Using ArcGIS Enterprise 10.8, we have added a new item – Application – to a user's content.
This generates an Application item, with an App ID and APP Secret, along with App type and redirect URIs defined.
These can be used to generate an access token via the OAUTH2 token endpoint.
https://<domain>/sharing/rest/oauth2/token
using the parameters:
client_id=APPID&
client_secret=APPSECRET&
grant_type=client_credentials
ESRI states in their documentation:
“Successful authentication directly returns a JSON response containing the access token that allows the application to work with resources that are accessible to the application (that is, have been shared with the application). Use of the client_secret as previously described is mandatory.”
Question is: how do we share resources with the application?
The overall goal is to grant an external application (unknown user) access to portal resources (i.e. a layer item) via OAUTH2 app login.
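The token request described in the question above, as an added example that is not part of the original posts and is not Esri's code. It sends the three parameters in a POST body so the client_secret does not end up in URL logs. The function names, the portal.example.com host and the shape of the error reply are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request

class TokenError(Exception):
    """Raised when the portal's reply carries no usable access token."""

def build_token_request(portal_base, client_id, client_secret):
    """Build the client_credentials request with the secret in the POST body.

    Proxies and web servers normally log the full request URL, so keeping
    client_secret out of the query string keeps it out of those logs.
    """
    if not portal_base.lower().startswith("https://"):
        raise ValueError("token endpoint must be reached over HTTPS")
    url = portal_base.rstrip("/") + "/sharing/rest/oauth2/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    }).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")

def parse_token_response(raw):
    """Return (access_token, expires_in) or raise TokenError."""
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        raise TokenError("response is not JSON") from exc
    if not isinstance(doc, dict):
        raise TokenError("response is not a JSON object")
    # Assumption: a failure is reported as an "error" member in the JSON body,
    # so the body has to be inspected even when the HTTP status looks fine.
    if "error" in doc:
        err = doc["error"]
        detail = err.get("error_description") or err.get("message") if isinstance(err, dict) else err
        raise TokenError("token request rejected: %s" % detail)
    token = doc.get("access_token")
    if not isinstance(token, str) or not token:
        raise TokenError("no access_token in response")
    return token, doc.get("expires_in")

if __name__ == "__main__":
    # Constructed values; nothing is sent over the network here.
    req = build_token_request("https://portal.example.com", "APPID", "APPSECRET")
    print(req.get_method(), req.full_url)
    print(parse_token_response('{"access_token": "constructed-token", "expires_in": 7200}'))
```

To actually send the request, pass the returned object to urllib.request.urlopen and hand the decoded body to parse_token_response.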
I've got the same issue. The application shows up as content in ArcGIS Portal, so it seems to be something that you share, not something that you share things with. An application should be more like a user, so it can be granted or denied access to resources.
While only unsecured feature services are listed when querying for available services using the application token, the app token grants full access to all feature services secured by the Portal. One of these behaviors is a bug.
I saw on another thread that the application has access to whatever its owner has access to. If that is the case, then you should be able to create an App User to own the app and then control access to services by sharing with the App User (instead of with the app itself).