Call REST API using OAuth Token issued by Azure AD

1882
8
03-15-2020 04:23 AM
TonyCollins
New Contributor III

Hi,

I have a ArcGISJavaScript API application that on-boot authenticates a user with Azure Active Directory.

Is there a way to use an AccessToken returned to access secured services on ArcGIS Enterprise that uses this Azure AD as it's IDP?


0 Kudos
8 Replies
BenElan
Esri Contributor

Have you configured your Enterprise with SAML? Here are instructions specific to Azure AD.

If so, the best way to do this is instead of your JS app authenticating with your Azure AD, you redirect it to your Portal sign in page which is set up with SAML. Your Portal then authenticates with your Azure AD, creates an ArcGIS Token, and then redirects back to your application with the token which allows you to access secured services.

To do this, you would need to set up an application in your portal to get an App ID. The code below would be used to authenticate

<!DOCTYPE html>
<html>

<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <meta name="viewport" content="initial-scale=1, maximum-scale=1,user-scalable=no" />
  <title></title>
  <link rel="stylesheet" href="https://js.arcgis.com/4.14/esri/themes/light/main.css" />
  <script src="https://js.arcgis.com/4.14/"></script>
  <style>
    html,
    body,
    #viewDiv {
      padding: 0;
      margin: 0;
      height: 100%;
      width: 100%;
    }
  </style>
  <script>
    require([
      "esri/identity/OAuthInfo",
      "esri/identity/IdentityManager",
    ], function (OAuthInfo, esriId) {

      var info = new OAuthInfo({
        appId: "APPID",
        portalUrl: "https://SERVERNAME/portal",
        popup: false
      });
      esriId.registerOAuthInfos([info]);
      esriId.getCredential(info.portalUrl + "/sharing");
      esriId.checkSignInStatus(info.portalUrl + "/sharing")
        .then(function (evt) {
          initMap();
        })
        .catch(function (err) {
          console.log(err);
        });

        function initMap() {
          // do stuff here
        }
    });
  </script>
</head>

<body>
  <div id="viewDiv"></div>
</body>

</html>‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍
0 Kudos
TonyCollins
New Contributor III

Hi Ben,

Yes Enterprise has been configured to use Azure AD, but the application needs to authenticate with Azure directly as there is another Azure hosted API that the application consumes. We do not want the client to have to log-in with the same account twice so I was hoping that ArcGIS Enterprise could work with a user that has already authenticated with Azure?

Kind Regards,

0 Kudos
BenElan
Esri Contributor

I haven't worked with Azure AD much, but when you set up your authentication with the method I mentioned above, it will also be authenticating with your IDP. The issue with going directly through your Azure AD is that an ArcGIS Token is never created. I would suggest trying the method above and seeing if your Azure AD auth info is saved as either a cookie or local/session storage once you are redirected back to your application. If so, you should still be able to use the other API hosted through Azure.

0 Kudos
TonyCollins
New Contributor III

I think maybe this is a bit chicken and egg, as like you say I am missing an ArcGIS Token using the current method, but switching to an ArcGIS Enterprise login I think I would be missing the Azure ID Token I need to request the API Access Token for consuming the API?

0 Kudos
BenElan
Esri Contributor

You should still have the Azure ID Token with this method. To test this, try logging in to your Portal with your Azure AD credentials. Does an Azure ID Token get saved in your cookies or local/session storage?

Edit: You can check in Chrome: View, Edit, And Delete Cookies With Chrome DevTools 

0 Kudos
TonyCollins
New Contributor III

Hi Ben,

Hope things aren’t too bad for you with what’s going on, I can see a lot of Covid-19 maps based on Esri tech at the moment.

So when I log into Enterprise I get the following Keys:

Local Storage:

esriJSAPIOAuth (Looks like a Portal Token)

Cookies:

AGS_ADMIN_TOKEN

AGS_PRIVILEGE_TOKEN

esri_auth

rsaPublicKey

None of these ‘look’ like they hold an Azure ID Token, but they do all have a token of some form

I have looked online, but I can’t find any Esri documentation on whether an Azure ID Token is sent back to the client on successful sign-in using Enterprise login.

Thanks for your help with this.

Kind Regards,

0 Kudos
BenElan
Esri Contributor

Hi Tony,

I'm good, thanks. Hope things aren't too crazy on your end as well.

Hm.. yeah as I mentioned I am not too familiar with the way Azure AD works. Can you see if there is an Azure AD token in the cookies/storage of your JavaScript app after signing in?

It may be worth switching the auth workflow to the one above just to see if both of the APIs end up working.

If you would like help setting up the workflow or if you try and it doesn't work, I would suggest contacting Technical Support. It would be a lot easier to troubleshoot the issue with the ability to share screens and speak over the phone. If you do, put the product as the ArcGIS JavaScript API and attach this thread to the notes. I will tell my team that I have been working with you and that I will own the ticket.

Ben

0 Kudos
Ranga_Tolapi
Occasional Contributor II

Hi Tony,

Got any luck? Will you be able to share your current approach?

 Thank you.

0 Kudos