Hi - In spending the last few months working on securing my operational map services for a variety of use cases, I notice that when I do not wish to bypass the Identity Manager in 3.x / 4.x apps (i.e having the user enter username password into the default form) to generate the necessary tokens, the network traffic shows a token request being sent out like every 15ms. Worse, the user name password is contained in the response.
It's easy enough to set up urlUtils with a proxy rule where I can set an accessToken in my proxy.config, or pass in params using the esriId.registerToken method directly in my map.js, but both of those methods then seem to bypass the Identity Manager form. In certain use cases I wouldn't want to do that.
Do I need to access the form entries and store them as part of a Credential object in a json string? Then maybe set that string variable on the credential property of the feature layer?