A key requirement is for our users to NOT have an ArcGIS account. I don't want to burden the user with extra credentials to ESRI, they already have an account for our CMS which is where I want them to do most of their work.
Another requirement is for layers on the map (stored in AGOL) to remain private, with access granted via tokens or some form of server generated temporary credentials that doesn't require a separate login from the user to access.
Ideally, I would like to be able to generate temporary credentials on the server side of my application that give time-limited access to certain resources, e.g. Feature Layers. This is how I work with services like AWS S3, where I only want to give short-term access to certain resources, without storing individual user accounts and permissions in AWS. This means my application has full access to my S3 content, and then the application is responsible for controlling what resources the user has access to, which is perfectly fine for me.
From browsing the documentation, it appears this isn't possible. Application Log-in seemed like the way forward initially; however, I'm unable to access private content this way, only public, which is not what I need.
Short of trying to sync my CMS user accounts with AGOL via their REST API, and then also sync permissions between my APP and AGOL (I want to control all access from my CMS as a central administration point), can anyone suggest how else I might achieve my requirements above in the ArcGIS ecosystem?
Esri's documentation clearly pushes users towards named user login for situations with non-public content: ArcGIS Security and Authentication | ArcGIS for Developers
Named user login vs. app login
Both authentication patterns are compared here and are based on token passing. To help you choose which authentication pattern best serves your needs, ask yourself the following questions and use the capabilities table in this section to determine which capabilities you want to include in your app.
- Are my users also ArcGIS Online users?
- Do I want my users to pay for Premium Content?
- Do I want my users to access non-public content?
- Do I want to show a login form?
If the answer is "Yes" to any of the above questions then it is recommended to implement named user login.
App login or named user login, it is mostly semantics, right? Whether username/password or client_id/client_secret, both are just challenge-response means to authenticate.