-
Notifications
You must be signed in to change notification settings - Fork 119
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
getService, getLayer should automatically retry failed requests sans authentication #920
Comments
I thought we already did this, maybe down at the request level. I looked at that code, but it's really hard to follow. So you're saying this definitely does not happen today? |
We support this but not automatically. See #503. We allow calling There are also a few other solutions to this which are reasonable to implement in the application:
The other reason I'm hesitant to do this automatically is that we cannot know if the getService({
url: "some unknown service",
authentication: someUserSession
}).catch(err => {
if (err.name === 'ArcGISAuthError') {
// Did the token expire and we need to refresh it? Or is this a public service that the session isn't good for?
// It is difficult for us to know.
err.retry(() => Promise.resolve(undefined))
.then(response)
}
}) This ties into something larger that I wanted to discuss though which is, what is our default refresh behavior? This example consider the following scenario: You implement oAuth 2.0 on the server with a refresh token on the server and short lived tokens on the client. Ideally you would want want to define a single |
@patrickarlt those strike me as fair arguments and I like the idea of focusing on broad solutions, though I think @tomwayson would probably have more to say in that realm. I did notice and mention the
I think the key is that I've only observed this behavior with requests to ArcGIS Server. Have you observed this behavior in the context of the Portal API as well? |
I do agree that we should handle this, it is just a question of how. I agree it should be low level probally as low as
REST JS is fundamentally different because:
There are 2 use cases I would ideally like to handle:
I think we handle this like this:
|
@tomwayson @gavinr @jwasilgeo and I met on this. We can't decide on the best way forward. There isn't a good consensus on HOW we should resolve this issue since it is complex and the auth flow is already rather complex. |
Background
ArcGIS Server tries to validate any token passed in a request whether or not authentication is needed for that request. This can lead to a scenario such as the following:
Bob creates a
Feature Service
item on ArcGIS Enterprise for a public feature service on AGOL. The consuming application sends an ArcGIS Enterprise authentication token in requests to the AGOL service. The service tries to validate the token with AGOL and fails, preventing the request from succeeding. If a token is not sent, the request is successful since the service is public.Solution
A simple and bullet-proof approach to solving this would be to
cc @rgwozdz @tomwayson
The text was updated successfully, but these errors were encountered: