While ArcGIS Enterprise nominally supports the client_credentials OAuth2 flow, its behavior is highly non-standard. In fact, it turns out the app must be owned by the same user as the resources it can access. This is not ideal. There is documentation that outlines this restriction and why it exists.
However, the standard behavior for this type of application or service user (client) would be for the application to have its own access privileges instead of assuming those of its owner. The client could be granted permission to a single service from a user who has published many services. It could be granted permission to access services published by different users. The owner of the client should be able to rotate the client secret.
Let's outline a scenario:
Publisher A works on projects with a variety of clients in a large enterprise organization. They have several services they publish, including a tax parcels service and a custom geocoder.
Client B wants to use the custom geocoder in their application. The organization's security policy specifies that API keys should be rotated every 90 days.
Client C wants to use the tax parcels service and the custom geocoder in their application as part of a weekly validation routine on some of the data Client C works with. The process takes a while, and runs automatically overnight.
Under the existing ArcGIS Enterprise behavior, Publisher A needs to create two API keys. They will then share the secret information with Clients B and C, including the quarterly rotation for Client B. These API keys will have access to all the services that Publisher A owns. The security team is not thrilled by this arrangement.
A better method would be for Clients B and C to create API keys (B-app and C-app), and for Publisher A to grant those API keys access with appropriate permissions levels to the geocoder service (for both B-app and C-app) and the tax parcel service for C-app.
Because Client B owns the B-app API key, they can rotate the key when they need to (client_id being constant and what is tied to the permissions). Their API key can only access what it needs to.
Similarly, Client C owns the C-app API key, and can also rotate the key when they need to. Their API key can access the services it needs with the permissions it needs, but doesn't assume the permissions of its owner.
Clients B and C are happy, because their applications can get the data they need in a fully automated way. The security team is pleased that the applications have the least privileges needed, and that secrets don't need to be shared between Publisher A and Clients B and C. Publisher A is happy that they don't need to be involved when a client needs to rotate their API key, and that they can keep their clients from having the full access to many datasets that Publisher A has.
Continuing the line of thought above, I am working to get per-user or per-application statistics on usage for some of my services. However, with the current API key situation, the generated token will be logged at service level as being from the API key's owner, not as from the API key (with app id) itself. That causes problems with the situation above:
Publisher A has created API Key B for Client B and API Key C for Client C. Leaving aside the issues outlined about key rotation and security, now when these applications access the service, all of the hits logged with the service come from Publisher A! This does not allow tracking the usage on a per-API-key basis.
If the client credentials key were treated as a separate user with its own permissions, which is how the OAuth standard imagines this working, it can then be given access to the service but owned by whichever client user needs it. When logged against the service, it could be logged as User: API Key C instead of User: Publisher A, which then helps solve the usage statistics problem I'm trying to solve.
The lack of functional client_credentials OAuth2 tokens continues to be a pain point in my organization and others. A colleague recently wanted to set up an automated process to access a feature service in their organization's ArcGIS Enterprise deployment. They have business needs to keep the users limited to Active Directory users only (no built-in users), and as data providers, having API keys with vastly more access than is needed does not work well for them.
Our IT admins and security team would all be much happier if we could create API keys that can themselves be given permissions on (and limited to) specific resources and where usage could be tracked to the application using that service.
Even if a non-service-owner user could maintain their own API key which has their level of access to a service would be a step up from where things are now.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.