Configure trusted services
With the configuration described here, you define the rules that determine which services are considered trusted services and how tokens must be transmitted. Clients can then query the rules from the Identity Service and use them to determine whether they may obtain a token for a service and forward it to that service.
Configuration
You define the rules via the configuration parameter security.oauth.tokenRules of the Identity Service.
For example, to configure the service https://www.example.com/my-trusted-service as a trusted service, use the following setting:
# .identity-service/application.properties
security.oauth.tokenRules=https://www.example.com/my-trusted-service,BEARER;
The following sections describe some examples for configuring trusted services.
Example: ArcGIS Enterprise portal
In this example, we assume you are using an application that uses ArcGIS Enterprise portal as its identity provider.
To allow users in applications like map.apps or smart.finder to access non-public portal resources, you must also configure the portal as a trusted service. However, if ArcGIS Enterprise portal is configured for Integrated Windows Authentication (IWA), this configuration is unnecessary.
Add the portal as a trusted service as follows if it is not configured for IWA:
security.oauth.tokenRules=https://arcgis.example.com/portal,TOKEN;
For ArcGIS Enterprise portal, the application must usually pass the token as a ?token=<token> parameter.
Therefore, TOKEN should be used as the transport type.
Example: ArcGIS Server
In this example, we assume you are using an application that uses ArcGIS Enterprise portal as its identity provider. If you want to grant applications like map.apps or smart.finder access to non-public services of a federated ArcGIS Server, you must configure the federated server as a trusted service.
security.oauth.tokenRules=https://arcgis.example.com/server,TOKEN;
For ArcGIS Servers, the application must usually pass the token as a ?token=<token> parameter.
Therefore, TOKEN should be used as the transport type.
Alternatively, you can use the transport type BEARER if the application should pass the token in the Authorization header.
When using BEARER, you must additionally configure the configuration parameter cors.request.trustedServers in applications like map.apps.
If the portal is connected to multiple federated servers, you must include each federated server in the configuration.
security.oauth.tokenRules=https://arcgis1.example.com/server,TOKEN;https://arcgis2.example.com/server,TOKEN;
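The following is an added example, not code from the Identity Service or from map.apps: it parses a security.oauth.tokenRules value in the format shown above and, for a given request URL, decides whether a token may be forwarded and whether it goes into the ?token= parameter (TOKEN) or the Authorization header (BEARER). It assumes (the page does not say) that a rule matches when the request has exactly the rule's origin and the rule path is a segment-wise prefix of the request path; services without a matching rule never receive a token.

```javascript
// Added example; matching semantics are an assumption, not the product's documented behaviour.
// Parse "url,TRANSPORT;url,TRANSPORT;" into rule objects. Each URL is parsed with the
// WHATWG URL API so that a malformed entry fails loudly instead of silently matching nothing.
function parseTokenRules(value) {
  return value
    .split(";")
    .map((entry) => entry.trim())
    .filter((entry) => entry.length > 0)
    .map((entry) => {
      const [url, transport] = entry.split(",").map((s) => s.trim());
      if (!url || !["TOKEN", "BEARER"].includes(transport)) {
        throw new Error(`invalid token rule: ${entry}`);
      }
      const parsed = new URL(url);
      // Strip trailing slashes so "https://host/server/" and "https://host/server" behave alike.
      return { origin: parsed.origin, path: parsed.pathname.replace(/\/+$/, ""), transport };
    });
}

// Return the rule for a request URL, or null if the service is not trusted.
// Origins (scheme + host + port) are compared as parsed values, not as string prefixes,
// so "https://arcgis1.example.com.attacker.test" never matches "https://arcgis1.example.com".
function findTokenRule(rules, requestUrl) {
  const req = new URL(requestUrl);
  const matches = (rule) =>
    rule.origin === req.origin &&
    (rule.path === "" || req.pathname === rule.path || req.pathname.startsWith(rule.path + "/"));
  return rules.find(matches) || null;
}

// Build the outgoing request: ?token= parameter for TOKEN, Authorization header for BEARER,
// and no token at all when no rule matches (the token must not leak to untrusted hosts).
function prepareRequest(rules, requestUrl, token) {
  const rule = findTokenRule(rules, requestUrl);
  const url = new URL(requestUrl);
  const headers = {};
  if (rule === null) {
    return { url: url.toString(), headers, tokenSent: false };
  }
  if (rule.transport === "TOKEN") {
    url.searchParams.set("token", token);
  } else {
    headers.Authorization = `Bearer ${token}`;
  }
  return { url: url.toString(), headers, tokenSent: true };
}
```

Requests to a host that merely shares a prefix with a trusted one (arcgis1.example.com.attacker.test) or to a sibling path (/servers instead of /server) leave without a token.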
Example: ArcGIS Online
In this example, we assume you are using ArcGIS Online as your identity provider. To allow applications to integrate services published in your ArcGIS Online organization, you must configure the following URLs:
security.oauth.tokenRules=https://<organization-name>.maps.arcgis.com,TOKEN;https://services.arcgis.com/<organization-id>/arcgis,TOKEN;
Replace <organization-name> with the name of your organization in ArcGIS Online.
Replace <organization-id> with the ID of your organization in ArcGIS Online.
To determine the ID of your organization, proceed as follows:
- In ArcGIS Online, go to the Content tab and click on a service in your organization.
- In the service overview, you will find the service URL, e.g. https://services.arcgis.com/ObdACOfl4Z5LP2D0/arcgis/rest/services/TestLayer/FeatureServer
- Copy the part needed for the configuration. In this example, it is ObdACOfl4Z5LP2D0.
If you want to use services from more than one organization, you must list all URLs:
security.oauth.tokenRules=https://<organization-name>.maps.arcgis.com,TOKEN;https://services.arcgis.com/<organization1-id>/arcgis,TOKEN;https://services.arcgis.com/<organization2-id>/arcgis,TOKEN;
Example: GeoServer
In this example, we assume you are using Keycloak as your identity provider and that GeoServer is directly connected to the same Keycloak, as described in GeoServer Keycloak Authentication.
To allow applications to send the token to GeoServer, GeoServer must be registered as a trusted service in the Identity Service as follows:
security.oauth.tokenRules=https://example.com/geoserver,BEARER;
When using BEARER, you must additionally configure the configuration parameter cors.request.trustedServers in applications like map.apps.