@rgwozdz
Last active April 24, 2018 14:54
Network details for AGOL secured service authentication and authorization

Network details during an AGOL session for adding a "secured item" to Content

1. ArcGIS checks the resource server URL to see if it's secure

Request GET https://www.arcgis.com/sharing/rest/portals/checkurl

GET params:

{ 
   url: https://<resource-server-root-url>/rest/services/Hosted/cb_2017_us_state_500k/FeatureServer?f=json
   f: json
   token: W3ZksB2BMmt00w00qxCDRBgY7TfkfGjWshKnFepyLFMMpqdapAkmPGqg4-Ewymn4zf-5rhMTali3hsr_yWFRCuAhQp7avtdfwENhMwL3bQ8U4wuf3gSK-2qLeH9ixIj2
}

Response 200

{  
  "success":false,  
  "error": {  
    "message":"Http StatusCode: -1, Error checking resource:-       https://<resource-server-root-url>/rest/services/Hosted/cb_2017_us_state_500k/FeatureServer?f=json"  
  }  
}

2. Checks the resource server's rest/info

Request GET https://<resource-server-root-url>/gis/rest/info?f=json

Response 200

{
  "currentVersion": 10.61,
  "fullVersion": "10.6.1",
  "soapUrl": "https://<resource-server-root-url>/services",
  "secureSoapUrl": null,
  "owningSystemUrl": "https://<portal-auth-server-domain>/<web-adaptor>", //https://portalhostds.ags.esri.com/gis
  "authInfo": {
    "isTokenBasedSecurity": true,
    "tokenServicesUrl": "https://<portal-auth-server-domain>/<web-adaptor>/sharing/rest/generateToken"
  }
}

3. Check resource server's FeatureServer info service

Request GET https://<resource-server-root-url>/rest/services/Hosted/cb_2017_us_state_500k/FeatureServer?f=json

Response 200

{
  "error": {
    "code": 499,
    "message": "Token Required",
    "details": []
  }
}

Credential inputs appear -> on credential addition

1. Authorization Request to auth server by browser; POST to the tokenServicesUrl delivered in the rest/info response above

Request POST https://<auth-server>.ags.esri.com/gis/sharing/generateToken

POST body params

{
  request: "getToken",
  username: "username",
  password: "password",
  expiration: 60,
  referer: "www.arcgis.com",
  f: "json"
}

Response 200

{
  "token":"elS39KU4bMmZQgMXDuswgA14vavIp4mfpiqcWSr0qM6q4dFguTnnHddWqbpK5Mc3HsCN8XghlwawUUYApOOcxKNyg_9WqTofChJXxxD058_rL1HZkM5PDhUOh9YYQn1K",
  "expires":1524508236322,
  "ssl":false
}

2. Grant request to the authorization server using the auth token from the last request. Note that the URL is the same as in the previous request but with different query params. Responds with an access token.

Request GET https://<auth-server>.ags.esri.com/gis/sharing/generateToken

GET params:

{
  request: getToken
  serverUrl: https://serverhostds.ags.esri.com/gis/rest/services/Hosted/cb_2017_us_state_500k/FeatureServer
  token: elS39KU4bMmZQgMXDuswgA14vavIp4mfpiqcWSr0qM6q4dFguTnnHddWqbpK5Mc3HsCN8XghlwawUUYApOOcxKNyg_9WqTofChJXxxD058_rL1HZkM5PDhUOh9YYQn1K
  referer: www.arcgis.com
  f: json
}

Response 200

{
  "token":"gI-rq-0UfaRC9Th3keGh-ndEk60wqHhTCOp5yI_-4_ZCpX3Oo7P2-9L2trtYeX5LsZEY4mvkvnh79Af_gBwPw3R56SKVBKU-vcKkXqXJONnVmon0LN1u-vZkgPq5sccd",
  "expires":1524508236322,
  "ssl":false
}

3. Request to the resource server's FeatureServer service, with the access token from above.

Request GET https://<resource-server>.ags.esri.com/gis/rest/services/Hosted/cb_2017_us_state_500k/FeatureServer

GET params:

{
  f: json
  token: gI-rq-0UfaRC9Th3keGh-ndEk60wqHhTCOp5yI_-4_ZCpX3Oo7P2-9L2trtYeX5LsZEY4mvkvnh79Af_gBwPw3R56SKVBKU-vcKkXqXJONnVmon0LN1u-vZkgPq5sccd
}

Response 200

Typical service info JSON response

On dialog "add item" button click

Repeat of the FeatureServer and access token requests/responses from the last section, followed by typical FeatureServer/:id and FeatureServer/:id/query requests, all with the access token added to the request as the token parameter. NOTE - no requests used the Authorization header for transporting a Bearer-prefixed token. All tokens were sent as GET params.
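
Because the tokens travel as GET params, they are normally written to web-server and proxy access logs along with the rest of the URL. The following is an added example, not part of the original gist: it replaces token values in log lines with a short hash and flags tokens presented from more than one client IP. The log lines, token values and function names are constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

# A `token` query parameter anywhere in a log line (request line or Referer field).
TOKEN_RE = re.compile(r'([?&]token=)([^&\s"]+)', re.IGNORECASE)

def fingerprint(token: str) -> str:
    """Short SHA-256 prefix: correlates log lines without keeping the token itself."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]

def scrub_line(line: str) -> tuple[str, list[str]]:
    """Replace each token value with its fingerprint; also return the fingerprints."""
    seen: list[str] = []

    def _sub(match: re.Match) -> str:
        fp = fingerprint(match.group(2))
        seen.append(fp)
        return f"{match.group(1)}[sha256:{fp}]"

    return TOKEN_RE.sub(_sub, line), seen

def tokens_from_multiple_clients(lines: list[str]) -> dict[str, set[str]]:
    """Map fingerprint -> client IPs for tokens presented by more than one IP."""
    clients: dict[str, set[str]] = defaultdict(set)
    for line in lines:
        ip = line.split(" ", 1)[0]  # first field of common/combined log format
        for fp in scrub_line(line)[1]:
            clients[fp].add(ip)
    return {fp: ips for fp, ips in clients.items() if len(ips) > 1}

# Constructed sample: combined-log-format lines with made-up token values.
_PATH = "/gis/rest/services/Hosted/cb_2017_us_state_500k/FeatureServer"
_FMT = '{ip} - - [23/Apr/2018:18:00:0{n} +0000] "GET {url} HTTP/1.1" 200 512 "{ref}" "-"'
SAMPLE_LOG = [
    _FMT.format(ip="198.51.100.10", n=1, url=_PATH + "?f=json&token=EXAMPLE-TOKEN-AAA", ref="-"),
    _FMT.format(ip="198.51.100.10", n=2, url=_PATH + "/0/query?token=EXAMPLE-TOKEN-AAA&f=json", ref="-"),
    _FMT.format(ip="203.0.113.77", n=3, url=_PATH + "/0?f=json&token=EXAMPLE-TOKEN-AAA", ref="-"),
    _FMT.format(ip="192.0.2.5", n=4, url="/gis/rest/info?f=json",
                ref="https://app.example/viewer?token=EXAMPLE-TOKEN-BBB"),
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(scrub_line(entry)[0])
    print(tokens_from_multiple_clients(SAMPLE_LOG))
```

A token seen from several IPs is a prompt for review rather than proof of misuse; NAT and mobile clients produce the same pattern.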
