After I have registered an Application in My Content, using the AppID with the oAuth manager, I want to be able to limit the users that can authenticate to only members of a certain group.
So if I share the Application with only Group A, members of Group A should be the only ones that can sign in.
I have this setup in my organization, but oAuth is letting anyone with an ArcGIS Online account authenticate.
How do I restrict the users that can sign in?
Hi Kyle,
Have you tried creating groups so that people who are not in the group can't view the web map or other items?
Create groups—ArcGIS Online Help | ArcGIS
So technically you need to use both OAuth and groups together to limit which members can view the app.
Hope this can help.
I have the application inside a group. The application doesn't access any webmaps or items.
Hi Kyle,
Have you tried sharing the application within your group? You can open your browser's developer tools to check what kind of response you receive when running the application. Then we can troubleshoot the issue based on the error you get.
Yes, the application is shared within a group.
There is no error message.
The application is registered in ArcGIS Online, with an AppId.
I use that AppId within the OAuthInfo object.
// OAuthInfo for the registered application; myAppId is the App ID from the registered item in My Content
var info = new OAuthInfo({
    appId: myAppId,
    popup: false   // redirect the whole page to the sign-in form instead of opening a popup
});
The problem is anyone with an ArcGIS Online account can sign in. How do I limit it to only members of the Application group?
Hi Kyle,
Esri's OAuth is just for you to log in; it does not take care of permissions. The permission checking could be implemented inside your own client implementation of OAuth.
You can take a look at this online documentation:
What is OAuth 2.0? | ArcGIS for Developers
In other words, OAuth 2.0 is not an identity provider because OAuth 2.0 does not know anything about users. It is not an authorization protocol because OAuth 2.0 does not care about what you authenticate or your permissions model. OAuth 2.0 only cares about HOW credentials are requested and transmitted over the network.
Thank you Yue Wu.
So when you say the permission checking could be implemented inside your own client implementation of OAuth, I will have to check if the user that signed in is a part of the group my application is shared in?
Checking user credentials.groups and comparing?
You're welcome.
Yeah, I think you are right. You can use the ArcGIS REST API to check if a user belongs to a group.
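Putting the two answers together, here is an added example (not from the thread and not Esri's own code) of the client-side membership check: after OAuth sign-in it reads the user's groups from the ArcGIS REST endpoint sharing/rest/community/self and compares them against the group the app is shared with. The group id, portal URL, credential wiring and the sample responses are assumed placeholders.

```javascript
// Added example: verify that the OAuth-signed-in user belongs to the app's group.
// Placeholder: replace with the id of the group the application item is shared with.
const REQUIRED_GROUP_ID = "GROUP-ID-PLACEHOLDER";

// Pure check over a community/self response, which lists the user's groups as
// objects with at least an `id` and `title`. Missing or malformed data means "no".
function isMemberOfGroup(selfResponse, groupId) {
  if (!selfResponse || !Array.isArray(selfResponse.groups)) return false;
  return selfResponse.groups.some((g) => g && g.id === groupId);
}

// Authorization decision for the app: "allow" only on confirmed membership.
// A REST error payload (e.g. code 498 for an invalid/expired token) is denied too.
function authorize(selfResponse, groupId) {
  if (!selfResponse || selfResponse.error) return "deny";
  return isMemberOfGroup(selfResponse, groupId) ? "allow" : "deny";
}

// Fetch the signed-in user's profile with the OAuth token from the credential.
// Assumed wiring (ArcGIS JS API 3.x): esriId.registerOAuthInfos([info]);
// esriId.getCredential(info.portalUrl + "/sharing").then(c => fetchSelf(info.portalUrl, c.token))
async function fetchSelf(portalUrl, token) {
  const url = `${portalUrl}/sharing/rest/community/self?f=json&token=${encodeURIComponent(token)}`;
  const res = await fetch(url);
  return res.json();
}

// Constructed sample responses in the shape community/self returns (not real accounts).
const SAMPLE_MEMBER = {
  username: "kyle_example",
  orgId: "ORG-ID-PLACEHOLDER",
  groups: [
    { id: "GROUP-ID-PLACEHOLDER", title: "App Users", owner: "admin_example" },
    { id: "OTHER-GROUP-ID", title: "Field Crew", owner: "admin_example" },
  ],
};
const SAMPLE_OUTSIDER = { username: "someone_else", orgId: "OTHER-ORG", groups: [] };
const SAMPLE_ERROR = { error: { code: 498, message: "Invalid token." } };
```

This check only gates the app's own UI and is not a security boundary: anything the app reaches (items, services) must itself be shared only with that group so that the portal enforces membership on the server side.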