
renewing tokens: register-server-token-with-identity-manager

Open dncpax opened this issue 4 years ago • 7 comments

Hi there. Writing here hoping it's useful.

Regarding web-js/register-server-token-with-identity-manager, it shows how to get and use tokens from arcgis server, unfederated to portal. This works fine BUT only for 60 minutes. After that, the tokens expire and do not get renewed. So not usable. You can get a long-lived token though and hope users close the browser or reload before it expires (e.g. 24h tokens). Of course having long lived tokens is a bit nonsensical, but it may be the only way...

dncpax avatar Dec 04 '19 11:12 dncpax

Hi! First off I'm glad someone actually uses these samples! Don't worry, it's always useful when someone asks questions.

Secondly, yes, the token will not be renewed by IdentityManager because it was not created through IdentityManager. I can see why you would find this useless. However almost every example in this repo comes from an actual support case. A customer called me and asked specifically how to register an existing server token with IdentityManager. So while this sample may not be useful for you it was clearly useful for him.

These samples do not reflect best practices or Esri recommendations. Personally, I would never use this approach to token management.

How interactive maps are used varies from company to company and industry to industry. I left Esri a few years ago and work in government. 95% of my users stay on an interactive maps page for 20 minutes or less. Thus tokens timing out would not be a concern for me if I used this approach (but as stated earlier, I wouldn't use this). The only advantage you receive from registering a token with IdentityManager is you do not need to manually append tokens to all requests.

I hope this information helps, Nicholas

nhaney90 avatar Dec 04 '19 13:12 nhaney90

Hi there. I don't think it's useless... just not usable as is. And I do appreciate the samples!! I agree to some extent that it's not the best approach, but there is a real issue with authentication while integrating Esri maps into web apps. There is usually already an authentication framework used for web apps (in our case IWA), and adding maps with another auth scheme is just too complicated (getting Server or Portal to use IWA is another rabbit hole - you forego public services, which is a nuke to many sites). I know there's the proxy approach but that really is not that good either. You just pour all requests through that bottleneck. So what to do? The tokens approach could be quite elegant IF they could be made sufficiently secure, which again is another rabbit hole. This could all be solved by Esri implementing a best practice on securing tokens (transporting on the querystring is terrible and there are documented solutions for the rest of it). As for user patterns, in our case 20min is not at all enough. Many times apps are kept open through the day, along with lots of menus, forms, and maps. Anyway, at least we are never bored...

dncpax avatar Dec 04 '19 15:12 dncpax

"Anyway, at least we are never bored..." ain't that the truth lol. You bring up the need to use IWA internally but still have the application available externally. In the old days I used to get around this by using a trick with two different web adapters for my ArcGIS Server. One Web Adapter would use IWA and the other would use anonymous authentication with anonymous users tied to a specific account in active directory. This was sort of a hack and not something I usually recommended for customers.

However Esri has a fairly elegant way of handling this now if you use Portal or ArcGIS Online. You can configure enterprise logins to be a mix of accounts built into ArcGIS Online or Portal and accounts coming from AD. Your external users can sign in using a built in account while your internal users can use enterprise logins. I'm not sure if this will solve your specific problem but it may be worth looking into:

https://doc.arcgis.com/en/arcgis-online/administer/enterprise-logins.htm

Have a great day!

nhaney90 avatar Dec 04 '19 15:12 nhaney90

I was going the route of 2 web adaptors when I started looking at integrating Portal. Got to a point where a proof of concept was working fine, and then realized that federating server with portal requires licensing named users to existing web apps that edit server data... oops. I might have to go back and take another look at 2 wa's... thanks for your tips!

dncpax avatar Dec 04 '19 17:12 dncpax

Hey guys, so just to confirm there's no way to use IdentityManager.registerToken in a way that IdentityManager will refresh the token when necessary?

mayteio avatar Aug 07 '20 04:08 mayteio

Hi there. For some reason, registerToken only works with Portal tokens and does not automatically renew. I've put it on a setInterval so it runs every 50mins. For Server tokens I use the same as the sample, initializing esriId with a credential, also every 50mins.

dncpax avatar Aug 07 '20 08:08 dncpax

Yep, I basically take the expires value and figure out five minutes less from the time it was created. Regression!

mayteio avatar Aug 07 '20 08:08 mayteio
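An added example (not code from this thread or from Esri's samples) of the renewal loop the last two comments describe: fetch a fresh token, hand it to IdentityManager, and schedule the next fetch five minutes before `expires`. `fetchToken` and `register` are assumed callbacks supplied by the app; in a real page `fetchToken` would call the server's generateToken endpoint and `register` would wrap `IdentityManager.registerToken({ server, token, expires })`.

```javascript
// Added example: keep a non-federated ArcGIS Server token alive by
// re-registering it with IdentityManager before it expires. The ArcGIS
// API itself is not imported; `fetchToken` and `register` are assumed
// callbacks so the scheduler runs stand-alone (and in tests).

const RENEW_MARGIN_MS = 5 * 60 * 1000; // renew five minutes before expiry
const MIN_DELAY_MS = 10 * 1000;        // never poll faster than this

// Milliseconds to wait before renewing a token that expires at `expiresMs`.
// Clamped so a token that is already near expiry does not cause a tight loop.
function renewalDelay(expiresMs, nowMs, marginMs = RENEW_MARGIN_MS) {
  return Math.max(MIN_DELAY_MS, expiresMs - marginMs - nowMs);
}

// Drive the renewal loop. `fetchToken()` resolves to { token, expires }
// (the shape generateToken returns; `expires` is epoch milliseconds) and
// `register(cred)` passes it to IdentityManager. `schedule` and `now`
// default to the browser clock and can be replaced for testing.
async function startTokenRenewal({ fetchToken, register,
    schedule = setTimeout, now = Date.now, retryMs = 30 * 1000 }) {
  const state = { renewals: 0, failures: 0, stopped: false, lastExpires: 0 };

  async function cycle() {
    if (state.stopped) return;
    let delay;
    try {
      const cred = await fetchToken();
      register(cred);                 // IdentityManager now holds the new token
      state.renewals += 1;
      state.lastExpires = cred.expires;
      delay = renewalDelay(cred.expires, now());
    } catch (err) {
      state.failures += 1;            // old token stays registered; retry soon
      delay = retryMs;
    }
    schedule(cycle, delay);
  }

  await cycle();                      // first registration happens immediately
  return { state, stop: () => { state.stopped = true; } };
}
```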