
Are REST endpoints secured with REST tokens and applications secured with OAuth?

Question asked by vandervoort on Apr 27, 2016
Latest reply on Apr 29, 2016 by vandervoort

I've wallowed through probably all of Esri's online documentation regarding security and I am still not clear on this.


What I want to do is use REST to query a secure feature service. This all happens in node.js. In order to do this I need to obtain a token by passing a username/password to the token dispenser, then append the token to the URL I am using to make my REST call. I know I can do this.


What we don't like about this is that it uses a named user - which has, um, unpleasant issues I've discussed elsewhere on this forum.


I'm still trying to wrap my head around OAuth. I see that I can register an app with OAuth, which gives me a client_id and client_secret. I use those to obtain an access_token, which I can use to... well... I'm not exactly sure what I can use it for.


I do know that I cannot use it to fire queries at the feature service REST endpoint.


If it were a perfect world I'd have my feature layer secured in a manner in which I can create a security to it using a client_id and client_secret. Or did I miss something...? Can I access a feature service with REST using a client_id and client_secret and if so, then how?


So, my question is that, in general, and in the world of ArcGIS Server and Portal, REST endpoints are secured with REST tokens and registered apps are secured with OAuth and can be accessed with an access_token obtained with the client_id and client_secret, correct?


Just checkin...
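
The username/password token flow described in the post, sketched for Node.js as an added example (not the poster's code and not Esri's own): request a token, check the response body for an error, reuse the token until it nears expiry, and append it to the query URL. The `/sharing/rest/generateToken` path, the `client=requestip` binding, the response fields and the `/query` parameters are assumptions about a Portal deployment; host names and credentials are constructed placeholders.

```javascript
// Added example: paths and parameter names are assumptions, not taken from the post.
const SKEW_MS = 60_000; // treat a token as expired one minute early

// Credentials travel in a POST body, not the URL, so they stay out of access logs.
function buildTokenRequest(portalUrl, username, password) {
  const body = new URLSearchParams({
    username, password, client: 'requestip', expiration: '60', f: 'json',
  });
  return {
    url: portalUrl.replace(/\/+$/, '') + '/sharing/rest/generateToken',
    init: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    },
  };
}

// The service can answer HTTP 200 with an error object, so inspect the body itself.
function parseTokenResponse(json) {
  if (!json || json.error || typeof json.token !== 'string') {
    const msg = json && json.error ? json.error.message : 'no token in response';
    throw new Error('token request failed: ' + msg);
  }
  return { token: json.token, expires: Number(json.expires) }; // expires: epoch ms
}

function isFresh(tok, now = Date.now()) {
  return Boolean(tok) && now < tok.expires - SKEW_MS;
}

// Append the token to the query URL, as the post describes. A token in a URL is
// written to logs along the way, which is why the lifetime above is kept short.
function buildQueryUrl(layerUrl, where, token) {
  const u = new URL(layerUrl.replace(/\/+$/, '') + '/query');
  u.search = new URLSearchParams({ where, outFields: '*', f: 'json', token }).toString();
  return u.toString();
}

let cached = null; // one token reused until it nears expiry

async function queryFeatures(cfg, where, fetchImpl = fetch) {
  if (!isFresh(cached)) {
    const req = buildTokenRequest(cfg.portalUrl, cfg.username, cfg.password);
    cached = parseTokenResponse(await (await fetchImpl(req.url, req.init)).json());
  }
  const res = await fetchImpl(buildQueryUrl(cfg.layerUrl, where, cached.token));
  return res.json();
}
```

`queryFeatures` takes the fetch implementation as a parameter so the flow can be exercised against a stub; the service account password should come from the process environment or a secret store rather than source code.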