OAuth App logins and sharing

08-12-2013 05:56 AM
DominicStubbins
New Contributor II
The documentation for App logins using OAuth states:

Successful authentication directly returns a JSON response containing the access token that allows the application to work with resources that are accessible to the application (that is, have been shared with the application).


I'm not clear what "shared with the application" means. There does not appear to be an obvious mechanism to do this. My experimenting seems to show that to access data services they must be "owned" by the developer, which makes sense. Is this the case, and perhaps the doc needs updating, or am I missing something? (I see this behavior with both developer and the organisational plans.)

thx

DS
0 Kudos
3 Replies
PatrickArlt1
Esri Contributor
dstubbin,

I think this does need to be updated. Applications should be able to access anything the owner of that application can access.
0 Kudos
PatriceFREYDIERE
New Contributor II
dstubbin,

I think this does need to be updated. Applications should be able to access anything the owner of that application can access.


Hello, I ran a couple of tests regarding this assumption. It seems to be true for WebMaps and Services, but not for group descriptions.

When using an OAuth2 app login to get a group description, the REST API returns an unauthorized access error:

url : http://d8esrifrance.maps.arcgis.com/sharing/rest/community/groups/86cbe8647e904a958fb272f8cae3c86a?f.....

returns:
{"error":{"code":403,"messageCode":"GWM_0003","message":"You do not have permissions to access this resource or perform this operation.","details":[]}}

It works fine when the token belongs to the app owner: generating the owner's token using generateToken, the same REST call succeeds.

Bug? Or are there any limitations on permissions using the app login thanks to OAuth2?


Patrice
0 Kudos
SuneDue_Møller
New Contributor III
As I understand it, ArcGIS Online has two types of accounts: user accounts (username/password) and application accounts (appId/appSecret).

When you invite a customer into a group you are always granting permissions to a user account. There is no way to invite an application into a group (at least not through the web interface). This means that an Organization (A) user can see content from Organization (B), but an Organization (A) application cannot.

BTW: I hope Esri will consider changing this. But the reason for not doing so might have something to do with the business model around AGOL.

- Sune
0 Kudos