Chris,
We have a Sign-In widget in WAB app which loads at the startup covering the app viewport. This widget ask for AGOL credentials and authenticate with the AGOL account that is set in the WAB configuration.
_signIn: function(userName, password) {
if(!userName || !password) return;
var serverInfo = new ServerInfo();
serverInfo.server = this.appConfig.portalUrl;
serverInfo.tokenServiceUrl = this.appConfig.portalUrl + "/sharing/rest/generateToken";
var userInfo = {
username: userName,
password: password
}
var def = window.esri.id.generateToken(serverInfo, userInfo);
def.then( lang.hitch(this, this._signInComplete), lang.hitch(this, this._signInFailed));
}
The benefits of using this design is that the user, roles and groups can be easily managed on AGOL or AGS. And Sign-In UI can be styled as desired.
OAuth authentication can also be used but. We observed that OAuth authentication using IdentityManager does not provide much flexibility with the UI. Though IdentityManagerBase can be used to modify the style of the UI but it redirects to AGOL oauth, therefore the overlay effect is lost.
-Girish