I'm having some pesky problems implementing some authentication for my JS App (which is hosted on an internal web server). I thought that I could follow the Application login workflow (create application in Portal, use OAuthInfo class with appId to authenticate user to my Portal and gain access to my app) to allow only specific users to access my application as long as I set the security (through Portal) of my Web Mapping Application item to one of my Portal security groups. Turns out it doesn't matter if the Web Mapping Application is shared with everyone or no one - if my JS web app has the appId, any user can log in to my application.
So the only way (seemingly) to allow only some users access to my application is to restrict the _layers_ in my app to specific groups and use the IdentityManager class to challenge a user, etc. I like how the API handles much of this workflow without much extra coding - if my app tries to add a restricted layer to the map (map.addLayers([restrictedLayer1, layer2])), the user is prompted to sign in. However, sometimes those restricted layers are not added until after a bunch of other stuff happens (DOM parsing, widget instantiation, etc.).
I would like to make sure the user has access to those secured layers before anything else happens, especially before my app gets to the point where it is trying to add those secured layers to the map. I don't know how to do this. What classes and methods should I use to challenge a user and determine if that user has access to a specific restricted layer? I tried using the IdentityManager getCredential method, where the URL is my restricted layer endpoint, but that didn't work. Any suggestions?