Access organisation portal content from application

06-29-2021 07:36 AM
PeterJohansson
New Contributor II

We have a small internal web application with a map component displaying specified zip codes in a feature layer. The application is used by users that have no ArcGIS account (and should not have).

We have an organisational ArcGIS portal where the zip code layers we are using are shared on an organizational level (meaning that they are considered as private content).

I have looked at the documentation and figured out that I can’t use Application Credentials (as it can’t access private content at all) or an API key (as this key only can access my private ArcGIS Developer content), according to documentation and https://community.esri.com/t5/arcgis-api-for-javascript/access-restricted-content-from-application/t... 

So I need an ArcGIS identity to be able to access the organizational shared feature layers on our portal.

I have found a solution where the app calls a backend service component/api for a token in line with the ‘Direct username password authentication’ documentation: https://developers.arcgis.com/documentation/mapping-apis-and-services/security/arcgis-identity/direc... 

The backend api uses my ArcGIS credentials (securely stored and protected) and the generateToken REST API with client=requestip, to generate and return a valid token back to the app.

The token is then passed on to the identityManager.registerToken method. Then the app can access and display the needed feature layers on our portal.

Users can not do anything with the feature layers in the app, only display filtered out zip codes.

Could anyone confirm that this is a valid setup (in line with 'Terms of usage') for displaying protected organizational content for users without access to ArcGIS and the best (only?) way to do it?

From my perspective it would be useful to use some kind of 'Service Account' instead, which can be used instead of my own personal ArcGIS account credentials. Or even better, to be able to use the API Key to access private content. 

Thanks in advance...

 

The code for initializing the map component where token is fetched and used:

export const initialize = async (container) => {
  const { userToken, error } = await fetchMapToken();
  // Stop before reading userToken: it is not usable when the token fetch failed.
  if (error) {
    throw new Error(`Failed to login to ArcGIS. Error: ${error.message}`);
  }

  const tokenObj = {
    server: 'https://www.arcgis.com/sharing/rest',
    token: `${userToken.token}`,
    ssl: true,
    expires: userToken.expires,
  };

  return new Promise((resolve, reject) => {
    map = new Map({
      basemap: 'arcgis-navigation',
    });

    view = new MapView({
      container,
      map,
    });

    // Register the backend-issued token so requests to the portal carry it.
    identityManager.registerToken(tokenObj);
    identityManager
      .checkSignInStatus(portalUrl)
      .then(async () => {
        await view.when(
          () => {
            view.extent = countryLevel;
          },
          (err) => reject(err)
        );
        // Resolve with a cleanup callback that detaches the view.
        resolve(() => {
          view.container = null;
        });
      })
      .catch((err) => {
        displayMessage('error', `Failed to sign in to ArcGIS. Error: ${err.message}`);
        reject(err);
      });
  });
};

  

Backend API code:

router.get('/userToken', authenticate, async (req, res) => {
  try {
    // Awaited inside the try block so a credential-store failure also gets a response.
    const { arcGisAccountUserId, arcGisAccountUserPassword } = await getUserCredentials();
    const urlencoded = new URLSearchParams();
    urlencoded.append('password', arcGisAccountUserPassword);
    urlencoded.append('username', arcGisAccountUserId);
    urlencoded.append('f', 'json');
    const requestOptions = {
      method: 'POST',
      body: urlencoded,
      headers: {
        'content-type': 'application/x-www-form-urlencoded',
      },
    };
    const endpoint = 'https://www.arcgis.com/sharing/rest/generateToken?client=requestip';

    const response = await fetch(endpoint, requestOptions);
    const json = await response.json();
    // Check for an error object in the body as well as the HTTP status.
    if (response.ok && json && !json.error) {
      return res.json(json);
    }
    return res.sendStatus(500);
  } catch (err) {
    return res.sendStatus(400);
  }
});

 

0 Kudos
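
An added example, not part of the original post or of Esri's code: a server-side helper for the backend token flow described in the question, which caches the token instead of sending the account password upstream on every request, asks for a short lifetime, and returns only the fields `registerToken` needs. It swaps `client=requestip` for `client=referer` to bind the token to the app's origin; `createTokenBroker`, `buildTokenRequest`, `appOrigin`, `fetchImpl` and the 15-minute lifetime are assumptions made for the example.

```javascript
// Added example: all names here (createTokenBroker, appOrigin, ...) are hypothetical.
const TOKEN_URL = 'https://www.arcgis.com/sharing/rest/generateToken';

// Build the generateToken POST. The password travels only in the request
// body, server to server, and never appears in a URL.
function buildTokenRequest({ username, password }, appOrigin, minutes) {
  const body = new URLSearchParams({
    username,
    password,
    client: 'referer',            // bind the token to the app's origin
    referer: appOrigin,
    expiration: String(minutes),  // requested lifetime in minutes
    f: 'json',
  });
  return {
    method: 'POST',
    body,
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
  };
}

// Returns getToken(): serves a cached token until shortly before expiry and
// collapses concurrent refreshes into a single upstream call.
function createTokenBroker({ getCredentials, fetchImpl, appOrigin, minutes = 15, now = Date.now }) {
  const skewMs = 60 * 1000; // refresh one minute before expiry
  let cached = null;
  let inflight = null;

  return function getToken() {
    if (cached && cached.expires - now() > skewMs) return Promise.resolve(cached);
    if (!inflight) {
      inflight = (async () => {
        const creds = await getCredentials();
        const res = await fetchImpl(TOKEN_URL, buildTokenRequest(creds, appOrigin, minutes));
        const json = await res.json();
        // Check json.error as well as the HTTP status, as the original route does.
        if (!res.ok || !json || json.error || !json.token) {
          throw new Error('generateToken failed');
        }
        // Keep only what the browser needs for registerToken.
        cached = { token: json.token, expires: json.expires };
        return cached;
      })().finally(() => { inflight = null; });
    }
    return inflight;
  };
}
```

In the Express route, `res.json(await getToken())` would replace the per-request call to `generateToken`.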

Accepted Solutions
TommyBramble
New Contributor III

While the method you described works, it is likely violating the Terms of Use of the ArcGIS Online account as you are embedding a single named user to access private content on behalf of other users.

https://www.arcgis.com/home/termsofuse.html

See section 2.5.b. Value-added Applications.

If you want anonymous users to access content, then the content needs to be publicly shared. Otherwise, Esri wants a (licensed) named user for each individual that is accessing the private content. This is how it's been explained to me directly from Esri customer reps.

That said, I would contact your Esri customer rep and get clarification directly from them regarding your account and application.

 

Edit:

The answer above is for organizations hosted by Esri on Arcgis.com. If you have the on-site install of ArcGIS Enterprise or ArcGIS Portal then you can use the method you described without violating the software license agreements from what I understand. But again, your Esri rep can confirm.

PeterJohansson
New Contributor II

Thank you for this clarifying answer @TommyBramble 

As our portal is hosted on Arcgis.com and we are still in development phase, I will contact our Esri customer representative and clarify this further to secure that we continue with a valid solution.

I guess there are other users besides me that would like to know if there is any valid solution where organizational shared content actually can be shared within the organization, without making the content public or forcing all our internally authenticated users of the app to also have an ArcGIS account.

 

0 Kudos
TommyBramble
New Contributor III

You're welcome. Yes, this question does come up a lot with my clients, and unfortunately the answer is not what anyone wants to hear.

However, I do understand the policy from Esri's perspective. They would be giving away their product for next to nothing if they allowed just one licensed user to serve unlimited private user data to other users.

The way it was described to me by the Esri rep was; you can buy Arcgis Online for a lower price (~ $5000) and add users as you need (anywhere from $50-500 per user license depending on license/role type) or you buy ArcGIS Server and can use that however you want.

One potentially positive feature of the Arcgis.com path though; it was explained to me that we could add/remove users as needed, as much as needed (infinitely). So, for our value-added apps we only need enough licenses for the simultaneous users, not for every app user in our system. Additionally, Esri exposes pretty much all the Arcgis.com management functions through the REST API so you can develop creative solutions to manage your active licenses (e.g. add and remove users as necessary to keep your licenses count at or under your simultaneous users count).

Also, like you mentioned in your first post; if you don't need each user to have their own private content, then the developer account might be enough.

Cheers,

JoeHershman
MVP Regular Contributor

ArcGIS Enterprise is still licensed based on user counts. You don't simply buy ArcGIS Enterprise and use it however you want. Installing ArcGIS Server without the portal piece would be a different story.