Application sharing and oAuth

04-25-2016 04:26 PM
KyleDunaway
New Contributor III


After I have registered an Application in My Content, using the AppID with the oAuth manager, I want to be able to limit the users that can authenticate to only members of a certain group.

So if I share the Application with only Group A, members of Group A should be the only ones that can sign in.

I have this set up in my organization, but oAuth is letting anyone with an ArcGIS Online account authenticate.

How do I restrict the users that can sign in?

0 Kudos
7 Replies
YueWu1
Esri Regular Contributor

Hi Kyle,

Have you tried creating groups to restrict people who are not in the group so that they can't view the web map or other items?

Create groups—ArcGIS Online Help | ArcGIS

So technically you need to use both OAuth and groups together to limit the members who can view the app.

Hope this can help.

KyleDunaway
New Contributor III

I have the application inside a group.  The application doesn't access any webmaps or items.

0 Kudos
YueWu1
Esri Regular Contributor

Hi Kyle,

Have you tried to share the application within your group? You can open your browser's developer tools to check what kind of response you receive when you run the application. Then we can troubleshoot the issue based on the error you get.

0 Kudos
KyleDunaway
New Contributor III

Yes, the application is shared within a group.

There is no error message.

The application is registered in ArcGIS Online, with an AppId.

I use that AppId within the oAuthInfo object.

var info = new OAuthInfo({
    appId: myAppId,
    popup: false
});

The problem is anyone with an ArcGIS Online account can sign in.  How do I limit it to only members of the Application group?

0 Kudos
YueWu1
Esri Regular Contributor

Hi Kyle,

Esri's OAuth is just for you to log in; it does not take care of permissions. The permission checking could be implemented inside your own client implementation of OAuth.

You can take a look at this online documentation:

What is OAuth 2.0? | ArcGIS for Developers

In other words, OAuth 2.0 is not an identity provider because OAuth 2.0 does not know anything about users. It is not an authorization protocol because OAuth 2.0 does not care about what you authenticate or your permissions model. OAuth 2.0 only cares about HOW credentials are requested and transmitted over the network.

0 Kudos
KyleDunaway
New Contributor III

Thank you Yue Wu.

So when you say the permission checking could be implemented inside your own client implementation of OAuth, I will have to check if the user that signed in is a part of the Group my application is shared in?

Checking user credentials.groups and comparing?

0 Kudos
YueWu1
Esri Regular Contributor

You're welcome

Yeah, I think you are right; you can use the ArcGIS REST API to check if the user belongs to a Group.

ArcGIS REST API - Group User
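
The membership check the thread settles on, as an added example that is not part of the original posts or Esri's own code: it reads the signed-in user's record from the portal's `community/self` REST resource using the OAuth token and fails closed unless the required group id appears in the `groups` list. The group id, function names and sample response are assumptions constructed for illustration.

```javascript
// Placeholder: replace with the id of the group the application is shared with.
const REQUIRED_GROUP_ID = "GROUP_A_ID_PLACEHOLDER";

// Constructed sample of a parsed community/self response (not real data).
const SAMPLE_SELF = {
  username: "example_user",
  groups: [{ id: "GROUP_A_ID_PLACEHOLDER", title: "Group A" }]
};

// Decide access from a parsed community/self response. Anything unexpected is a deny.
function authorize(selfJson, requiredGroupId) {
  // ArcGIS REST reports failures (e.g. an invalid token) as HTTP 200 with an "error" member.
  if (!selfJson || selfJson.error) {
    return { allowed: false, reason: "portal-error" };
  }
  if (typeof selfJson.username !== "string" || !Array.isArray(selfJson.groups)) {
    return { allowed: false, reason: "malformed-response" };
  }
  // Compare group ids, not titles: titles are not unique and can be changed.
  const member = selfJson.groups.some((g) => g && g.id === requiredGroupId);
  return member
    ? { allowed: true, user: selfJson.username }
    : { allowed: false, reason: "not-in-group", user: selfJson.username };
}

// Fetch the signed-in user's own record, then decide.
// The token is sent in a POST body so it does not end up in URLs, logs or history.
async function checkSignedInUser(portalUrl, token, requiredGroupId, fetchFn = fetch) {
  let json;
  try {
    const res = await fetchFn(`${portalUrl}/sharing/rest/community/self`, {
      method: "POST",
      body: new URLSearchParams({ f: "json", token })
    });
    json = await res.json();
  } catch (e) {
    return { allowed: false, reason: "request-failed" }; // fail closed
  }
  return authorize(json, requiredGroupId);
}
```

Because this check runs in the browser, it only controls what the app shows and can be bypassed by anyone who edits the client code. The items and services the app reads still need to be shared only with the group so that the portal enforces the restriction.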