Here's an interesting edge case that I'd like to put out there in case anyone can help....
Lets say I have a secure feature service published by an arcgis server (for arguments sake let's say it's 10.4.1 if that matters).
I add that feature service as a stored item in AGOL with saved credentials. I can now add that item to web maps etc, so long as I'm logged into AGOL.
When you add a feature service to AGOL like this, it creates a proxy url, so to speak, that redirects to the actual underlying feature service url.
Now, let's say I'm using AppStudio to interact with that item/feature service. I log into AGOL using the 'Portal' object. I then try to do a 'fetch feature service info' using a 'ServiceInfoTask', using the proxy url as the ServiceInfoTask url. This fails because it doesn't have a valid token or authorization.
The proxy url it creates begins with "https://utility.arcgis.com/usrsvcs/servers/....etc". I tried adding that url to the identity manager using the portal credential object but that didn't work. Obviously I can't hit the source url of the actual portal feature service as the credential for that is stored in AGOL.
Any ideas how I might access the underlying feature service, via the AGOL stored item?
So basically you are referring to a hosted secured feature service. Did you end up sharing the item to public? If you did then your underlying secured feature will work as the credentials (for the actual arcgis secured service) are stored within the item. And you should be able to access it.
If you don't want this way. Then you have to go through the OAuth2 Authentication, because at this point it is not about ArcGIS Server secured service. I would recommend you to have a OAuth authentication login page for your app. Then you should be able to access the item
So, if I understand correctly, what you are saying is that the AGOL won't forward the appropriate request on to the arcgis server using the stored credentials, and that the app would also need to authenticate directly for the arcgis server (e.g. using OAuth). So the user would need to authenticate once for AGOL and once for the server - so no real point in adding the item to AGOL in the first place - is that correct?
Or, if the argis server and AGOL were both configured to use the same OAuth identity provider then we would be able to get away with a single sign on then....
(to clarify, sharing the data publicly is not the intent. The intent is for the the data to be consumed by logged in AGOL users).
Actually, there will be only single sign in using the Portal named user in your app and the secured service should work without any further sign in since the credentials are stored within the item. Just like it does using the ArcGIS online or Portal.
I don't have Portal and I am unclear why you are adding your secured feature service to AGOL, so I might be missing something, but maybe this will help. You can access an ArcGIS Server secured feature service directly from your AppStudio app and add a proxy to your web server to handle the security.
Here's directions on how to download and install proxy: resource-proxy/DotNet at master · Esri/resource-proxy · GitHub That's where you put your credentials, token url for the secured feature service, and allowed referers. (ArcGIS Server secured feature service credentials, not AGOL credentials)
I'm not sure what the best practice would be for implementing in AppStudio app, but right now I'm just using this format for the "featureServiceURL" in the appinfo.json file: