topic Re: OAuth App logins and sharing in ArcGIS Online Developers Questions

OAuth App logins and sharing

DominicStubbins — Mon, 12 Aug 2013 12:56:15 GMT

The documentation for App logins using OAuth states

Successful authentication directly returns a JSON response containing the access token that allows the application to work with resources that are accessible to the application (that is, have been shared with the application).

I'm not clear what "shared with the application" means? There does not appear to be an obvious mechanism to do this. My experimenting seems to show that to access data services they must be "owned" by the developer, which makes sense. Is this the case, and perhaps the doc needs updating or am I missing something (I see this behavior with both developer and the organisational plans)

thx

DS

Re: OAuth App logins and sharing

PatrickArlt1 — Mon, 12 Aug 2013 13:51:22 GMT

dstubbin,

I think this does need to be updated. Applications should be able to access anything the owner of that application can access.

Re: OAuth App logins and sharing

PatriceFREYDIERE — Thu, 22 Aug 2013 13:50:33 GMT

dstubbin,

I think this does need to be updated. Applications should be able to access anything the owner of that application can access.

Hello, i had a couple of tests regarding this assumption. It seems to be true for WebMaps, Services but not on group description.

when using an OAuth2 app login to get a group description, the REST API return an unauthorized access :

url : http://d8esrifrance.maps.arcgis.com/sharing/rest/community/groups/86cbe8647e904a958fb272f8cae3c86a?f=json&token=18_RWcGBeNPWStGH-YZNpqM06KR6XCsMXT8WSjWpB4qtMPdbJjY_xiPfVDJxJFY01b0FbJlOPZKdZSb2K_1GsxQXT4pOzDqBgyzNooci9q95rSTmtfnO6EvxHBWzIJtiMBThH-m-9mWEEw1_SjnSSg..

return :
{"error":{"code":403,"messageCode":"GWM_0003","message":"You do not have permissions to access this resource or perform this operation.","details":[]}}

it works fine when the token belongs to the app owner, generating the owner's token using generateToken, the same REST call succeed

bug ? or are there any limitations on permission using the app login thank's to OAuth2

Patrice

Re: OAuth App logins and sharing

SuneDue_Møller — Tue, 10 Sep 2013 18:30:14 GMT

As I understand it ArcGIS Online has two types of accounts: user accounts (username/password) and application accounts (appId/appSecret).

When you invite a customer into a group you are always granting permissions to a user account. There is no way to invite an application into a group (at least not through the web interface). This means that an Organization (A) user can see content from Organization (B), but an Organization (A) application cannot.

BTW: I hope esri will consider changing this. But the reason for not doing so might have something to do with the business model around AGOL.

- Sune