Arcade function to get logged user token

Hi,

have you get workaround to get token in the popup ?

Thanks for your back

Rémy

We want the token so that we can build links to attachments outside the current feature service that are related by common attributes.  To build a working link to an attachment within or external to your portal you need to build the URL to the REST end point and provide a valid token as a URL parameter.  I'd much rather get the token from the signed-in user.  I strongly dislike our workaround because of the added overhead it creates, particularly at scale; not to mention the security implications of persisting a token as an attribute in a table that must be shared to any group that needs it.

Our workaround for this at the moment is to store a token in a table and use featureSetByID to lookup the token.

I have a table service with a single table in it.  The table has 3 fields: token, expire_date, generated_date.  We use python to hit the Rest API to generate the token with a built-in user that has only viewer permissions (the least permissioned user needed).  The token expires every 25 hours or so and we replace (Truncate + Append) it every 24 hours using the ArcGIS Python API and a scheduled task. We could replace the token on a tighter tight frame... it is a hassle either way, but it does work for our purposes.

It is probably not an approach that you would use to authenticate a user in anyway.

Has this been resolved - can Arcade get authentication token in order to display attachments from a related table? Or use the authentication that the current web map is using?

Thought I would bump this to see if anyone found the answer as I would also like to ---

Want to configure arcgis popup to show hyperlink with my custom webservice and provide logged user token as parameter. Token will be used for authorization in my custom service.

I asked an ESRI Field Maps Dev at the ESRI UC2023.  The idea was a hard no, they would not be doing that for security reasons.  The proposed solution was instead of providing the token directly they would perhaps manage that behind the scenes with the Attachment functions. They would see that you are trying to display the attachment and handle the token on the users behalf (similar to how it works for attachments of a feature you are currently viewing in a popup).

@JustinReynolds 

Justin, Thank you for the reply. This really makes no sense, since you need the Token to utilize a Rest API.  My current answer is a simple webhook that does a get token and then does the update.  This results in another "system" / Amazon Lambda and by extension a larger cyber exposure.  

I would think that allowing the current user to retrieve a valid token would make more sense or just a way to get the session token that is already active if that is the case. 

I agree we definitely need some way to do this. At the very least, it should be able to recognize whether the logged in user has permission to view said attachment. My case is even more frustrating that it doesn't work. I've got a feature service that handles a yearly hydrant flushing program. For the current year's flushing, I want to display the photo of what they did at that heart last year. In the web map viewer, it works no problem. In Field Maps, it won't display, even though it's the same feature service.