
Security model approaches

Question asked by jamesfreddyc on Jan 29, 2019
Latest reply on Feb 15, 2019 by jamesfreddyc

I'm attempting to solve a design problem with one of our ESRI JavaScript (WAB) applications.


Scenario: Web application "A" (non-ESRI) is a business system that opens web application "B" (an ESRI JavaScript app) that is publicly accessible but contains a secured feature service for editing.  Users are authenticated into Web app "A" and we do not want additional challenge for credentials when application "B" is launched from a button within application "A".


So far the most logical design I've come up with is:


1. Have application "A" request a token from the AGS site that the secured feature service is published to using a service account we have designated.

2. When the user opens application "B", application "A" will include that token as a URL parameter, and I have some JavaScript in application "B" that can grab the token and then append it to any requests against that secured feature service.


While this will eliminate any second challenge for credentials, having the token in the URL is not all that desired by our security team.


Any ideas on alternatives?
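Step 2 of the design above, sketched as an added example that is not part of the original post or Esri's code: the token is read from the launch URL, removed from the address bar so it does not persist in history or bookmarks, and attached only to HTTPS requests under the secured feature service. The `token` parameter name, the service URL and all function names are assumptions.

```javascript
// Assumed (constructed) location of the secured feature service.
const SECURED_SERVICE = new URL(
  "https://gis.example.com/arcgis/rest/services/Edits/FeatureServer");

// Read the token from the launch URL and return the same URL without it.
function extractToken(launchUrl) {
  const url = new URL(launchUrl);
  const token = url.searchParams.get("token"); // null when absent
  url.searchParams.delete("token");
  return { token, cleanUrl: url.toString() };
}

// Append the token only when the request is HTTPS, same origin as the
// secured service, and at or below its path. Everything else (basemaps,
// geocoders, third-party hosts) goes out without the token.
function withToken(requestUrl, token, service = SECURED_SERVICE) {
  const url = new URL(requestUrl);
  const base = service.pathname.replace(/\/+$/, "");
  const inScope =
    url.protocol === "https:" &&
    url.origin === service.origin &&
    (url.pathname === base || url.pathname.startsWith(base + "/"));
  if (!token || !inScope) return url.toString();
  url.searchParams.set("token", token);
  return url.toString();
}

// Browser wiring (skipped outside a browser): keep the token in memory
// only and rewrite the address bar before anything else runs.
let sessionToken = null;
if (typeof window !== "undefined") {
  const { token, cleanUrl } = extractToken(window.location.href);
  if (token) {
    sessionToken = token;
    window.history.replaceState(null, "", cleanUrl);
  }
}
```

The initial request for application "B" still carries the token in its URL, so it can appear in web server and proxy logs for that first request.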