Bug Number BUG-000119198
Submitted Jan 08, 2019
Modified Jun 11, 2020
Severity High
Applies To ArcGIS Online
Version Found 6.4
Prog Language N/A
Server Platform Windows 10.0 64 Bit
Client Platform Windows 10.0 64 Bit
Database N/A
Locale N/A
Status Implemented
Version Fixed 7.1
SP Fixed N/A

Bug BUG-000119198


The OAuth (Open Authorization)/authorize endpoint from ArcGIS Online does not issue a cookie for items when using app registration, causing users to sign in multiple times.

Additional Information

The OAUTH/authorize endpoint from ArcGIS Online does not issue a cookie for items using app registration. Hub Site Applications (the intended primary user experience for Hub users) makes heavy use of app registration to support custom domains. Without the cookie, users have to sign in multiple times which makes the system difficult to use. This means that if a user goes to the custom domain for a private hub site they are prompted to log in. When they log in, if any private apps are embedded in the hub site, they are not displayed because the authentication the user just completed cannot be passed to the web app. This also means when the user clicks on Explore in an app gallery, it prompts the user for sign in prior to the user being able to see the app even though they just signed in. Users are expecting that community users (a member of the user's separate communityorg.maps.arcgis.com ) only ever signs in/up & interact with the Hub Site Application or other WebGIS apps associated with a project/initiative. It is not expected for many community users to use the home application (unless that community user is already familiar with GIS - which is an important population but not the target of the Hub product).

Alternate Solution

The following workaround steps allow the Gallery card to appear after logging in only once. However, the following steps do not work for the Iframe card.

  1. Navigate to the redirect URL: https://www.arcgis.com/home/signin.html?returnUrl=https://case02241554-ess.hub.arcgis.com/.
  2. Input username and password.
  3. The Gallery card which is on the right and titled, “case02241554_webapp.” Select the Explore button. It appears without requiring an additional log in.

This technology solves the issue but did not offer a user experience where citizens can come in from Google search results, a news article, a tweet, etc. It also means that if the user logs in any way other than through the redirect URL, the iframes in the page would not function and they have to log in multiple times. As a custom domain has been set up to direct donors, this workaround does not allow users to use their custom domain and is difficult to ensure use.