
UserSession.authorize() 2nd param "response"


Could somebody clarify what the required 2nd parameter for UserSession.authorize() is supposed to be? The documentation indicates it should be a ServerResponse, but I’m having trouble finding any further info.

The idea of passing in a response feels strange. Is this a bug? If not, documentation for this would be very helpful.

Not passing it in gives me this (probably expected) error:

[screenshot of the error message]

Relevant part of docs: https://esri.github.io/arcgis-rest-js/api/auth/UserSession/#authorize

Thanks!


Top GitHub Comments

patrickarlt commented, Sep 26, 2019

I’m guessing this method was written to be handled on the back end with the traditional auth model, which our app doesn’t use. This is all being done on the front end for various reasons I won’t get into here 😁

We absolutely need to get into this 😄 there are 2 Oauth flows that REST JS supports:

  1. Client side (no refresh tokens, Oauth “Implicit Flow”)
  2. Server side (refresh tokens, Oauth “Authorization Code Flow”)

What you are trying to do is server side auth on the client which is REALLY bad for security.

Server side oauth normally works like this:

  1. The server redirects the user to the ArcGIS authorization page [UserSession.authorize()](https://github.com/Esri/arcgis-rest-js/blob/master/packages/arcgis-rest-auth/src/UserSession.ts#L426-L442) where the user enters their credentials.
  2. The authorization page generates an authorization code (not a token) and redirects the user back to your redirect URL.
  3. Your redirect URL should handle exchanging the code for a token and refresh token UserSession.exchangeAuthorizationCode()
  4. Your server then has the refresh token to store securely.

Since a refresh token represents PERMANENT and UNREVOKABLE access to the user's account you should NEVER store or use it client side where it could be compromised (hence why the refresh token is delivered to the server). auth0 has some good docs on this.

It isn’t even possible to implement this on the client because the oauth endpoint will respond with an HTML page that the user has to fill out in order to generate the code and then redirects to a new page to generate the code at step 2.


If you want refresh tokens you need to get your own Node server running and do proper oAuth (sorry). You can store the token (not the refresh token on the client) and if the token expires generate a new token on the server. You can see an example of that here https://github.com/Esri/arcgis-rest-js/blob/master/demos/webmap-checker-sapper/src/utils.js#L4-L33 and https://github.com/Esri/arcgis-rest-js/blob/master/demos/webmap-checker-sapper/src/routes/auth/exchange-token.js. If the token expires we can refresh server side and re-run anything on the client.


If you cannot run your own server you need to use the client side Oauth flows in https://github.com/Esri/arcgis-rest-js/tree/master/demos/oauth2-browser. Since you can freely send regular tokens to your backend, your workflow looks like this:

  1. Frontend checks for a cookie with a token
  2. If the cookie exists send the token to the backend to do the work
  3. If a cookie doesn’t exist or the token has expired ask the user to sign in again with UserSession.beginOAuth2().

I hope this helps.

patrickarlt commented, Sep 26, 2019

It is expected to be (at least) a http.ServerResponse https://nodejs.org/api/http.html#http_class_http_serverresponse which might be wrapped in your framework like https://expressjs.com/en/4x/api.html#res in Express or https://github.com/hapijs/hapi/blob/master/API.md#request.raw in HAPI

Depending on your exact framework you need to pass in something. You can see how we use this in https://github.com/Esri/arcgis-rest-js/blob/master/packages/arcgis-rest-auth/src/UserSession.ts#L435-L441 (hint we just call writeHead() and end()).

@jgravois this needs more docs. I’m assigning to me.
