I am not looking for a step-by-step (unless you are so inclined to write it)... but rather a big-picture view of this setup.
We have a web app (client) running in the browser that will be making requests against both a NodeJS-based REST service and ArcGIS Server 10.3.1 (or whatever is newest). Because ArcGIS JS API and ArcGIS Server already have a great OAuth2-based authentication system in place, I want the NodeJS service to tie into that same OAuth setup controlled by ArcGIS Server such that if a user authenticates against ArcGIS Server, they can also access the content of the NodeJS service. If they are not authenticated against ArcGIS, then they cannot use the NodeJS service.
I am unclear if ArcGIS and Node need to share some back-end database table of token data, or if I can have the NodeJS service forward the token stuff it gets from the client to ArcGIS Server for checking?
Is it possible to have the client hit the NodeJS service first, and then get redirected to the ArcGIS login prompt if they are not logged in?
Thanks for any thoughts!