Bug
Generating a token using the OAuth2.0 endpoints with a valid Client ID and Client Secret returns a token, which is not valid to access services, which are owned by the same user who created the registered application. This occurs in a federated Portal for ArcGIS and ArcGIS GIS Server environment with a hosting server configured.
| Bug ID Number | BUG-000093367 |
|---|---|
| Submitted | January 7, 2016 |
| Last Modified | February 15, 2023 |
| Severity | Medium |
| Applies to | ArcGIS API for JavaScript |
| Version found | 3.14 |
| Operating System | Windows OS |
| Operating System Version | 7.0 64 Bit |
| Status | Will Not Be Addressed |
Additional Information
This is intended behavior, it is a limitation of app logins. Tokens obtained by applications can only read public content and services. Although an App login cannot be used with private content, if the goal is to distribute or sell an app to organizations without ArcGIS Online (no named users), the control access to the content may be controlled by using an login mechanism (Identity) to the app. https://developers.arcgis.com/documentation/core-concepts/security-and-authentication/limitations-of-application-authentication/Steps to Reproduce
Bug ID: BUG-000093367
Software:
- ArcGIS API for JavaScript
Get help from ArcGIS experts
Download the Esri Support App
Discover more on this topic
Search for related information
Find training related to this topic
Explore ideas and give feedback