Hi,
Bit of background: we have a SPA (single page application) at the frontend, and the backend is running on NodeJS. When a user opens the application, the app will authenticate the user based on the route to a relevant portal. E.g. if he opens the route that lists the AGOL related content, the application will prompt an OAuth 2.0 sign-in for that portal (unless he is already signed in). So there are multiple portals and the application is conveniently switching between the different portal accounts for the user using the application, and the application has all the tokens generated by the OAuth process available.
We also have a back-end, which can be harvesting some data in the background from different portals using mainly the admin accounts, or accounts that are usually of the top-privileged roles, and this all works well.
However, I'd like to add an authenticating middleware on our NodeJS API that would take the user's token (the SPA will provide this token) and possibly a username, and I'd like to be able to verify this token/username with the ArcGIS Portal. Is there a way to do it?
Ideally I'd like to have an endpoint in the portal to which I can provide the token coming from the user, and the portal would tell me it's this user and the token is valid. I can then gather what I need about the user and either allow the code to execute further or raise 401.
Any ideas?
Thank you!
Hi, please take a look at
Portal Self—ArcGIS REST API: Users, groups, and content | ArcGIS for Developers
which will return you
"user": {
  "username": "<username>",
  "id": "<id>",
  "fullName": "<first name> <last name>",
  "availableCredits": <available credits>,
  "assignedCredits": <allocated credits>,
  "firstName": "<first name>",
  "lastName": "<last name>",
  "preferredView": "Web" | "GIS" | null,
  "description": "<description>",
  "email": "<email address>",
  "idpUsername": "<username>",
  "favGroupId": "<group id>",
  "lastLogin": <date of user last login shown in UNIX time>,
  "mfaEnabled": true | false,
  "access": "private" | "org" | "public",
  "storageUsage": <storage used - bytes>,
  "storageQuota": <storage quota - bytes>,
  "org id": "<organization id>",
  "role": "org_admin" | "org_publisher" | "org_user",
  "privileges": [
    "<privilege1>",
    "<privilege2>",
    "<privilege3>"
    ...
  ],
  "disabled": true | false,
  "userLicenseTypeId": "<user license type id>",
  "units": "english" | "metric",
  "tags": [
    "<tag1>",
    "<tag2>"
  ],
  "culture": "<culture code>",
  "region": "<region>",
  "thumbnail": "<file name>",
  "created": <date created shown in UNIX time>,
  "modified": <date modified shown in UNIX time>,
  "provider": "arcgis" | "enterprise" | "facebook" | "google"
},
I can't believe I haven't thought of that, had it right under my nose! Thanks
@Anonymous User @VictorTey
This lets you verify the username, but how do you verify the token? Did you find a way?
I know it's old, but maybe it will help someone.
If you send an invalid token in a request to the endpoint mentioned by @VictorTey, you will get error code 498 (invalid token), and if you do not give a token at all, then the "user" part of the JSON won't be present. So you can use this endpoint to validate a token and get info about the user it was issued for.
/portals/self is (or can be?) an unprotected resource so the accepted answer may not work.
What they likely meant was /community/self
https://developers.arcgis.com/rest/users-groups-and-items/self/
which is the authenticated user's info
Note that if you try to access a protected resource unauthenticated, you still get HTTP/200. It's only the response content that indicates the problem:
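Added example, not part of any reply in this thread and not Esri's code: a Node.js check that decides from the response body rather than the HTTP status, covering the cases raised above (error code 498, no user in the response, username mismatch). The names `PORTALS`, `classifySelfResponse` and `verifyPortalToken`, the `/sharing/rest` prefix, the POST form encoding and the sample bodies in the comments are assumptions.

```javascript
// Added example; PORTALS, classifySelfResponse and verifyPortalToken are hypothetical names.
// Server-side allowlist: never take the portal URL from the client, or the
// user's token could be forwarded to a host the caller controls.
const PORTALS = new Map([['agol', 'https://www.arcgis.com']]);

// Decide on the parsed JSON body, not the HTTP status: the portal answers
// HTTP 200 even for a bad token and reports the failure inside the body,
// e.g. (constructed sample) {"error":{"code":498,"message":"Invalid token."}}.
function classifySelfResponse(body, claimedUsername) {
  if (!body || typeof body !== 'object') {
    return { ok: false, status: 502, reason: 'bad portal response' };
  }
  if (body.error) {
    const code = body.error.code;
    // 498 = invalid token (from the thread); 499 = token required.
    const status = code === 498 || code === 499 ? 401 : 502;
    return { ok: false, status, reason: `portal error ${code}` };
  }
  // /portals/self nests the user under "user"; /community/self returns it at top level.
  const user = body.user || body;
  if (typeof user.username !== 'string' || user.username === '') {
    return { ok: false, status: 401, reason: 'no user in response' };
  }
  if (user.disabled === true) return { ok: false, status: 401, reason: 'account disabled' };
  if (claimedUsername !== undefined && claimedUsername !== user.username) {
    return { ok: false, status: 401, reason: 'username mismatch' };
  }
  const { username, role, privileges = [] } = user;
  return { ok: true, status: 200, user: { username, role, privileges } };
}

// fetchImpl is injectable so the check can be exercised without a network.
async function verifyPortalToken(portalKey, token, claimedUsername, fetchImpl = fetch) {
  const base = PORTALS.get(portalKey);
  if (!base || typeof token !== 'string' || token === '') {
    return { ok: false, status: 401, reason: 'unknown portal or missing token' };
  }
  // POST keeps the token out of URLs and therefore out of access logs.
  const res = await fetchImpl(`${base}/sharing/rest/community/self`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ f: 'json', token }).toString(),
  });
  let body = null;
  try { body = await res.json(); } catch (_) { /* non-JSON body is rejected below */ }
  return classifySelfResponse(body, claimedUsername);
}
```

In an API middleware, call `verifyPortalToken` with the portal key for the route and the token the SPA sent, then respond with `result.status` when `result.ok` is false.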