Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
TRANSCRIPT
Page 1
Using ArcGIS with OAuth 2.0
Aaron Parecki, @aaronpk
CTO, Esri R&D Center Portland
Page 2
An Introduction to OAuth 2
Before OAuth
• Apps stored the user’s password
• Apps got complete access to a user’s account
• Users couldn’t revoke access to an app except by changing their password
• Compromised apps exposed the user’s password
Page 3
Before OAuth
• Services recognized the problems with password authentication
• Many services implemented things similar to OAuth 1.0:
  - Flickr: “FlickrAuth” frobs and tokens
  - Google: “AuthSub”
  - Facebook: requests signed with MD5 hashes
  - Yahoo: BBAuth (“Browser-Based Auth”)
Page 4
The OAuth 2.0 Spec
http://oauth.net/2/
Page 5
Definitions
• Resource Owner: The User
• Resource Server: The API
• Authorization Server: Often the same as the API server
• Client: The Third-Party Application
Page 6
Use Cases
• Web-server apps
• Browser-based apps
• Username/password access
• Application access
• Mobile apps
Page 7
Use Cases – Grant Types
• Web-server apps – authorization_code
• Browser-based apps – implicit
• Username/password access – password
• Application access – client_credentials
• Mobile apps – implicit
Page 8
Web Server Apps
Authorization Code Grant
Page 9
Create a “Log In” link
Link to:
https://www.arcgis.com/sharing/oauth2/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=REDIRECT_URI
Page 13
User visits the authorization page
https://www.arcgis.com/sharing/oauth2/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=REDIRECT_URI
Page 14
On success, user is redirected back to your site with auth code:
https://example.com/auth?code=AUTH_CODE_HERE
On error, user is redirected back to your site with error code:
https://example.com/auth?error=access_denied
Page 15
Server exchanges auth code for an access token
Your server makes the following request:
POST https://www.arcgis.com/sharing/oauth2/token
Post Body: grant_type=authorization_code&code=CODE_FROM_QUERY_STRING&redirect_uri=REDIRECT_URI&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET
Page 16
Server exchanges auth code for an access token
Your server gets a response like the following:
{ "access_token":"RsT5O30zqMLgV3Ia", "expires_in":3600, "refresh_token":"e1qok2RRua48lXI", "username":"aaronpk" }
or if there was an error:
{ "error":"invalid_request" }
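The authorization code flow from the preceding slides (log-in link, redirect handling, code exchange, token response) as a server-side client in Python. This is an added example, not code from the talk or from Esri; the `state` parameter is not on the slides and is assumed here as the standard OAuth 2 check that the redirect belongs to the session that started the login. No network calls are made; the request bodies and responses are built and parsed as strings.

```python
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# ArcGIS Online endpoints as given on the slides
AUTHORIZE_URL = "https://www.arcgis.com/sharing/oauth2/authorize"
TOKEN_URL = "https://www.arcgis.com/sharing/oauth2/token"

def build_login_url(client_id, redirect_uri, state):
    """The 'Log In' link for the authorization code grant (response_type=code).
    'state' is not on the slides: it is a random value kept in the user's session
    so the app can reject redirects it did not start (standard OAuth 2 practice)."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)

def parse_redirect(redirect_url, expected_state):
    """Handle the redirect back to REDIRECT_URI: return the auth code, or raise
    on a state mismatch or an ?error=... response such as access_denied."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not started by this session")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]

def build_token_request(code, redirect_uri, client_id, client_secret):
    """Form body the server POSTs to TOKEN_URL; the client secret stays server-side."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri, "client_id": client_id,
                      "client_secret": client_secret})

def parse_token_response(body):
    """Parse the JSON token response into (access_token, refresh_token, expires_in),
    raising if the server answered with {"error": ...} instead."""
    data = json.loads(body)
    if "error" in data:
        raise ValueError("token request failed: " + data["error"])
    return data["access_token"], data.get("refresh_token"), data["expires_in"]

if __name__ == "__main__":
    # Walk the flow with constructed values; the token response is a sample string.
    state = secrets.token_urlsafe(16)
    print(build_login_url("YOUR_CLIENT_ID", "https://example.com/auth", state))
    code = parse_redirect("https://example.com/auth?code=AUTH_CODE_HERE&state=" + state, state)
    print(build_token_request(code, "https://example.com/auth", "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET"))
    sample = '{"access_token":"RsT5O30zqMLgV3Ia","expires_in":3600,"refresh_token":"e1qok2RRua48lXI"}'
    print(parse_token_response(sample))
```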
Page 17
Browser-Based Apps
Implicit Grant
Page 18
Create a “Log In” link
Link to:
https://www.arcgis.com/sharing/oauth2/authorize?response_type=token&client_id=YOUR_CLIENT_ID&redirect_uri=REDIRECT_URI
Page 19
User visits the authorization page
https://www.arcgis.com/sharing/oauth2/authorize?response_type=token&client_id=YOUR_CLIENT_ID&redirect_uri=REDIRECT_URI
Page 20
On success, user is redirected back to your site with the access token in the fragment:
https://example.com/auth#token=ACCESS_TOKEN
On error, user is redirected back to your site with error code:
https://example.com/auth#error=access_denied
Page 21
Browser-Based Apps
• Use the “Implicit” grant type
• No server-side code needed
• Client secret not used
• Browser makes API requests directly
Page 22
Application Access
Client Credentials Grant
Page 23
Client Credentials Grant
POST https://www.arcgis.com/sharing/oauth2/token
Post Body: grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET
Response:
{ "access_token":"RsT5OjbzRn430zqMLgV3Ia", "expires_in":3600 }
Page 24
Grant Type Summary
• authorization_code: Web-server apps
• implicit: Mobile and browser-based apps
• password: Username/password access
• client_credentials: Application access
Page 25
Authorization Code
• User visits auth page: response_type=code
• User is redirected to your site with auth code: http://example.com/?code=xxxxxxx
• Your server exchanges auth code for access token: POST /token
  code=xxxxxxx&grant_type=authorization_code
Page 26
Implicit
• User visits auth page: response_type=token
• User is redirected to your site with access token: http://example.com/#token=xxxxxxx
• Token is only available to the browser since it’s in the fragment
Page 27
Client Credentials
• Your server exchanges client ID/secret for access token: POST /token
  client_id=xxxxxxx&client_secret=yyyyyyy&grant_type=client_credentials
Page 28
Creating an App
Page 29
developers.arcgis.com
Page 30
Create an Application
Page 31
Get your app’s client_id
Page 32
Set the redirect_uri
Page 33
Create a Sign-In Button
Page 34
Launch Safari to the ArcGIS Online Authorization Endpoint
github.com/Esri/OAuth2-Demo-iOS
Page 35
The User Signs In
Page 36
Redirect back to your app
oauthdemo://auth#access_token=BAAEEmo2nocQBAFFOeRTd…
ArcGIS Online redirects back to your app using a custom URI scheme.
Access token is included in the redirect, just like browser-based apps.
Page 37
Parse the token from the URL
github.com/Esri/OAuth2-Demo-iOS
Page 38
The User is Signed In!
Page 39
Mobile Apps
• Use the “Implicit” grant type
• No server-side code needed
• Client secret not used
• Mobile app makes API requests directly
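The "Parse the token from the URL" step for the implicit grant, covering both the browser redirect (`#token=`) and the iOS custom-scheme redirect (`#access_token=`) shown on the slides, plus the `#error=` case. This is an added example in Python, not code from the talk or from the Esri/OAuth2-Demo-iOS project; the sample URLs are constructed.

```python
from urllib.parse import urlsplit, parse_qs

def parse_implicit_redirect(redirect_url):
    """Pull the access token out of an implicit-grant redirect.

    The token travels in the URL fragment, so only the browser (or the app that
    owns the custom URI scheme) sees it; it is never sent to a server. The slides
    use two parameter names, 'token' in the browser example and 'access_token'
    in the iOS custom-scheme example, so both are accepted.
    Returns (access_token, error); exactly one of the two is None.
    """
    fragment = parse_qs(urlsplit(redirect_url).fragment)
    if "error" in fragment:
        return None, fragment["error"][0]
    for name in ("access_token", "token"):
        if name in fragment:
            return fragment[name][0], None
    # A token carried in the query string instead of the fragment would already
    # have reached the redirect_uri's server, so it is treated as malformed.
    return None, "no token in fragment"

if __name__ == "__main__":
    # Constructed redirect URLs in the shapes shown on the slides
    for url in ("https://example.com/auth#token=ACCESS_TOKEN",
                "oauthdemo://auth#access_token=ACCESS_TOKEN",
                "https://example.com/auth#error=access_denied",
                "https://example.com/auth?token=NOT_IN_FRAGMENT"):
        print(url, "->", parse_implicit_redirect(url))
```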
Page 40
Accessing Resources
So you have an access token. Now what?
Page 41
Use the access token to make requests
Now you can make requests using the access token.
GET http://www.arcgis.com/sharing/rest/portals/self?token=RsT5OjbzRn430zqMLgV3Ia
Page 42
Eventually the access token may expire
When you make a request with an expired token, you will get this response:
{ "error":"expired_token" }
Now you need to get a new access token!
Page 43
Get a new access token using a refresh token
Your server makes the following request:
POST https://www.arcgis.com/sharing/oauth2/token
grant_type=refresh_token&refresh_token=e1qoXg7Ik2RRua48lXIV&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET
Your server gets a response similar to the original call to oauth2/token, with new tokens:
{ "access_token":"RsT5OjbzRn430zqMLgV3Ia", "expires_in":3600, "username":"aaronpk" }
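Token expiry and refresh from the two preceding slides (`expires_in`, the `expired_token` error, and the `refresh_token` grant) as a small server-side token holder. This is an added Python example, not code from the talk or from Esri; the 60-second refresh margin (`SKEW`) and the `now` parameter used to make timing testable are assumptions, and the sample responses are constructed from the slides.

```python
import json
import time
from urllib.parse import urlencode

TOKEN_URL = "https://www.arcgis.com/sharing/oauth2/token"

class TokenStore:
    """Server-side holder for an access/refresh token pair. Refreshes a little
    before expires_in elapses (SKEW is an assumed margin, not from the slides)
    so a request is not sent with a token about to expire, and also reacts to
    an API reply of {"error":"expired_token"} via is_expired_token_error()."""
    SKEW = 60  # seconds

    def __init__(self, access_token, refresh_token, expires_in, now=None):
        self.update(access_token, refresh_token, expires_in, now)

    def update(self, access_token, refresh_token, expires_in, now=None):
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.expires_at = (time.time() if now is None else now) + expires_in

    def needs_refresh(self, now=None):
        now = time.time() if now is None else now
        return now >= self.expires_at - self.SKEW

    def refresh_request(self, client_id, client_secret):
        """Form body for the refresh_token grant POSTed to TOKEN_URL."""
        return urlencode({"grant_type": "refresh_token",
                          "refresh_token": self.refresh_token,
                          "client_id": client_id, "client_secret": client_secret})

    def apply_refresh_response(self, body, now=None):
        """Install the new access token. The slides' refresh reply carries no new
        refresh_token, so the existing one is kept unless the server sends one."""
        data = json.loads(body)
        if "error" in data:
            raise ValueError("refresh failed: " + data["error"])
        self.update(data["access_token"],
                    data.get("refresh_token", self.refresh_token),
                    data["expires_in"], now)

def is_expired_token_error(api_body):
    """True when an API call answered with {"error":"expired_token"}."""
    try:
        data = json.loads(api_body)
    except ValueError:
        return False
    return isinstance(data, dict) and data.get("error") == "expired_token"
```

On an `expired_token` reply the caller sends `refresh_request(...)` to `TOKEN_URL`, passes the body to `apply_refresh_response`, and retries the API call once with the new token.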
Page 44
developers.arcgis.com/en/authentication/
Page 45
oauth.net/2
Page 46
Links
github.com/Esri/OAuth2-Demo-iOS
developers.arcgis.com