Configuring trusted services

Trusted services

Applications connected to the Identity Service can obtain tokens from it for access to trusted services. A trusted service, in turn, can use the token to request information about the logged-in person from the Identity Service and authorize access.

Configuration

For a service to be considered trusted, and for applications to request tokens for that service, you must register it with the Identity Service. To register a trusted service, add its request URL to the security.oauth.tokenRules parameter of the Identity Service configuration.

# .identity-service/application.properties
security.oauth.tokenRules=https://www.example.com/my-trusted-service

Example: map.apps

As a JavaScript browser application, map.apps requires access to map.apps backend services, for example for managing apps, bundles, or reports. If you use map.apps together with the Identity Service, you must also configure map.apps as a trusted service so that, for example, access to apps can be authorized on a user-specific basis.

security.oauth.tokenRules=https://www.example.com/mapapps

Example: ArcGIS Server

In this example, we assume that you are using ArcGIS Enterprise portal as the identity provider and that map.apps is connected to the Identity Service.

If you want to grant applications like map.apps or smart.finder access to non-public services of a federated ArcGIS Server, you need to configure the federated server as a trusted service.

security.oauth.tokenRules=https://www.example.com/mapapps;https://arcgis.example.com/server,TOKEN

If the portal is connected to multiple federated servers, you must include each federated server in the configuration.

security.oauth.tokenRules=https://www.example.com/mapapps;https://arcgis1.example.com/server,TOKEN;https://arcgis2.example.com/server,TOKEN

Example: ArcGIS Online

In this example, we assume that you are using ArcGIS Online as the identity provider and that map.apps is connected to the Identity Service.

If you want to use services published in your organization with map.apps, you have to specify the service URL like this:

security.oauth.tokenRules=https://services.arcgis.com/<organization-id>/arcgis,TOKEN;https://www.example.com/mapapps

To find out the URL of your organization, proceed as follows:

  1. In ArcGIS Online, switch to the Content tab and click on an arbitrary service of your organization.

  2. The service’s URL is shown on its overview page, for example https://services.arcgis.com/ObdACOfl4Z5LP2D0/arcgis/rest/services/TestLayer/FeatureServer.

  3. Copy the required part from the URL. It is ObdACOfl4Z5LP2D0 in this example.

Replace <organization-id> with the previously determined value. For example:

security.oauth.tokenRules=https://services.arcgis.com/ObdACOfl4Z5LP2D0/arcgis,TOKEN

If you want to use services from multiple organizations, you have to provide all URLs separated by commas:

security.oauth.tokenRules=https://services.arcgis.com/<organization1-id>/arcgis,https://services.arcgis.com/<organization2-id>/arcgis,TOKEN
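Because every URL in security.oauth.tokenRules names a service that applications may obtain tokens for, it is worth checking the value before deploying it. The following Python script is an added example, not part of the Identity Service: it parses a value using the syntax inferred from the examples on this page (rules separated by `;`, each rule a comma-separated URL list optionally ending in `TOKEN`) and reports entries that are not https, still contain a `<...>` placeholder, or are otherwise malformed. The function names and the sample value are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

PLACEHOLDER = re.compile(r"<[^>]+>")  # e.g. <organization-id> left unreplaced

def parse_token_rules(value):
    """Split a tokenRules value into (urls, rule_type) tuples.

    Assumed syntax (inferred from this page's examples): ';' separates
    rules; a rule is comma-separated URLs, optionally followed by TOKEN.
    """
    rules = []
    for raw in value.split(";"):
        parts = [p.strip() for p in raw.split(",") if p.strip()]
        if not parts:
            continue
        rule_type = parts.pop() if parts[-1] == "TOKEN" else None
        rules.append((parts, rule_type))
    return rules

def lint_token_rules(value):
    """Return a list of findings for one security.oauth.tokenRules value."""
    findings, seen = [], set()
    for urls, rule_type in parse_token_rules(value):
        if not urls:
            findings.append(f"rule with type {rule_type} has no URL")
        for url in urls:
            if PLACEHOLDER.search(url):
                findings.append(f"{url}: placeholder not replaced")
                continue
            u = urlsplit(url)
            if u.scheme != "https":
                # a token sent to a plain-http service can be read in transit
                findings.append(f"{url}: not https")
            if not u.hostname:
                findings.append(f"{url}: no host")
            if u.username or u.query or u.fragment:
                findings.append(f"{url}: credentials, query or fragment in URL")
            if url in seen:
                findings.append(f"{url}: registered more than once")
            seen.add(url)
    return findings

if __name__ == "__main__":
    # Constructed sample value with two deliberate mistakes.
    sample = ("https://www.example.com/mapapps;"
              "http://arcgis.example.com/server,TOKEN;"
              "https://services.arcgis.com/<organization-id>/arcgis,TOKEN")
    for finding in lint_token_rules(sample):
        print(finding)
```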