I am aware the EsriHttpClient class would include the token in requests made to ArcGIS Online, but I want to make requests to a service which uses ArcGIS Online for authorization, so I need to use the actual token.
Hi Tung Nghiem,
Currently there is no public API to hand out a token to the user. We are still evaluating the need to do so, given that we have provided EsriHttpClient class which should internally append token to requests if needed.
Can you give more details on why you need the token and what you are exactly trying to do?
Thank you for your reply.
The reason we need access to the token is because we want to use the ArcGIS Online user authorization and management capabilities with our service, rather than developing our own. The user would log in once with their ArcGIS Online credentials (in the web app or ArcGIS Pro), and then they will have access to both their ArcGIS Online data, as well as their data on our service.
Hope that makes sense.
I also have a use case for which access to the ArcGIS Online (AGOL) token is required. Our team is prototyping a solution that we intend to deliver after ArcGIS Pro 1.3 is released. We are eagerly awaiting this release for the "solution Based Configuration" presented at Dev summit earlier this year (by Charlie Macleod and Steve van Esch) in order to migrate a .NET runtime application into an ArcGIS Pro solution. We currently have a security model that leverages AGOL authentication to additionally secure our ASP.NET standalone services which in turn access token-secured services from an on premises ArcGIS Server. It is somewhat complex, but necessarily-so for a variety of business reasons. The model works well, and requires only a single sign-on to AGOL in order to provide security to the entire spectrum of services accessed by the client application.
When we migrate to ArcGIS Pro we will require access to the AGOL token via the Pro API in order to pass it to our proprietary services to work with the existing security model. As you mentioned, the EsriHttpClient class internally appends tokens to requests when needed, but I am concerned about two things in that regard:
Given that it is technically possible to examine the HTTP requests post-modification we can envision a hack solution that will allow us to obtain the Token, but we would much prefer to access the token via a sanctioned API method. Please consider augmenting the API with support for this capability.