What's the proper configuration for proxy.config and config.json for a self-hosted Web AppBuilder for ArcGIS Web Application?

27487
20
Jump to solution
02-04-2015 03:10 PM
AlexMahrou
Occasional Contributor

I can't find a solid document on this, and Esri support was just trying to fill in the gaps....

I have an application that I configured through our web appbuilder for arcgis on our organization site. I have since downloaded the code and pasted the requisite json from the web app into the config.json on my web server at https://mywebserver/webapp

my proxy is located here: https://mywebserver/DotNet/proxy.ashx

I have registered the application and have a clientid, and secret on agol.

clientid: clientid123

appsecret: appsecret123

I can successfully browse to the application at https://mywebserver/webapp without the proxy and get prompted to enter my agol creds and it works. I just would like to remove the agol popup and enforce my own iis security. To do this I need a proper configuration in my proxy and in my json.config. Can someone use the variables that I quoted above and tell me what my <ProxyConfig> tags in my proxy.config file, and what my "httpProxy" section should look like in my config.json?

I think that's all I need. 😉

1 Solution

Accepted Solutions
AlexMahrou
Occasional Contributor

Okay, my reply is long overdue. But I have reached resolution!

I attempted to follow the documentation for the DotNet proxy on GitHub by inspecting examples and also followed the instructions here : on the "Manage Apps" section on the docs.arcgis.com site

In actuality there are three workflows that I've found. Items one and two will necessitate a proxy if you are to utilize AGOL items and wish to employ your web server's security. Item three will not require a proxy, but might require you to keep the Web Appbuilder version in sync with the Github LocalLayer Widget. I also believe that item three will not have any 1's and 0's going to agol either during client sessions.

  1. AGOL Web Appbuilder (download your code after configuration in AGOL). -- The example below
  2. Developer Edition Web Appbuilder
  3. Developer Edition Web Appbuilder with LocalLayer Widget :  Bypassing AGOL Items

Here's the variables:

---------------------------------------------------------

1. The Proxy Config:

<?xml version="1.0" encoding="utf-8" ?>

<ProxyConfig allowedReferers="*"

             mustMatch="true">

    <serverUrls>

        <serverUrl url="https://services.arcgisonline.com"

                   matchAll="true"/>

  <serverUrl url="https://mysite.com"

           matchAll="true"

           />

    

  <serverUrl url="https://myorg.maps.arcgis.com/"

    clientId="1111111111111111"

    clientSecret="22222222222222222222222222222222"

  oauth2Endpoint="https://myorg.maps.arcgis.com/sharing/oauth2/"

    rateLimit="600"

    rateLimitPeriod="60"

    matchAll="true">

</serverUrl>

</serverUrls>

</ProxyConfig>

<!-- See https://github.com/Esri/resource-proxy for more information -->

--------------------------------------------------------------

2. The Json code to add at the end of your config.json

"httpProxy" : {

  "useProxy" : true,

  "url" : "https://mysite.com/DotNet/proxy.ashx",

  "alwaysUseProxy" : false,

  "rules" : [{

  "urlPrefix" : "https://myorg.maps.arcgis.com/",

  "proxyUrl" : "/DotNet/proxy.ashx"

  }

  ]

  }

-------------------------------------------------------------------------------------------------------------

3. The Requisite Configurable App Registration Information on AGOL

URL: https://mysite.com/mywebapp

API: JavaScript

App Type: browser

Purpose: Configurable

Redirect URI's: http://mysite.com, https://mysite.com

View solution in original post

20 Replies
AlexMahrou
Occasional Contributor

BUMP

0 Kudos
ZhifangWang
Esri Regular Contributor

Hi Alex,

The reason why you can see the agol popup(oAuth2 authentication dialog indeed) is because your webmap or some layers in the webmap is not shared to public. Otherwise no authentication dialog will appear.

To remove the oAuth2 authentication dialog, it means on every request to private resources in your deployed app(private webmap or private layers in webmap) have to come along with a valid token. This can be done by putting a proxy which has valid token in it  in front of your deployed app, as long as the end users visit the deployed app through the proxy(indeed end users will not know the real url of the app), then no security challenge will occur to end user.

To achieve your goals, you need do following things:

  1. In your proxy file, write server code to process all requests to the private resources. Specifically, identify all requests that need token, and concatenate valid token to those requests.
  2. In your proxy file, write server code to refresh the token if it’s expired.
  3. Put your own IIS security challenge before the proxy, which also needs some code.

By the way, you've mentioned proxy.config and <ProxyConfig> tags, I assume you're using the sample proxy file from esri’s github. This proxy file is just too simple for you to achieve above goals, more server code is needed.

AlexMahrou
Occasional Contributor

Zhifang,

My only need is to remove the first popup for the agol map item authentication. There are no subsequent popups as this resides on my web server within my domain and I am using web auth tier security for the services referenced within.

I am in disagreement that there is much code needed server side. Otherwise why would you be able to register an application so easily with Esri? All I need to know is the json code to put in the end of my applications config.json and the proxy.config settings that will utilize the following variables:

clientid, appsecret, url: https://mywebserver/webapp

My proxy is located here: https://mywebserver/DotNet/proxy.ashx

I've provided the variables, I wonder if someone knows the answer...

ZhifangWang
Esri Regular Contributor

Hi Alex,

Registering an app in ArcGIS Online or Portal is mainly for oAuth2 authentication purpose, as soon as you got the Client ID and Client Secret, you have to exchange a valid token for your private resources by yourself. ArcGIS Online Authentication | ArcGIS for Developers

How the "proxy" part in config.json file works can be found here: Use proxy—Web AppBuilder for ArcGIS | ArcGIS. For your scenario, I think you have to write some server code in your proxy file to identify the requests to private resources and append valid token (it's your responsibility to get a valid token, also needs server code)  to those requests at least. In "proxy" part of config.json file, you may want to set some rules to reduce the unnecessary request passing to your proxy.

Hope this helps.

AlexMahrou
Occasional Contributor

Thank you Zhifang, but my services are using Web Tier authentication (Not GIS Tier with Tokens), as I have mentioned in the first post. The application sits on my web server. Thus the only thing that I would need to remove is the ArcGIS item popup. I have looked at the use proxy link that you have provided. I was just curious what the code in the proxy config would look like given my variables. I guess you don't know that. 😉

KellyHutchins
Esri Frequent Contributor

Alex,

Are you using the .NET proxy from github? If so you'll find info on the various options for configuring your proxy in the readme.

resource-proxy/README.md at master · Esri/resource-proxy · GitHub

0 Kudos
RyanStrain
New Contributor III

I would also like a little more clarity on the tags required in the config.json and proxy if someone can provide it? Possibly an example of each showing application level authentication?

This is what I'm using and it's probably not correct-

proxy-

<serverUrl url="http://adacountyitgis.maps.arcgis.com/"

    oauth2Endpoint="https://www.arcgis.com/sharing/oauth2"

    clientId="*****************"

    clientSecret="***********************************"

    rateLimit="600"

    rateLimitPeriod="60"

    matchAll="true">

      </serverUrl>

json-

"wabVersion":"1.1","isWebTier":false,"httpProxy":{"useProxy":true,"alwaysUseProxy":false,"url":"http://arcg.is/1vh66cC","rules":[{

  "urlPrefix": "http://adacountyitgis.maps.arcgis.com/",

  "proxyUrl": "http://mywebserver/proxy4/proxy.ashx"

  }]},"appId":"************************"}

If anyone could tell me what is missing, what should be removed or changed, it would be appreciated.

Thanks,

Ryan

MatthewCarey
Occasional Contributor

Alex, I share your frustration, it seems like it should be fairly simple.

Would someone be able to answer whether the scenario below is possible, and if so, how with the minimum of fuss?  (my apologies for the lousy presentation).

I have already achieved it *except* that a sign-in screen is popping up, and if all users are being forced to sign in, I might as well just send them straight to ArcGIS Online!

Btw the web server is not public-facing.

IsThisPossible.jpg

AlexMahrou
Occasional Contributor

Okay, my reply is long overdue. But I have reached resolution!

I attempted to follow the documentation for the DotNet proxy on GitHub by inspecting examples and also followed the instructions here : on the "Manage Apps" section on the docs.arcgis.com site

In actuality there are three workflows that I've found. Items one and two will necessitate a proxy if you are to utilize AGOL items and wish to employ your web server's security. Item three will not require a proxy, but might require you to keep the Web Appbuilder version in sync with the Github LocalLayer Widget. I also believe that item three will not have any 1's and 0's going to agol either during client sessions.

  1. AGOL Web Appbuilder (download your code after configuration in AGOL). -- The example below
  2. Developer Edition Web Appbuilder
  3. Developer Edition Web Appbuilder with LocalLayer Widget :  Bypassing AGOL Items

Here's the variables:

---------------------------------------------------------

1. The Proxy Config:

<?xml version="1.0" encoding="utf-8" ?>

<ProxyConfig allowedReferers="*"

             mustMatch="true">

    <serverUrls>

        <serverUrl url="https://services.arcgisonline.com"

                   matchAll="true"/>

  <serverUrl url="https://mysite.com"

           matchAll="true"

           />

    

  <serverUrl url="https://myorg.maps.arcgis.com/"

    clientId="1111111111111111"

    clientSecret="22222222222222222222222222222222"

  oauth2Endpoint="https://myorg.maps.arcgis.com/sharing/oauth2/"

    rateLimit="600"

    rateLimitPeriod="60"

    matchAll="true">

</serverUrl>

</serverUrls>

</ProxyConfig>

<!-- See https://github.com/Esri/resource-proxy for more information -->

--------------------------------------------------------------

2. The Json code to add at the end of your config.json

"httpProxy" : {

  "useProxy" : true,

  "url" : "https://mysite.com/DotNet/proxy.ashx",

  "alwaysUseProxy" : false,

  "rules" : [{

  "urlPrefix" : "https://myorg.maps.arcgis.com/",

  "proxyUrl" : "/DotNet/proxy.ashx"

  }

  ]

  }

-------------------------------------------------------------------------------------------------------------

3. The Requisite Configurable App Registration Information on AGOL

URL: https://mysite.com/mywebapp

API: JavaScript

App Type: browser

Purpose: Configurable

Redirect URI's: http://mysite.com, https://mysite.com