Bug
API key scoped to a hosted feature service with allowAnonymousToQuery set to false yields no results when queried, while short lived OAuth2 token does.
| Bug ID Number | BUG-000169836 |
|---|---|
| Submitted | August 8, 2024 |
| Last Modified | November 6, 2024 |
| Applies to | ArcGIS Online |
| Version found | June 2024 |
| Operating System | Windows OS |
| Operating System Version | 11.0 64 bit |
| Status | As Designed |
Additional Information
The current implementation of the API Authentication token is functioning as intended. This design choice has important implications for user privacy and system security. Token Content: The API Authentication token is designed to contain only the information necessary for accessing specific items or resources. It does not include user login information typically found in OAuth tokens. Anonymous Access: Due to the absence of user-specific information, requests made with these tokens are treated as coming from an anonymous account. Security Implications: The token's limited scope reduces potential security risks associated with token interception or misuse. Intended Functionality: This behavior is not a bug or oversight, but a deliberate design choice to balance functionality, privacy, and security.Workaround
Access tokens have different privileges depending on the method used to obtain them: Tokens from API key authentication and App authentication have their privileges managed by the developer credentials used to obtain them. Tokens from user authentication have their privileges determined by the ArcGIS account of the signed-in user.Steps to Reproduce
Bug ID: BUG-000169836
Software:
- ArcGIS Online
Get notified when the status of a bug changes
Discover more on this topic
Search for related information
Find training related to this topic
Explore ideas and give feedback
Get help from ArcGIS experts
Download the Esri Support App