use existing token with javascript API

Discussion created by eliprandi on Feb 21, 2013
Latest reply on Feb 22, 2013 by eliprandi
We are using v3.1 at the moment. We are building a 3-tier app with an ASP.NET MVC 4 website in the middle. We are trying to secure our ArcGIS Server 10.1 REST endpoints. We turned on security on the server and verified that credentials are required and work properly.

Our users will be authenticated using the ASP.NET membership provider. We have verified that this works properly. Our goal is to authenticate our MVC app with the ArcGIS Server REST endpoints so that users only have to authenticate with the MVC app, not with the AGS. All AGS requests between MVC and the REST services will be authenticated using a single user. We have verified that the MVC is properly requesting its token(s) and successfully accessing data on the AGS using the provided token.

In order to display data from the AGS directly onto the client, like map data, without going through the MVC piece, we need to pass a token back to the client so it can be used to authorize its requests. We do not want to pass login/password info to the client.
We have been browsing around this forum all day and while we have found hints into what we should be doing, none of the solution seem to work (some are using older APIs, etc.).

We are under the impression that we should be using esri.IdentityManagerBase(), but the documentation on that subject is sub-par and we can't seem to understand how to take advantage of this. It seems that we need to "intercept" the request for a token from the client for the specified server and return our token information instead. How do we accomplish this?

Thanks in advance for any help or pointers,