UserSession.authorize() 2nd param "response"
Could somebody clarify what the required 2nd parameter for UserSession.authorize() is supposed to be? The documentation indicates it should be a ServerResponse, but I'm having trouble finding any further info.
The idea of passing in a response feels strange. Is this a bug? If not, documentation for this would be very helpful.
Not passing it in gives me this (probably expected) error:
Relevant part of docs: https://esri.github.io/arcgis-rest-js/api/auth/UserSession/#authorize
Thanks!
Issue Analytics
- Created 4 years ago
- Comments: 9 (6 by maintainers)
Top GitHub Comments
We absolutely need to get into this 😄 there are 2 OAuth flows that REST JS supports:
What you are trying to do is server side auth on the client which is REALLY bad for security.
Server side oauth normally works like this:
[UserSession.authorize()](https://github.com/Esri/arcgis-rest-js/blob/master/packages/arcgis-rest-auth/src/UserSession.ts#L426-L442) where the user enters their credentials.
UserSession.exchangeAuthorizationCode()
Since a refresh token represents PERMANENT and UNREVOKABLE access to the user's account you should NEVER store or use it client side where it could be compromised (hence why the refresh is delivered to the server). auth0 has some good doc on this.
It isn't even possible to implement this on the client because the oauth endpoint will respond with an HTML page that the user has to fill out in order to generate the code and then redirects to a new page to generate the code at step 2.
If you want refresh tokens you need to get your own Node server running and do proper OAuth (sorry). You can store the token (not the refresh token) on the client and if the token expires generate a new token on the server. You can see an example of that here https://github.com/Esri/arcgis-rest-js/blob/master/demos/webmap-checker-sapper/src/utils.js#L4-L33 and https://github.com/Esri/arcgis-rest-js/blob/master/demos/webmap-checker-sapper/src/routes/auth/exchange-token.js. If the token expires we can refresh server side and re-run anything on the client.
If you cannot run your own server you need to use the client side OAuth flows in https://github.com/Esri/arcgis-rest-js/tree/master/demos/oauth2-browser. You can freely send regular tokens to your backend, making your workflow look like this:
UserSession.beginOAuth2()
I hope this helps.
It is expected to be (at least) an http.ServerResponse (https://nodejs.org/api/http.html#http_class_http_serverresponse), which might be wrapped in your framework like https://expressjs.com/en/4x/api.html#res in Express or https://github.com/hapijs/hapi/blob/master/API.md#request.raw in HAPI. Depending on your exact framework you need to pass in something. You can see how we use this in https://github.com/Esri/arcgis-rest-js/blob/master/packages/arcgis-rest-auth/src/UserSession.ts#L435-L441 (hint: we just call writeHead() and end()).
@jgravois this needs more docs. I'm assigning to me.
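As an added example (not arcgis-rest-js code and not from the maintainers), here is what the server-side flow described in the two comments above does with the response object: a plain-Node redirect written with writeHead() and end(), followed by the callback parsing that precedes the server-only code exchange. The endpoint path, query parameter names, option field names and the sample client id are assumptions.

```javascript
// Added illustration, not arcgis-rest-js code: why a server-side OAuth "authorize"
// step needs the http.ServerResponse (it writes a redirect with writeHead() and end(),
// as the maintainer notes) and how the callback code is recovered on the server.
// Endpoint path, parameter names and option fields are assumptions for illustration.

// Step 1 (server): build the portal sign-in URL and redirect the browser to it.
// Only code holding the response object can do this, hence the second parameter.
function beginServerLogin(opts, res, state) {
  const url = new URL(opts.portal + "/oauth2/authorize"); // assumed path
  url.searchParams.set("client_id", opts.clientId);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("redirect_uri", opts.redirectUri);
  url.searchParams.set("state", state); // binds the callback to this login attempt
  res.writeHead(302, { Location: url.toString() });
  res.end(); // nothing else is written; the portal serves the HTML sign-in page
  return url.toString();
}

// Step 2 (server): the portal redirects back to redirectUri with ?code=...&state=...
// Check that the echoed state is one we issued (generate each one with
// crypto.randomBytes(16).toString("hex")), then hand the code to the token exchange
// (the library's UserSession.exchangeAuthorizationCode()), which stays on the server
// so the refresh token is never exposed to the browser. Returns null on any mismatch.
function parseCallback(requestUrl, pendingStates) {
  const url = new URL(requestUrl, "http://localhost"); // base lets relative paths parse
  const code = url.searchParams.get("code");
  const state = url.searchParams.get("state");
  if (!code || !state || !pendingStates.has(state)) return null;
  pendingStates.delete(state); // single use: a replayed callback is rejected
  return code;
}

// Stand-in for http.ServerResponse with just the two methods the flow uses,
// so the functions above can be exercised without opening a socket.
function fakeResponse() {
  const rec = { status: 0, headers: {}, ended: false };
  rec.writeHead = (status, headers) => { rec.status = status; Object.assign(rec.headers, headers); };
  rec.end = () => { rec.ended = true; };
  return rec;
}

// Constructed sample options (placeholder client id, assumed portal base URL).
const sampleOptions = {
  clientId: "EXAMPLE_CLIENT_ID",
  redirectUri: "http://localhost:3000/authorize",
  portal: "https://www.arcgis.com/sharing/rest",
};
```

In a real Express handler the `res` argument is passed straight through in place of `fakeResponse()`, which is exactly what the page's second parameter is for.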