OAuth2 - Access application resources

06-24-2020 11:41 PM
MartinWennerwald
Emerging Contributor

Using ArcGIS Enterprise 10.8, we have added a new item – Application – to a user's content.

This generates an Application item, with an App ID and APP Secret, along with App type and redirect URIs defined.

These can be used to generate an access token via the OAUTH2 token endpoint.

https://<domain>/sharing/rest/oauth2/token

using the parameters:

client_id=APPID&
client_secret=APPSECRET&
grant_type=client_credentials

Esri states in their documentation:

“Successful authentication directly returns a JSON response containing the access token that allows the application to work with resources that are accessible to the application (that is, have been shared with the application). Use of the client_secret as previously described is mandatory.”

Question is: how do we share resources with the application?

The overall goal is to grant an external application (unknown user) access to portal resources (i.e. a layer item) via OAUTH2 app login.

3 Replies
PrestonMcCormick1
New Contributor

I've got the same issue.  The application shows up as content in ArcGIS Portal, so it seems to be something that you share, not something that you share things with. An application should be more like a user, so it can be granted or denied access to resources.

While only unsecured feature services are listed when querying for available services using the application token, the app token grants full access to all feature services secured by the Portal.  One of these behaviors is a bug.

0 Kudos
PrestonMcCormick1
New Contributor

I saw on another thread that the application has access to whatever its owner has access to.  If that is the case, then you should be able to create an App User to own the app and then control access to services by sharing with the App User (instead of with the app itself).

JackFanZhang
Frequent Contributor

We are on ArcGIS Enterprise v11.3 and still see the same behavior. The doc was very unclear and confusing. Once found out, it is an obvious bug and a serious security loophole. Customers like us had no choice but to use a workaround like the one @PrestonMcCormick1 mentioned to patch the hole. Fortunately, 11.4 seems to have added the option to share specific items with the App Credential, where it talked about

Item access privileges

 OAuth credentials (for app authentication) | Documentation | Esri Developer

0 Kudos
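Added example, not part of the thread and not Esri code: a Python check that an app token reaches only the services it is meant to reach, for instance after moving the app to a dedicated App User as suggested above. The host, service URLs and replies are constructed; it assumes a service refuses access with a JSON `error` object and accepts `f` and `token` as POST parameters.

```python
import json
import urllib.parse
import urllib.request

def token_request(portal, app_id, app_secret):
    """Build the client_credentials POST from the question (secret stays in the body)."""
    body = urllib.parse.urlencode({"client_id": app_id, "client_secret": app_secret,
                                   "grant_type": "client_credentials"}).encode()
    return urllib.request.Request(f"{portal}/sharing/rest/oauth2/token", data=body)

def post_json(url, token):
    """POST f=json&token=... so the token never appears in a URL or access log."""
    data = urllib.parse.urlencode({"f": "json", "token": token}).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data), timeout=10) as r:
        return json.load(r)

def audit_app_token(token, expected, fetch=post_json):
    """expected: service URL -> True if the app is meant to read it.
    Returns (url, finding) for each service whose real access differs."""
    findings = []
    for url, should_read in expected.items():
        reply = fetch(url, token)
        # Assumption: a refusal comes back as a JSON "error" object.
        can_read = "error" not in reply
        if can_read and not should_read:
            findings.append((url, "OVER-PRIVILEGED"))
        elif should_read and not can_read:
            findings.append((url, "DENIED code=%s" % reply["error"].get("code")))
    return findings

# Constructed sample data: hypothetical host, services and replies.
BASE = "https://gis.example.com/server/rest/services"
EXPECTED = {f"{BASE}/Shared/FeatureServer": True,
            f"{BASE}/Internal/FeatureServer": False,
            f"{BASE}/HR/FeatureServer": False}
REPLIES = {f"{BASE}/Shared/FeatureServer": {"layers": [{"id": 0}]},
           f"{BASE}/Internal/FeatureServer": {"layers": [{"id": 0}]},
           f"{BASE}/HR/FeatureServer": {"error": {"code": 403, "message": "denied"}}}

def sample_fetch(url, token):
    """Stand-in for post_json that serves the constructed replies offline."""
    return REPLIES[url]

if __name__ == "__main__":
    for url, finding in audit_app_token("constructed-token", EXPECTED, sample_fetch):
        print(finding, url)
```

Against a real portal, drop the `fetch` argument and pass the `access_token` returned by the token endpoint; an OVER-PRIVILEGED finding means the token reads a service that was never meant to be shared with the app.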