AppLogin for secure data (Android Runtime SDK)

08-05-2020 12:36 AM
БелыйАлександр
New Contributor

Hello!
I need your help. I want to access protected ArcGIS data online (such as layers and squares) using an AppLogin and Android Runtime SDK approach (not showing an authorization window to the user), because the user has already been authorized in my application. It was mentioned here (https://community.esri.com/ideas/10944) that you can enable it.

Please tell me if there are now options for solving my problem?

If there are, please help.

0 Kudos
5 Replies
Nicholas-Furness
Esri Regular Contributor

I've implemented a way to get a token using AppLogin for iOS in Swift. Other customers have had success translating this approach to Android. Hopefully it will help: App ID (swift codable) · GitHub

NOTE: It is currently against our terms and conditions to use App Login to access private data services. App Login is intended to allow access to our value add services such as routing, analysis, etc. But we realize that there are some valid use cases where private data access via App Login is desirable and we're assessing this condition.

In the meantime, you could consider creating ArcGIS Online layers with embedded credentials. See this document: ArcGIS Server web services—ArcGIS Online Help | Documentation 

In short, for each private layer you create a new ArcGIS Online item that combines the service URL for the layer with embedded credentials. You can then go to the item settings for the new item and limit access by specifying referer URLs. Then share the item publicly and ensure your app uses the correct referer URL.

Here I've created a version of the traffic layer with embedded credentials:

Then I went into the new item's settings, shared it publicly, and limited access by referer:

Lastly, in my app, I set the "Referer" for requests on that layer to match the text above. You do this by setting a RequestConfiguration and calling setHeaders(). You could modify the global RequestConfiguration if you prefer, but in this case I wanted to be more explicit. Here's how I do this in Swift with the ArcGIS Runtime SDK for iOS. It should work the same for Android:

// Load the layer from the public item that wraps the service with stored credentials.
let layer = AGSArcGISMapImageLayer(item: AGSPortalItem(portal: .arcGISOnline(withLoginRequired: false),
                                                       itemID: "<ITEM ID TO MY NEW ITEM WITH STORED CREDENTIALS>"))
// Copy the global request configuration and attach the Referer to this layer only.
if let rc = AGSRequestConfiguration.global().copy() as? AGSRequestConfiguration {
  rc.userHeaders = ["Referer": "myCustomApp://iCanUseStoredCredentials"]
  layer.requestConfiguration = rc
}

You would choose a Referer string of your own that's kept secret. And you should decide for yourself if this provides enough security for your data. If that referer string and the item ID/URL leak, then anyone with that info could access the service.

0 Kudos
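An Android (Java) counterpart of the per-layer Referer approach described in the reply above, as an added example that is not part of the original post or Esri's own code. It assumes the 100.x ArcGIS Runtime SDK for Android classes `Portal`, `PortalItem`, `ArcGISMapImageLayer` and `RequestConfiguration`; the class name `RefererRestrictedLayers` and its parameters are hypothetical.

```java
import com.esri.arcgisruntime.io.RequestConfiguration;
import com.esri.arcgisruntime.layers.ArcGISMapImageLayer;
import com.esri.arcgisruntime.portal.Portal;
import com.esri.arcgisruntime.portal.PortalItem;

import java.util.HashMap;
import java.util.Map;

/** Hypothetical helper; the name is an assumption and not part of the SDK. */
public final class RefererRestrictedLayers {

    private static final String ARCGIS_ONLINE_URL = "https://www.arcgis.com";

    private RefererRestrictedLayers() {}

    /**
     * @param itemId  ID of the public item that stores the embedded credentials
     * @param referer value configured in the item's referer restriction; passed in
     *                by the caller so it is not a string literal in this class
     */
    public static ArcGISMapImageLayer create(String itemId, String referer) {
        if (itemId == null || itemId.isEmpty()
                || referer == null || referer.isEmpty()) {
            throw new IllegalArgumentException("itemId and referer are required");
        }

        // Anonymous portal connection: no sign-in prompt is shown to the user.
        Portal portal = new Portal(ARCGIS_ONLINE_URL, false);
        ArcGISMapImageLayer layer =
                new ArcGISMapImageLayer(new PortalItem(portal, itemId));

        Map<String, String> headers = new HashMap<>();
        headers.put("Referer", referer);

        // Attach the header to this layer only. The global RequestConfiguration
        // is left untouched, so the Referer value is not added to requests made
        // by other layers or services in the app.
        RequestConfiguration rc = new RequestConfiguration();
        rc.setHeaders(headers);
        layer.setRequestConfiguration(rc);
        return layer;
    }
}
```

The Referer value still ships to the device in some form, so the caveat in the reply applies unchanged: it restricts casual reuse of the public item, not a determined reader of the app package or its traffic.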
by Anonymous User
Not applicable

This may not help this situation, but with internal ArcGIS Portal you would use the same credentials to login as you would use for federated services.  I have an Android application I wrote that does this exact thing with internal portal and relevant federated services.  This alleviates the issue of having to have users enter in credentials multiple times.

0 Kudos
БелыйАлександр
New Contributor

Hello!!
Could you please share your solution?

0 Kudos
БелыйАлександр
New Contributor

Hi, thanks for the answer!
Please tell me, what about direct access to ArcGIS Online (not to the service)? I need it to download areas (in this case, I provide the link to the portal and id maps - https://developers.arcgis.com/android/latest/guide/take-map-offline-preplanned.htm). Can I access the areas using AppLogin?

0 Kudos
Nicholas-Furness
Esri Regular Contributor

Hi.

In general, yes, you can use App Login to work directly with ArcGIS Online. However, when you are dealing with sharing between groups and organizations, you may encounter limitations (think of App Login as designed for targeted direct access, without a particular user identity behind it).

Unfortunately there is currently a limitation in ArcGIS Online which prevents the preplanned offline workflow working with App Login. We're investigating and I'm hoping that we can get this resolved with the next update to ArcGIS Online.

0 Kudos