Authentication token is not being appended to urls

6436
8
08-20-2015 08:52 AM
JonMorris2
Occasional Contributor II

I'm using javascript api to access some secure map and GP services, but am having a lot of problems with tokens.

Using IdentityManager to generate tokens is working fine, and I can store them off in a cookie or local storage (as in this sample). However, when I try and load a map service, the console shows Error: Token Required and I get a credential popup over the map.

I'm trying to avoid this and have a single sign-on to the site (the user has already signed in on a previous page, so should be able to load services without entering more credentials).

Authenticating a second time in the browser might be ok, but I'm then running some GP services and calls to getResultData fail with the same error.

In both cases, the call stack leads deep into init.js, so attempting to append a token onto the request is not going to work. What am I doing wrong here? If I've authenticated with IdentityManager, shouldn't all subsequent calls have a token attached?

0 Kudos
8 Replies
JonMorris2
Occasional Contributor II

So, I couldn't get IdentityManager to work, but I did update the proxy to get a token from the cookie if none is given. The code can be found here.

GetResultData works now, but when you pass this result as an input into a second GP Service, it still fails before starting. The inputs are valid, but it just returns esriJobFailed - the log doesn't even get as far as "Executing [args], Start Time, etc."

I've run the same services successfully on an unsecured server, so maybe it just doesn't work on a secure server.

0 Kudos
BjornSvensson
Esri Regular Contributor

> If I've authenticated with IdentityManager, shouldn't all subsequent calls have a token attached?

No, the IdentityManager will only use tokens when it thinks it is needed. That's not the same as "all subsequent calls".

JonMorris2
Occasional Contributor II

Bjorn Svensson:

IdentityManager will only use tokens when it thinks it is needed.

Yes, I think that's the problem. IdentityManager is getting it wrong and not appending a token when it should be.

0 Kudos
AndrewMurdoch
Occasional Contributor

Bjorn,

I think I'm seeing similar behavior (Feature Layers are not called with Tokens) with ArcGIS Online.  I DO have an IdentityManager populated with a user token value.

It appears that ArcGIS Online does not check the IdentityManager object before attempting to load Feature Layers without a token (at least for HTTP).  Can you confirm this?

The initial request for a layer looks something like this (the actual layers are accessed via HTTP on an organizational ArcGIS Online account):

     http://servicesX.arcgis.com/ORGANIZATION_CODE/arcgis/rest/services/FEATURESERVICE_NAME/FeatureServer/LAYER_ID_NUMBER?f=json

This request "fails" with this response:
     {"error":{"code":499,"message":"Token Required","messageCode":"GWM_0003","details":["Token Required"]}}

Moments later (immediately it seems) the same request is re-issued with the appropriate token (drawn from the IdentityManager object previously created):

     http://servicesX.arcgis.com/ORGANIZATION_CODE/arcgis/rest/services/FEATURESERVICE_NAME/FeatureServer/LAYER_ID_NUMBER?f=json&token=TOKEN

The second request with the TOKEN value succeeds and the only notice that the first request "failed" is in the console log (seen in Chrome Dev Tools).  The console log looks like this (one Error per Feature Layer load attempt):

Error: Token Required(…)x @ init.js:182(anonymous function) @ init.js:181c @ init.js:66d @ init.js:66resolve.callback @ init.js:67c @ init.js:66d @ init.js:66resolve.callback @ init.js:67c @ init.js:66d @ init.js:66resolve.callback @ init.js:67c @ init.js:66d @ init.js:66resolve.callback @ init.js:67(anonymous function) @ init.js:185k @ init.js:189m @ init.js:189resolve @ init.js:191a @ init.js:190k @ init.js:190m @ init.js:189resolve @ init.js:191a @ init.js:190k @ init.js:190m @ init.js:189resolve @ init.js:191a @ init.js:190k @ init.js:190m @ init.js:189resolve @ init.js:191q @ init.js:150f @ init.js:154

init.js:182 Error: Token Required(…)x @ init.js:182(anonymous function) @ init.js:181c @ init.js:66d @ init.js:66resolve.callback @ init.js:67c @ init.js:66d @ init.js:66resolve.callback @ init.js:67c @ init.js:66d @ init.js:66resolve.callback @ init.js:67c @ init.js:66d @ init.js:66resolve.callback @ init.js:67(anonymous function) @ init.js:185k @ init.js:189m @ init.js:189resolve @ init.js:191a @ init.js:190k @ init.js:190m @ init.js:189resolve @ init.js:191a @ init.js:190k @ init.js:190m @ init.js:189resolve @ init.js:191a @ init.js:190k @ init.js:190m @ init.js:189resolve @ init.js:191q @ init.js:150f @ init.js:154

It appears that ArcGIS Online does not check the IdentityManager object before attempting to load Feature Layers without a token (at least for HTTP).  Can you confirm this?

Thanks,

Andrew

0 Kudos
BjornSvensson
Esri Regular Contributor

> so attempting to append a token onto the request is not going to work

Did you try this?  If you append a token to a URL (whether a layer or a task like GP), that should work fine.

0 Kudos
JonMorris2
Occasional Contributor II

Bjorn Svensson:

> so attempting to append a token onto the request is not going to work

Did you try this?  If you append a token to a URL (whether a layer or a task like GP), that should work fine.

Sorry, what I meant was attempting it in javascript. Changing the code on my site isn't going to help when the call is coming from somewhere in the Esri js code.

What I did was alter the proxy code to append the token (as you've seen in my pull request). This appears to work - I can access my map and GP services - but even after retrieving the result data, passing it into a second service fails.

0 Kudos
BjornSvensson
Esri Regular Contributor

I think maybe you misunderstood my suggestion.

In your JSAPI application, you can append the token to the MapService URL, and the JSAPI will send it along:

"http://sampleserver6.arcgisonline.com/arcgis/rest/services/USA_secure_user1/MapServer?token=?" + token);

0 Kudos
JonMorris2
Occasional Contributor II

The GP service is more of a problem for us than the map service. Do we do the same thing with the GP service URL?

var gp = new Geoprocessor("http://sampleserver1.arcgisonline.com/ArcGIS/rest/services/Specialty/ESRI_Currents_World/GPServer/Me..." + token);

The error that occurs is in the JSAPI code that runs after you call gp.SubmitJob and gp.GetResultData.

0 Kudos