
Bug

The OAuth (Open Authorization)/authorize endpoint from ArcGIS Online does not issue a cookie for items when using app registration, causing users to sign in multiple times.

Last Published: March 15, 2019 ArcGIS Online
Bug ID Number: BUG-000119198
Submitted: January 8, 2019
Last Modified: January 9, 2021
Applies to: ArcGIS Online
Version Found: N/A
Server Platform: Windows
Client Platform: 10.0 64 Bit
Version Fixed: 7.1
Status: Fixed

Additional Information

The OAuth /authorize endpoint from ArcGIS Online does not issue a cookie for items using app registration. Hub Site Applications (the intended primary user experience for Hub users) make heavy use of app registration to support custom domains. Without the cookie, users have to sign in multiple times, which makes the system difficult to use. This means that if a user goes to the custom domain for a private hub site, they are prompted to log in. When they log in, if any private apps are embedded in the hub site, those apps are not displayed because the authentication the user just completed cannot be passed to the web app. It also means that when the user clicks Explore in an app gallery, they are prompted to sign in before they can see the app, even though they just signed in. Users expect that community users (members of the user's separate communityorg.maps.arcgis.com organization) only ever sign in or sign up and interact with the Hub Site Application or other WebGIS apps associated with a project or initiative. Many community users are not expected to use the home application (unless that community user is already familiar with GIS - an important population, but not the target of the Hub product).

Workaround

The following workaround steps allow the Gallery card to appear after logging in only once. However, they do not work for the Iframe card.

  1. Navigate to the redirect URL: https://www.arcgis.com/home/signin.html?returnUrl=https://case02241554-ess.hub.arcgis.com/.
  2. Input username and password.
  3. On the Gallery card on the right, titled “case02241554_webapp,” select the Explore button. The app appears without requiring an additional sign-in.

This workaround addresses the immediate issue but does not offer a user experience where citizens can arrive from Google search results, a news article, a tweet, etc. It also means that if the user logs in any way other than through the redirect URL, the iframes on the page will not function and the user has to log in multiple times. Because a custom domain has been set up to direct donors, this workaround does not let users reach the site through that custom domain, and it is difficult to ensure that users follow it.

Steps to Reproduce

