Esri / arcgis-rest-js

compact, modular JavaScript wrappers for the ArcGIS REST API
https://developers.arcgis.com/arcgis-rest-js/
Apache License 2.0

Passing X-Esri-Authorization token in the request header for ArcGIS enterprise server for token based authentication #1087

Closed JANA-hinukollu closed 1 year ago

JANA-hinukollu commented 1 year ago

Describe the bug

Hi all, I want to hide the token passed as a query parameter in every map request. The Web App Builder application is querying the ArcGIS portal for resources, passing the token every time. I need to hide this token from the query parameter. I found that Esri has suggested sending the token in the X-ESRI-Authorization header instead of as a query parameter, in the link below:

Access ArcGIS token-secured web services—ArcGIS Server Administration (Windows) | Documentation for Ar...

Kindly let me know how to configure the JavaScript application to send the token in the X-ESRI-Authorization header instead of as query parameter.

Thanks

Hari

Reproduction

Nothing yet.

Logs

No response

System Info

10.6.1

Additional Information

No response

gavinr commented 1 year ago

Hi, thank you for the question. This area is only for issues related to the ArcGIS REST JS software (https://developers.arcgis.com/arcgis-rest-js/). Are you sure you're using ArcGIS REST JS? If you're using ArcGIS Web AppBuilder, you are most likely not using ArcGIS REST JS.

If you are indeed using ArcGIS REST JS, please provide a replication case or example code where you're sending the request so we can attempt to replicate your issue. Thank you!

JANA-hinukollu commented 1 year ago

> Hi, thank you for the question. This area is only for issues related to the ArcGIS REST JS software (https://developers.arcgis.com/arcgis-rest-js/). Are you sure you're using ArcGIS REST JS? If you're using ArcGIS Web AppBuilder, you are most likely not using ArcGIS REST JS.

@gavinr Thanks for the reply. You are right, we are not using the ArcGIS REST JS client library. We have an enterprise ArcGIS server hosted in our environment and are making direct calls to the server using token-based authentication. Our requirement is to hide the token from the query params and send it in the request header by following this article: https://enterprise.arcgis.com/en/server/latest/administer/windows/accessing-arcgis-token-secured-web-services.htm

I have created a code sample here for reproducing it. In the example below I am using the ArcGIS REST JS client to make the request only for demo; locally we are directly calling the ArcGIS server, not using any library, but we are seeing the same error as attached below. https://codesandbox.io/s/cors-issue-p48jo9?file=/src/index.js

CORS Issue

patrickarlt commented 1 year ago

@JANA-hinukollu if you are using ArcGIS REST JS you need to do one of the following.

ArcGIS Servers (portal, enterprise, online) don't support the OPTIONS request on the GET requests to support the X-Esri-Authorization header. So you need to either:

  1. Use the token and hideToken options in ArcGIS REST JS's request options.
  2. Continue using headers["X-Esri-Authorization"] but change the httpMethod to POST.

Changing httpMethod to POST:

```js
import { request } from "@esri/arcgis-rest-request";

const url = "https://gis02.jana.local/server/rest/services/?f=json";

request(url, {
  httpMethod: "POST", // hiding the token does not work with GET requests
  headers: {
    "X-Esri-Authorization": "<token-value>"
  }
}).then(
  (response) => {
    console.log(response); // WebMap JSON
  }
);
```

Use token and hideToken:

```js
request(url, {
  token: "<token-value>",
  hideToken: true // let ArcGIS REST JS handle hiding the token in the headers
}).then(
  (response) => {
    console.log(response); // WebMap JSON
  }
);
```
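
For callers that talk to the server with `fetch` directly, as the question describes, the POST-plus-header option above could be built as follows. This is an added example, not code from the thread or from ArcGIS REST JS: `buildHeaderTokenRequest` is a hypothetical helper, the token values are placeholders, and moving the query parameters into a form body assumes the endpoint accepts form parameters on POST.

```javascript
// Added example: builds the arguments for a direct fetch() call so the token
// travels in the X-Esri-Authorization header of a POST and never in the URL.
function buildHeaderTokenRequest(rawUrl, token) {
  if (typeof token !== "string" || token.length === 0) {
    throw new TypeError("token must be a non-empty string");
  }
  const url = new URL(rawUrl);
  // A header keeps the token out of URLs and logs, not off the wire,
  // so plain HTTP is rejected.
  if (url.protocol !== "https:") {
    throw new Error(`refusing to send a token over ${url.protocol}`);
  }
  // Drop any token a caller left in the query string; otherwise it would
  // still end up in browser history, proxy logs and server access logs.
  url.searchParams.delete("token");
  // Assumption: the endpoint accepts its parameters (f=json, ...) as form
  // fields on POST, so the remaining query string moves into the body.
  const form = new URLSearchParams(url.search);
  url.search = "";
  return {
    url: url.href,
    init: {
      method: "POST",
      headers: {
        "Content-Type": "application/x-www-form-urlencoded",
        // Value passed through unchanged, as in the snippet above.
        "X-Esri-Authorization": token,
      },
      body: form.toString(),
    },
  };
}

// Constructed sample input: hostname from the thread, placeholder tokens.
const sample = buildHeaderTokenRequest(
  "https://gis02.jana.local/server/rest/services/?f=json&token=OLD-PLACEHOLDER",
  "TOKEN-PLACEHOLDER"
);
console.log(sample.url);
console.log(sample.init.method, sample.init.body);
// In the application: fetch(sample.url, sample.init).then((r) => r.json())
```
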