AuthenticationManager for secured services internal ArcGIS Server

06-17-2019 12:54 PM
by Anonymous User
Not applicable

I have a question regarding AuthenticationManager when pointed at internal secured services (on internal ArcGIS Token Authentication Service).  Can I use AuthenticationManager against such services in Android?  All the samples I see for Android are used with Portal, not with an individual secured feature service pointed at internal ArcGIS Server.  Getting Portal to authenticate is a breeze as follows....

final AuthenticationChallengeHandler handler = new DefaultAuthenticationChallengeHandler(activity.get());
final OAuthConfiguration oAC = new OAuthConfiguration(urlLogin, Client_ID2, "my-arcgis-app://auth", OAUTH_EXPIRATION_NEVER);
AuthenticationManager.addOAuthConfiguration(oAC);

AuthenticationManager.setAuthenticationChallengeHandler(handler);

I see a couple of methods in .NET which I also cannot seem to get to work in a WPF project that do not seem available in Android....Seems strange I would need to provide a client re-direct for a secured service...Thought that was only for portal?

https://developers.arcgis.com/net/latest/android/guide/use-the-authentication-manager.htm

OAuth authorization

// define server info for an OAuth (authorization code) server
var serverInfo = new ServerInfo
{
    ServerUri = new Uri(ServerUrl),
    TokenAuthenticationType = TokenAuthenticationType.OAuthAuthorizationCode,
    OAuthClientInfo = new OAuthClientInfo
    {
        ClientId = ClientId,
        ClientSecret = ClientSecret,
        RedirectUri = new Uri(RedirectUrl)
    }
};
// register the portal with authentication manager
AuthenticationManager.Current.RegisterServer(serverInfo);

HTTP (integrated Windows authentication) authorization

// Create a hard-coded network credential
ArcGISNetworkCredential hardcodedCredential = new ArcGISNetworkCredential
{
    Credentials = new System.Net.NetworkCredential(NetworkUsername, NetworkPassword, NetworkDomain),
    ServiceUri = new Uri(SecuredPortalUrl)
};
// Add the credential to the AuthenticationManager and report that a non-default credential is being used
AuthenticationManager.Current.AddCredential(hardcodedCredential);

0 Kudos
5 Replies
XuemingWu
Esri Contributor

Hi Aaron,

Yes, you can use AuthenticationManager against a secured service no matter whether it is internal or external. The workflow is similar to the workflow of working with portals. If you only work with services that are secured through token-based authentication, or HTTP such as IWA, you only need the following two lines. When you access a secured service without passing in any credentials, the AuthenticationManager will prompt you for credentials. Once you enter the correct credentials, your secured services will be loaded.

AuthenticationChallengeHandler handler = new DefaultAuthenticationChallengeHandler(activity.get());

AuthenticationManager.setAuthenticationChallengeHandler(handler);

If you want to access your secured services through OAuth, then you need to create an OAuthConfiguration and add it to the manager. More info about AuthenticationManager on Android can be found at this doc.

As for questions related to the .NET SDK, could you please post your questions in the .NET channel, where you can get your questions answered properly?

thanks,

Xueming

0 Kudos
by Anonymous User
Not applicable

Thanks Xueming. That does help clear it up.  How do I pass in the URL of the feature service without OAuthConfiguration?

So on the OAuthConfiguration the part that I do not quite grasp is how to add a client ID to ArcGIS Server and a redirect URI?  Is this even necessary?  In Portal I add in an application and a client id is generated and then I add in the redirect URI.  Do we do something similar on ArcGIS Server?    

for example on Portal I do this...

final OAuthConfiguration oAC = new OAuthConfiguration(urlLogin, Client_ID2, "my-arcgis-app://auth", OAUTH_EXPIRATION_NEVER);

I just tested doing this which returns null when asking the server...

final OAuthConfiguration oAC = AuthenticationManager.getOAuthConfiguration(fsURL);

0 Kudos
XuemingWu
Esri Contributor

To access a service through OAuth, your server should be federated with a portal. Then construct an OAuthConfiguration with the URL of the portal, and the client ID and redirect URI you registered in the portal. You can ask your admin or check it yourself. To check if a server is federated with a portal, you can check the server info, e.g. browse to http://sampleserver3.arcgisonline.com/arcgis/rest/info and you will see something like:

{
  "currentVersion": 10.1,
  "fullVersion": "10.1",
  "soapUrl": "http://server/arcgis/services",
  "secureSoapUrl": "https://server/arcgis/services",
  "owningSystemUrl": "https://www.arcgis.com",
  "authInfo": {
    "isTokenBasedSecurity": true,
    "tokenServicesUrl": "https://server/arcgis/tokens",
    "shortLivedTokenValidity": 60
  }
}

The "owningSystemUrl" will indicate if your server is federated with a portal. The URL is also the URL you pass to create the OAuthConfiguration. If it is empty, then your server is standalone and you won't be able to access your service through OAuth. If you want to federate your server with your portal, go to this guide doc for more detail.

0 Kudos
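The check described in the reply above, as an added example that is not part of the original thread and not Esri code: it reads a `/rest/info` response, picks the sign-in flow the thread describes (OAuth when `owningSystemUrl` is set, a token prompt otherwise) and flags a portal or token URL that is not HTTPS. The function name, the returned field names and the trimmed sample responses are assumptions made for the illustration.

```python
import json
from urllib.parse import urlparse

# Responses in the shape quoted in this thread (hosts are the thread's placeholders).
FEDERATED = '''{"currentVersion": 10.1, "owningSystemUrl": "https://www.arcgis.com",
 "authInfo": {"isTokenBasedSecurity": true,
              "tokenServicesUrl": "https://server/arcgis/tokens",
              "shortLivedTokenValidity": 60}}'''
STANDALONE = '''{"currentVersion": 10.61, "secureSoapUrl": null,
 "authInfo": {"isTokenBasedSecurity": true,
              "tokenServicesUrl": "https://www.etc/tokenauth/tokens/",
              "shortLivedTokenValidity": 60}}'''


def classify_server_info(text: str) -> dict:
    """Decide which sign-in flow a /rest/info response supports."""
    info = json.loads(text)
    auth = info.get("authInfo") or {}
    portal = (info.get("owningSystemUrl") or "").strip()
    token_url = (auth.get("tokenServicesUrl") or "").strip()
    token_based = bool(auth.get("isTokenBasedSecurity"))

    if portal:
        flow = "oauth"    # federated: OAuthConfiguration is built with the portal URL
    elif token_based:
        flow = "token"    # standalone: username/password challenge, no OAuth
    else:
        flow = "other"    # e.g. web-tier (HTTP/IWA) or unsecured

    findings = []
    for name, url in (("owningSystemUrl", portal), ("tokenServicesUrl", token_url)):
        if url and urlparse(url).scheme.lower() != "https":
            findings.append(f"{name} is not HTTPS: {url}")
    if token_based and not token_url:
        findings.append("token security is on but tokenServicesUrl is missing")

    return {"flow": flow, "portal_url": portal or None,
            "token_url": token_url or None, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("federated", FEDERATED), ("standalone", STANDALONE)):
        print(label, classify_server_info(sample))
```
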
by Anonymous User
Not applicable

Hi Xueming,

Yeah it looks like we are not federated currently as looking here... "owningSystemUrl" is missing

I get this response...
{
  "currentVersion": 10.61,
  "fullVersion": "10.6.1",
  "soapUrl": "https://www.etc/tokenauth/services",
  "secureSoapUrl": null,
  "authInfo": {
    "isTokenBasedSecurity": true,
    "tokenServicesUrl": "https://www.etc/tokenauth/tokens/",
    "shortLivedTokenValidity": 60
  }
}
So I guess the question is given that we do not support Windows Authentication (Token only) and the Server is not federated is AuthenticationManager totally not possible? OAuth is definitely out for sure.
I have a method that does work fine although I do view it as less secure than using the AuthenticationManager as I am handling credentials within the application.
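// credentials are created and filled in by the app itself
UserCredentials mAgencyCredentials = new UserCredentials();
mAgencyCredentials.setUserAccount(finalUsername, password);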
final GeodatabaseFeatureServiceTable fsTable = new GeodatabaseFeatureServiceTable(url, mAgencyCredentials, layerID);
0 Kudos
XuemingWu
Esri Contributor

Hi Aaron,

As you said, handling credentials within your app as shown above is less secure. I recommend that you use AuthenticationManager with the DefaultAuthenticationChallengeHandler in your app. Your server is secured by token-based authentication. The DefaultAuthenticationChallengeHandler works totally fine with token-based authentication. After adding the following two lines to your app, AuthenticationManager will show a dialog asking for a username and password when accessing a secured service. Once you enter the correct credentials, your secured service will be loaded.

By default, the AuthenticationManager will prompt you five times before failing to load a layer or table if you keep inputting the wrong credentials. The AuthenticationManager also caches the credentials. You won't be asked for credentials when you access other secured services hosted on the same server.

AuthenticationChallengeHandler handler = new DefaultAuthenticationChallengeHandler(activity.get());

AuthenticationManager.setAuthenticationChallengeHandler(handler);

0 Kudos