
Authentication in Mobile or Wpf App directly with a refresh token

11-10-2022 01:02 AM
SquarecodeDeveloper
New Contributor II

I am working off this example code to build my app
https://github.com/Esri/arcgis-runtime-samples-dotnet/blob/main/src/WPF/ArcGISRuntime.WPF.Viewer/Sam...
https://github.com/Esri/arcgis-runtime-samples-dotnet/blob/main/src/WPF/ArcGISRuntime.WPF.Viewer/Hel...

This code pops up an ArcGIS Online login screen to authenticate the user. Instead, I want to supply it with a RefreshToken that I got elsewhere (specifically, I have a web site which also authenticates to ArcGIS Online's OAuth login system). My app is paired with the website using my own mechanism to link the two and share data between them. My goal is to not require the user to keep logging into ArcGIS whenever they view a map (which this example seems to do) and minimise the number of logins full stop.

This answer seems to describe a scheme that would work in the JavaScript library, but I cannot find the registerToken method in C#:
https://community.esri.com/t5/arcgis-api-for-javascript-questions/how-to-authenticate-using-only-a-t...


Accepted Solutions
MichaelBranscomb
Esri Frequent Contributor

I've asked our internal security guild for some guidance, but my initial concern with this approach would be that it may go against the OAuth 2 spec, perhaps conflicting here: OAuth 2.0 Security Best Current Practice (ietf.org)?


2 Replies
SquarecodeDeveloper
New Contributor II

A bit of looking through examples and reading the docs implies that

OAuthTokenCredential oauth2Token = new OAuthTokenCredential(new Uri(url), access_token);
AuthenticationManager.Current.AddCredential(oauth2Token);


would prevent the OAuth2 windows from popping up in the above case if I had a valid access_token for it. Is this correct?
