BUG-000138488 for ArcGIS Runtime SDK

漏洞 ID 编号	BUG-000138488
已提交	March 25, 2021
上次修改时间	June 5, 2024
适用范围	ArcGIS Runtime SDK
找到的版本	100.10
操作系统	Windows OS
操作系统版本	10.0 64 Bit
状态	Non-Reproducible

附加信息

This issue is caused by an incorrect OAuth workflow configuration in the client application code, where two separate workflows have been combined: one intended for authenticating specific users and one intended for authenticating applications.

解决办法

User-based authentication

To support user-based authentication with OAuth, the recommended approach is OAuth Authorization Code. In this case the TokenAuthenticationType must be set to OAuthAuthorizationCode. Refer to ArcGIS Developers: ArcGIS Identity for more information.

Example:

var serverInfo = new ServerInfo(new Uri("https://www.arcgis.com/sharing/rest"))

{

TokenAuthenticationType = TokenAuthenticationType.OAuthAuthorizationCode,

OAuthClientInfo = new OAuthClientInfo("...", null)

};

Application-based authentication

To support application-based authentication with OAuth, it is necessary to use the Client Credential approach with a client ID and client secret. In this case the TokenAuthenticationType must be set to OAuthClientCredentials. Refer to ArcGIS Developers: Application credentials for more information.

Example:

var serverInfo = new ServerInfo(new Uri("https://www.arcgis.com/sharing/rest"))

{

TokenAuthenticationType = TokenAuthenticationType.OAuthClientCredentials,

OAuthClientInfo = new OAuthClientInfo("...", null, "...")

};

Notes:

It is not necessary to issue separate REST requests for tokens, instead the ArcGIS Runtime API supports this process automatically via the AuthenticationManager.
If a manual refresh of the token is required, application code should call OAuthTokenCredential.RefreshAsync().
Various properties of the credential can be accessed via API properties on OAuthTokenCredential, such as UserName