Esri/storymap-journal

Public Map Journal accessing secure content (without login)

simongis opened this issue · 10 comments

Requirement: I want to deploy the map journal to a web server, and allow access from anyone. However, the app itself on ArcGIS Online, the web maps and the hosted feature services are all secured to my named user and I do not want to share them to the public.

I have successfully set up GeoForm in a similar fashion to make use of Application Authentication.

  1. Application was registered in ArcGIS Online
  2. A proxy in IIS has the ClientID and ClientSecret
  3. Modified Geoform:
    • default.js - lines 18 & 21 has the OAuthID (ClientID) and the proxyURL embedded.
  4. templateConfig.js - had the following inserted into the define to enforce using the proxy:
   // proxy
   "httpProxy" : {
       "useProxy" : true,
       "url" : "https://simon-pc/mwproxy/proxy.ashx",
       "alwaysUseProxy" : false,
       "rules" : [{
           "urlPrefix" : "https://myagofororg.maps.arcgis.com/",
           "proxyUrl" : "/DotNet/proxy.ashx"
       }]
   }
  5. The proxy itself had the following rule inserted:
<serverUrl url="http://myagofororg.maps.arcgis.com/"
           clientId="AAaaBBo0Y6OrXLuGPt"
           clientSecret="nottherealsecretc4613a40a4ad1c4b3319"
           oauth2Endpoint="https://myagofororg.maps.arcgis.com/sharing/oauth2"
           rateLimit="600"
           rateLimitPeriod="60"
           matchAll="true"/>

This works fine. The Geoform can be accessed without prompting for a named user. Application Authentication ensures that as long as the Have also got it working with an AppBuilder app in similar fashion. One thing I learnt was that everything has to be owned by the same named user who registered the app.

I am struggling to take this same approach with the Map Journal.
Currently testing on my own box within IIS (which still works with Geoform).

  • Have repeated steps 1 & 2 above.
  • Have modified the index.html as so. (Lines 40, 43)
  • Have also modified config.js to set the default proxy url (line 139)
  • The proxy has a similar rule to above, but with the corresponding clientID/clientSecret.

But hitting the app, I get redirected to https://www.arcgis.com/sharing/oauth2/authorize?client_id=Fake00Y6OrXLuGPt?.....

*Was wondering if someone wanted to help me out here.* I am sure it is something simple I am missing. I can see this being useful for a number of our users (I am from a distributor) and would like to blog about it once I get the process right for a number of the apps.

I'm not a seasoned developer, but was also wondering why there is no consistency in how the app template config files are laid out for things like this? Thanks, keep up the great work, this is my favourite template!

Sorry for your issues and thanks for the feedback. We just forgot to add this feature and never got to it. That is going to be fixed with our upcoming release on Monday 29th. As you saw, Map Journal currently has a way to define the proxy, but that is not going to be used in all cases; what Map Journal was missing is the equivalent of the following part in the config:

 "rules" : [{
      "urlPrefix" : "https://myagofororg.maps.arcgis.com/",
      "proxyUrl" : "/DotNet/proxy.ashx"
    }]

We are going to add that in the configuration file app/config.js, the configuration will be identical.

If you want to do this before the release, add the following code at https://github.com/Esri/map-journal-storytelling-template-js/blob/master/src/app/storymaps/common/Core.js#L234

// route every request to the organization URL through the proxy
urlUtils.addProxyRule({
  "urlPrefix" : "https://myagofororg.maps.arcgis.com/",
  "proxyUrl" : "/DotNet/proxy.ashx"
});

I will close the issue once it is deployed; we will add an FAQ about this, and I will include a link.

@glazou Thanks for such a quick response. I think I will hold off deploying until 29th, but good to know it will be as simple as the other templates. I think a FAQ would be useful to help promote people using application authentication. I see a lot of clients with requirements for a public app, but to consume a few locked down services, and this gets around that problem.

Thanks again.

Update looks great.

Have registered my app that's sitting on my IIS and have a key and secret.
Have setup the proxy and added rules

  1. Where can I enforce alwaysUseProxy into the config file?
  2. Is it possible to have a MapJournal as private within my AGO account, but no authentication required when hitting it from a web-server? Or does Application Authentication rely on the app being public in AGO and just deals with authenticating any secure content within the app? I also have other private apps embedded into my journal like the swipe.

Glad you enjoyed it. I haven't accounted for alwaysUseProxy as to me it seemed limited to a very specific use case. You could configure that yourself by adding esri.config.defaults.io.alwaysUseProxy = true; at https://github.com/Esri/map-journal-storytelling-template-js/blob/master/src/index.html#L337

It should be possible to expose a private story from a web server by using the proxy rules for the application configuration itself. I have never done it, but I took a quick look and confirmed that the request for the application configuration will be sent to the proxy if there is a proper rule, so it should work. Just add a proxy rule with urlPrefix: "http://www.arcgis.com/", or your organization URL if you are using an organization account.

Having a slow day. Really do appreciate your help here.

  1. Have made my Map Journal on my AGO account public for now. This consumes a variety of private web maps, layers and apps (all hosted in my AGO for Org account, under my named user).
    I would prefer to have the app on AGO private, as it's useless without the underlying services, but for troubleshooting, I will keep it public.
  2. Downloaded latest version of Map Journal, deployed to my local IIS.
  3. Registered this App in ArcGIS Online
  4. Tweaked my index.html to include a reference to the Map Journal AppID (l.40). Have not included the OAuth ID (which is the Client ID) as the comments mention that this forces users to 'sign-in to access the viewer even if your application is public'.
  5. Have avoided applying the alwaysUseProxy rule, as I think this is unnecessary. Only need to pass through the requests that will require authenticating.
  6. Have tweaked my config.js to add some basic proxy rules (l.134-l.146) to catch any requests to my ArcGIS Online for Organisation account. Hitting my app, I get prompted to login on the 2nd page (which has a secured web-map that belongs to me). No requests get forwarded to my proxy.

I have tried changing the DEFAULT_PROXY_URL (l.169) to "http://lap-304261/yt_proxy/proxy.ashx" but this still does not pass any requests to my proxy.


I have been applying a number of different rules to my proxy, but the app is not passing any requests over to the proxy.

What am I missing? I know its going to be something annoyingly simple.

You must be close. As you noted in your comment in the config file, I think the issue is that by default the app will connect to www.arcgis.com, but you have configured your proxy rules for your Organization URL http://esriau.maps.arcgis.com/. If you either edit them to use www.arcgis.com or change DEFAULT_SHARING_URL to "//esriau.maps.arcgis.com/sharing/content/items", it should work.
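The routing behaviour discussed in this thread (the `rules` block and `urlUtils.addProxyRule` in the earlier replies, the `alwaysUseProxy` option, and the www.arcgis.com vs organization-URL mismatch just above), as an added JavaScript model written for this page. It is not code from the issue, from the ArcGIS JS API or from the Esri resource proxy: the function names, the simplified prefix-matching semantics, the proxy-side allowlist check, the item id and the attacker hostnames are all assumptions constructed for illustration.

```javascript
// Added example (editor's own, not Esri's code): a simplified model of the
// client-side proxy rules and of the proxy's serverUrl allowlist. The
// prefix-matching semantics and all function names are assumptions.
"use strict";

// Drop the scheme and lowercase the URL so that http:// vs https:// and
// letter case do not silently make a rule miss.
function normalize(url) {
  return url.replace(/^https?:\/\//i, "").toLowerCase();
}

// First rule whose urlPrefix is a prefix of the request URL wins.
function findProxyRule(url, rules) {
  const target = normalize(url);
  return rules.find((r) => target.startsWith(normalize(r.urlPrefix)));
}

// Decide whether a request goes direct or through a proxy.
// options: { alwaysUseProxy: bool, defaultProxyUrl: string }
function routeRequest(url, rules, options = {}) {
  const rule = findProxyRule(url, rules);
  let via = null;
  if (rule) {
    via = rule.proxyUrl;
  } else if (options.alwaysUseProxy && options.defaultProxyUrl) {
    via = options.defaultProxyUrl;
  }
  // The resource proxy convention used in the thread is proxy.ashx?<target url>.
  return { proxied: via !== null, via, requestUrl: via ? via + "?" + url : url };
}

// Proxy side: forward (and attach the app token obtained with the client
// secret) only to hosts listed as serverUrl entries. Any other target is
// refused; otherwise the proxy is an open relay for your application identity.
function proxyAccepts(targetUrl, serverUrls) {
  const t = normalize(targetUrl);
  return serverUrls.some((s) => {
    const prefix = normalize(s.url);
    return s.matchAll ? t.startsWith(prefix) : t === prefix;
  });
}

// Constructed scenario mirroring the thread: client rules for the org URL only,
// the app's default sharing URL on www.arcgis.com, and an item id made up here.
const ORG_RULES = [
  { urlPrefix: "https://myagofororg.maps.arcgis.com/", proxyUrl: "/DotNet/proxy.ashx" },
];
const ORG_AND_AGO_RULES = ORG_RULES.concat([
  { urlPrefix: "https://www.arcgis.com/", proxyUrl: "/DotNet/proxy.ashx" },
]);
const PROXY_SERVER_URLS = [{ url: "http://myagofororg.maps.arcgis.com/", matchAll: true }];

const ORG_ITEM = "https://myagofororg.maps.arcgis.com/sharing/rest/content/items/abc123/data";
const AGO_ITEM = "https://www.arcgis.com/sharing/rest/content/items/abc123/data";

function demo() {
  return {
    // matches the org rule: goes through /DotNet/proxy.ashx
    orgRequest: routeRequest(ORG_ITEM, ORG_RULES),
    // default sharing URL is www.arcgis.com: no rule matches, the request goes
    // direct, and the secured item triggers the sign-in prompt seen in the thread
    agoRequest: routeRequest(AGO_ITEM, ORG_RULES),
    // blunt fix: alwaysUseProxy sends everything through the default proxy
    agoRequestForced: routeRequest(AGO_ITEM, ORG_RULES, {
      alwaysUseProxy: true, defaultProxyUrl: "/mwproxy/proxy.ashx",
    }),
    // targeted fix: add a rule for www.arcgis.com (or point the app at the org URL)
    agoRequestFixed: routeRequest(AGO_ITEM, ORG_AND_AGO_RULES),
    // proxy-side allowlist: org host accepted, anything else refused
    proxyAllowsOrg: proxyAccepts(ORG_ITEM, PROXY_SERVER_URLS),
    proxyAllowsOther: proxyAccepts("https://attacker.example/collect", PROXY_SERVER_URLS),
    // the trailing slash in the serverUrl keeps a look-alike host from matching
    proxyAllowsLookalike: proxyAccepts(
      "https://myagofororg.maps.arcgis.com.attacker.example/x", PROXY_SERVER_URLS),
  };
}
```

Two practitioner points fall out of the model. First, a prefix rule only fires on the host the app actually talks to, so rules written for the organization URL do nothing while the app's sharing URL still points at www.arcgis.com, which is exactly the symptom reported above. Second, the proxy holds the client secret and exchanges it for app tokens, so its serverUrl list is the only thing standing between the public and an open relay carrying your application identity; with prefix matching, keep the trailing slash so that a host like myagofororg.maps.arcgis.com.attacker.example does not match.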

Cool, thanks, will definitely think about documenting everything related to security

Definitely closer. That works for any web maps embedded into the story map.
But I have also embedded some other apps (e.g. the swipe app) for which it's not working, which kind of makes sense as I guess they are likely iFrames? Let me do some more playing; feel free to close this off, but I might be back with some more workings/lessons learnt.

Ok, let me know. Yes, apps are included through a simple iframe, so those configurations are not going to be inherited from the main app. That may be doable through some custom dev; I don't think we could have that in the apps by default, as all the apps, even story maps, have different configs and it could be hard to draw the line and document. Easiest would be to host all those apps and perform the proxy config for all of them.

Darn. I've got quite a few apps embedded in this story, so that's going to be quite a few I would need to download, register and configure. Understand the reasoning. Might be worth mentioning in the FAQ.