Perhaps my original post was unclear. I was trying to authenticate users through my own web application, and after they had successfully authenticated, I wanted to allow them to access secure Portal resources through a map that I configured with the JavaScript API. I didn't want the user to be prompted to log in twice, and I didn't want them to have individual Portal accounts.
I now have this working. ESRI's application authentication pattern provides this functionality (ArcGIS Security and Authentication.) The web app authenticates using a proxy (Esri/resource-proxy). This allows the registered web application to login to Portal using a single application user and password without requiring each user to have an account on the ESRI Portal. This can be done without the proxy, but the proxy simplifies the security and token exchange.
While there are many articles mentioning application authentication, proxies, tokens, and the JavaScript API, there isn't a clear tutorial on how to combine them, which was the impetus for my original post. Here are the basic steps required with some links to useful tips. It's not comprehensive, but maybe it will help someone else who is trying to sort it out.
- Set up your web application on your web server (this is your custom web site)
- Add and register your app in ArcGIS Online or Portal (Add items—Portal for ArcGIS (10.3 and 10.3.1) | ArcGIS for Server ). Use the URL of the new web site created in the previous step. Note the appId and appSecret.
- Set up the proxy on the same web server as the application (Esri/resource-proxy · GitHub ). Use the appId and appSecret from previous step.
- Configure the proxy using your server's settings (Esri/resource-proxy · GitHub )
- Write the JavaScript to display the map and access the secure resources after authenticating (Using the proxy | Guide | ArcGIS API for JavaScript )
