Google asked you to grant permission to Google every time you logged in to gmail it would be pretty confusing. Allowing first party clients to skip the authorization prompt is supported by the majority of OAuth servers: Auth0, Otka, Doorkeeper, Django OAuth Toolkit, IdentityServer, Keycloak, Ory Hydra, and others.

As our ArcGIS Enterprise is configured with our SAML identity provider, the authorization form is preventing an SSO experience within the organization and is confusing for the end user which has no idea that behind the scene there is an ArcGIS Enterprise.

So far I don't think it is doable, isn't it ? Do you think an ArcGIS Idea should be created ? It is something you would consider ?

Thanks,

Nicolas

Re: How to launch login straight to external OAuth identity provider

NicolasGIS — Tue, 23 Jul 2019 09:06:27 GMT

I just created an idea:

https://community.esri.com/ideas/17012-arcgis-enterprise-oauth2-skip-authorization-form

Re: How to launch login straight to external OAuth identity provider

NicolasGIS — Fri, 09 Aug 2019 11:50:59 GMT

Kelly Gerrow‌, any thought about this request ?

I created an Idea but did not get any feedback so I was wondering if I missed anything ?

I believe this is something that would ask many organization but maybe I am mistaken.

Thanks !

Re: How to launch login straight to external OAuth identity provider

AlecPatrizio1 — Fri, 10 Jan 2020 05:50:06 GMT

Any update on this? I'm running into this exact same issue and cannot find any documentation or examples anywhere that explain how to achieve this. I'm beginning to think this isn't possible. My scenario:

A front-end client app using Azure AD Authentication.

A back-end custom API using Azure AD Authentication.

An ArcGIS Enterprise site with Azure AD IDP and SSO configured.

The front-end client app has permissions for the back-end custom API app registration and the ArcGIS Enterprise app registration.

When I request an access token from Azure AD (using my client app id), and then register this token with the JSAPI IdentityManager, when calling portal.signIn(), i get a 'token is invalid' response. Not sure what I'm missing.

Using the Microsoft Authentication Library (MSAL) I can very easily manage OAuth flow between client-app and custom back-end API. I don't see why I cannot achieve the same flow with ArcGIS Enterprise, as it is also registered in Azure AD.

Any help or insight greatly appreciated!

Re: How to launch login straight to external OAuth identity provider

Ranga_Tolapi — Sun, 29 Nov 2020 17:41:24 GMT

Hi AlecPatrizio1

We are also facing an issue similar to yours (as given below). Can you please share if you have any updates. Thank you.

When I request an access token from Azure AD (using my client app id), and then register this token with the JSAPI IdentityManager, when calling portal.signIn(), i get a 'token is invalid' response. Not sure what I'm missing.

Re: How to launch login straight to external OAuth identity provider

MelvinSuratos — Fri, 18 Nov 2022 00:35:48 GMT

Any solution this? I'm in the same situation.