identity manager and local storage

05-02-2013 10:09 AM
danbecker
Occasional Contributor III
I followed the example on how to persist identity manager info using local storage or a cookie:
http://developers.arcgis.com/en/javascript/jssamples/widget_identitymanager_client_side.html

I've discovered a problem: occasionally you come back to the JS app using Firefox and you are prompted with the identityManager signIn dialog. You enter valid credentials, the modal signIn disappears, then re-appears with an error: "this value is required" for the password field.


I was finally able to reproduce the problem; you can perform these steps with the above sample:

1. Log in to the JS app normally by supplying valid credentials.
2. Close the tab or browser; dojo.addOnUnload() stores the current, valid credential object in localStorage as a string.
3. Locate the string in localStorage (I used the SQLite Manager extension in FF).
4. Change a single character in the token; you essentially invalidate the token.
5. Open a new tab in FF and try to log in to the JS app; you will be presented with the password error on the signIn dialog.

In step 5 above, Firebug never shows a call to the token service to obtain a new token. After pressing the OK button on the signIn dialog, all the layers are attempting to be accessed with a URL qString like so:
https://servicesbeta.esri.com/ArcGIS/rest/services/SanJuan/TrailConditions/FeatureServer/0?f=json&to...

I assume the token service is not called because the token that was loaded from localStorage is not expired, it's just invalid.

Any advice on how to force identityManager to acquire a new token when the token in localStorage is invalid?

Thanks.
0 Kudos
6 Replies
danbecker
Occasional Contributor III
Confirmed: if you set the "expires" value for the credential in localStorage to a past timestamp, then browse to the app, the credential is loaded from storage, the identityManager signIn dialog appears, and you can sign in normally, i.e. the tokenServiceURL is called like it should be.

So, why isn't the tokenServiceURL called when the token in storage is invalid and not expired?
Why does the stored token get corrupted, obviously outside of manually corrupting it?
0 Kudos
danbecker
Occasional Contributor III
workaround:

the only way I knew of detecting whether the stored token was invalid was to send an esri.request to the service.

If the error callback gets fired the token is either invalid or expired. At this point, the user needs to log in regardless, so just to be sure the identityManager calls the tokenServiceURL, we manually edit the stored token to be expired then refresh the state of the identityManager so it prompts for signIn.

// `cred` is the localStorage key / cookie name under which the credentials
// were saved; it must be the same name in both branches below.
function loadCreds() {
  var def = new dojo.Deferred();
  var idJson, idObject;
  if (supports_local_storage()) {
    idJson = window.localStorage.getItem(cred);
  } else {
    // read from a cookie
    idJson = dojo.cookie(cred);
  }
  if (idJson && idJson != "null" && idJson.length > 4) { // proceed with loading credential
    idObject = dojo.fromJson(idJson);

    var token = idObject.credentials[0].token; // token that was stored
    // query used to test if loaded token is valid
    var url = "https://mygis.server.com/arcgis/rest/services/folder/service/MapServer/0/query";
    var req = esri.request({
      url : url,
      content : {
        where : "aField='aValue'",
        f : "json",
        token : token
      }
    }, {
      useProxy : false
    });

    // the server accepted the stored token: load the credential as-is
    function success(data) {
      esri.id.initialize(idObject);
      def.resolve("valid token loaded");
    }

    // the server rejected the stored token (invalid or expired)
    function error(err) {
      // manually edit the loaded cred expire date so the identityManager
      // properly calls the tokenService URL for a new token
      idObject.credentials[0].expires = 0;
      esri.id.initialize(idObject);
      def.resolve("token invalid or expired");
    }
    req.then(success, error);
  } else {
    def.resolve("not loaded");
  }
  return def.promise;
}

// secondProcess() and finishInit() are the app's own later start-up steps
var firstProcess = loadCreds();
firstProcess.then(function (loadCredResults) { // wait for stored credentials to load
  return secondProcess();
}).then(function (secondProcessResults) { // wait for the secondProcess
  finishInit();
});

0 Kudos
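An added example, not code from any poster in this thread or from the Esri sample: it generalizes the workaround above to every stored credential and also handles storage entries that no longer parse or have lost their shape. The `probe` parameter is a hypothetical caller-supplied function (for instance a wrapper around esri.request) that returns a promise rejecting when the server refuses the token; `expires` is assumed to be milliseconds since the epoch.

```javascript
// Constructed sample of a stored entry (all values are made up).
const SAMPLE_STORED = JSON.stringify({ credentials: [
  { token: "good", expires: 2000 },
  { token: "tampered", expires: 2000 },
  { token: "old", expires: 500 }
] });

// Parse the stored string with a strict JSON parser; the string is never
// evaluated as code. Returns null for anything not shaped like
// { credentials: [ ... ] }.
function parseStored(idJson) {
  if (typeof idJson !== "string" || idJson.length <= 4) return null;
  let obj;
  try {
    obj = JSON.parse(idJson);
  } catch (e) {
    return null; // truncated or hand-edited storage entry
  }
  if (!obj || !Array.isArray(obj.credentials)) return null;
  return obj;
}

// Worth probing only if it carries a token that has not yet passed its
// own `expires` timestamp (assumed: milliseconds since the epoch).
function isUsable(c, nowMs) {
  return !!c && typeof c.token === "string" && c.token.length > 0 &&
    typeof c.expires === "number" && c.expires > nowMs;
}

// Probe every usable credential. Entries that are malformed, expired or
// rejected by the probe get expires = 0, so the identity manager treats
// them as expired and asks the token service for a new token.
async function vetStoredCredentials(idJson, probe, nowMs = Date.now()) {
  const idObject = parseStored(idJson);
  if (!idObject) return { idObject: null, forcedExpired: [] };
  const forcedExpired = [];
  await Promise.all(idObject.credentials.map(async (c, i) => {
    let ok = isUsable(c, nowMs);
    if (ok) {
      try { await probe(c); } catch (e) { ok = false; }
    }
    if (!ok && c) { c.expires = 0; forcedExpired.push(i); }
  }));
  return { idObject, forcedExpired: forcedExpired.sort((a, b) => a - b) };
}
```

Pass the returned `idObject` to esri.id.initialize() only when it is not null; a null result means the stored entry should be discarded and the user signed in from scratch.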
PhilipKnight1
Occasional Contributor

I've been looking everywhere on how to use the identity manager in legacy mode. THANK YOU!

instead of using "esriId", I needed to do "esri.id"

0 Kudos
KevinMacLeod1
Occasional Contributor III
dbecker88 if I may ask you or others:

I'm trying for the first time to set up security. We have one service we want to use with tokens. Just http for now. (https later). We set up SQL database with some users and roles and enabled anonymous user roles.

I turned it to http following the docs - http://help.arcgis.com/en/arcgisserver/10.0/help/arcgis_server_dotnet_help/index.html#/Setting_up_us...

<Web server root>\ArcGIS\Tokens\web.config and other two files updated fine. Note.. there was no space in the second key line, make sure to check spaces pasting in the AppSettings keys!

We turned on the token service. I can get to our token service page fine with http://ourserver/tokens/gettoken.html

That generates a token fine.

However in our site and on the sample Sandbox (http://developers.arcgis.com/en/javascript/sandbox/sandbox.html?sample=widget_identitymanager_client...)    ... the user / role we created for this Service fails.

I included Identity Manager and the local storage stuff from the sample (we want local storage for now, maybe proxy later..)

It pops up as it should, asks for credentials. But when I enter the user /pass it says "Unable to access the authentication service."

However... when I turn the service Permissions in ArcGIS Server Manager to "Everyone" it works just fine!

Interestingly though I noticed this secure service half-works on ArcGIS.com. I spied on it in F12/Firebug network connections and saw it got a token (the token at the end of the URL).  However popups do not work. Even with everyone access. But that is fine, popups work with Everyone access in our site. It's only when we lock it down to the secured User that it fails, "Unable to access the authentication service."

Anyone seen this?

Called tech support, we couldn't fix it, we tried making a new user, new service/.msd, etc. Still happens. In fact I took the sample, but just stuck my secured service in it, same error. As both FeatureLayer and Dynamic. Will keep working on it, post results back...
0 Kudos
danbecker
Occasional Contributor III
trying to remember back to server 10....we also really struggled with the initial setup of sql users/roles. IMO, if you have the ability, upgrade to 10.1 and scrap sql users/roles. The integrated 10.1 user/role store is 100% easier and doesn't require sql. When we upgraded, I ended up having to re-enter 100's of users into the integrated 10.1 security store, but it was well worth it IMO. The 10.1 manager is also 100% better.

Back to 10...are you able to successfully connect to sql database in manager? When you assign a role to your service, (I can't remember exact steps) but we had 2 locations that roles were displayed, local and domain **I think**. If we added the role from one, it wouldn't work, but from the other it did. This was because the GIS server was also an AD domain server.

this isn't a JS problem, it's a server 10 .NET config issue
0 Kudos
KevinMacLeod1
Occasional Contributor III
Dan thank you for your reply.

I figured it out -- we needed to add a proxy. We added a proxy and put the token in there. We generated the token from the generator page. Now it works.  Although in theory I guess your approach -should- work... Of course, storing a long token in the proxy is not the best approach, but it works for now.

Also the legend icons do not load in AGS JS TOC widget but there is already a thread about that... a couple years old! http://forums.arcgis.com/threads/38631-Legend-doesn-t-work-with-secure-map-services?p=296201#post296...

And thank you for the advice and I have heard that elsewhere -- that security is both better and more simplified for deployment in 10.1. We will look into this.  And 10.2...
0 Kudos