How to launch login straight to external OAuth identity provider

1490
10
06-20-2018 09:00 PM
Highlighted
Regular Contributor

Hi all.

This question relates to using OAuth with ArcGIS Online.

The standard workflow using OAuth as I understand it is:

My question is, how do you skip the first step? I want an application to jump straight to displaying the external login page.

I can't seem to figure out how to trigger the OAuth workflow without the user first seeing the AGOL page and manually clicking the button to launch the external login page.

cheers,

-Paul

Tags (3)
10 Replies
Highlighted
Esri Frequent Contributor

HI Paul,

Are you looking to use an oAuth login with Enterprise logins in ArcGIS Online or built-in ArcGIS Online usernames?

ArcGIS Security and Authentication | ArcGIS for Developers 

If this is for a custom application, which API or SDK are you using?

-KElly

Reply
0 Kudos
Highlighted
Regular Contributor

Using enterprise logins.

Using JavaScript api for web development and AppStudio (Qt SDK) for mobile development.

Cheers

Paul

Sent from my iPhone

Reply
0 Kudos
Highlighted
Frequent Contributor

Check out this OAuth sample we have in the JSAPI SDK.

Access ArcGIS Online items using OAuthentication | ArcGIS API for JavaScript 4.7 

What you can do is as soon as the application starts do something like this.

esriId.checkSignInStatus(info.portalUrl + "/sharing").then(
  function() {
    esriId.getCredential(info.portalUrl + "/sharing");
  }
).catch(/*give user an option to sign in*/);‍‍‍‍‍

There's also a DevLab that is very similar.

Access private layers | ArcGIS for Developers 

In both cases they do the above on a link click, but you can skip that and do it immediately.

For more details, you can check out the doc for IdentityManager

IdentityManager | API Reference | ArcGIS API for JavaScript 4.7 

and Portal

Portal | API Reference | ArcGIS API for JavaScript 4.7 

Highlighted
Regular Contributor

Hi Rene

Thanks for the reply. I took a look at that sample, but it demonstrates exactly what I'm trying to avoid.

In that sample, you click the 'Sign In' link, then a page pops up asking the user to grant permission for the app to access their account. It is this page that I am trying to skip, and go directly to the external enterprise login page. There is no other option for the user other than granting permission and so I want to avoid this page altogether.

I realise that the asking to grant permission is part of the standard OAuth authorization workflow, so I'm looking for an alternative workflow that still ends up with us having an OAuth refresh token and access token that we can pass to the appropriate Identity Manager in the SDKs.

If anything, I suspect it might be something to do with using a different grant type, but this is what I'm not sure about.

Any further tips?

cheers,

-Paul

Reply
0 Kudos
Highlighted
Regular Contributor

The links below might help. What I'm trying to achieve is probably what's described in those articles as 'Identity Provider Initiated Logins'. If anyone can provide more information on how to set up this workflow please let me know. The documentation talks about setting up federation between ArcGIS Online and certain IDP, but don't go into any particular detail about how to initiate an identity provider login, everything seems to relate to SP initiated logins.

http://proceedings.esri.com/library/userconf/proc16/tech-workshops/tw_314-220.pdf 

Set up enterprise logins—ArcGIS Online Help | ArcGIS 

Reply
0 Kudos
Highlighted
Regular Contributor
Reply
0 Kudos
Highlighted
Regular Contributor

Hello,

I know Oauth2 is an authorization protocol meaning that you have to ask permission to the user to allow an application  (eg: WebMap app) to access information about that user hosted on a plateform (eg: ArcGIS Enterprise).

But as an organization hosting and securing data on an ArcGIS Enterprise, I think it would make sense to be able to register "official" applications that would be allowed to skip the authorization form

If Google asked you to grant permission to Google every time you logged in to gmail it would be pretty confusing. Allowing first party clients to skip the authorization prompt is supported by the majority of OAuth servers: Auth0, Otka, Doorkeeper, Django OAuth Toolkit, IdentityServer, Keycloak, Ory Hydra, and others.

As our ArcGIS Enterprise is configured with our SAML identity provider, the authorization form is preventing an SSO experience within the organization and is confusing for the end user which has no idea that behind the scene there is an ArcGIS Enterprise.

So far I don't think it is doable, isn't it ? Do you think an ArcGIS Idea should be created ? It is something you would consider ?

Thanks,

Nicolas

Reply
0 Kudos
Highlighted
Regular Contributor

Kelly Gerrow‌, any thought about this request ?

I created an Idea but did not get any feedback so I was wondering if I missed anything ?

I believe this is something that would ask many organization but maybe I am mistaken.

Thanks !

Reply
0 Kudos
Highlighted
New Contributor II

Any update on this? I'm running into this exact same issue and cannot find any documentation or examples anywhere that explain how to achieve this. I'm beginning to think this isn't possible. My scenario:

A front-end client app using Azure AD Authentication.

A back-end custom API using Azure AD Authentication.

An ArcGIS Enterprise site with Azure AD IDP and SSO configured.

The front-end client app has permissions for the back-end custom API app registration and the ArcGIS Enterprise app registration.

When I request an access token from Azure AD (using my client app id), and then register this token with the JSAPI IdentityManager, when calling portal.signIn(), i get a 'token is invalid' response. Not sure what I'm missing.

Using the Microsoft Authentication Library (MSAL) I can very easily manage OAuth flow between client-app and custom back-end API. I don't see why I cannot achieve the same flow with ArcGIS Enterprise, as it is also registered in Azure AD. 

Any help or insight greatly appreciated!