Generating a token using the OAuth2.0 endpoints with a valid Client ID and Client Secret returns a token, which is not valid to access services, which are owned by the same user who created the registered application. This occurs in a federated Portal for ArcGIS and ArcGIS GIS Server environment with a hosting server configured.
Bug ID Number
January 7, 2016
February 15, 2023
Operating System Version
7.0 64 Bit
Will Not Be Addressed
The development team has considered the issue or request and concluded it will not be addressed. The issue's Additional Information section may contain further explanation.
This is intended behavior, it is a limitation of app logins.
Tokens obtained by applications can only read public content and services. Although an App login cannot be used with private content, if the goal is to distribute or sell an app to organizations without ArcGIS Online (no named users), the control access to the content may be controlled by using an login mechanism (Identity) to the app.