solution

add esri.github.io/ as another valid redirect_uri for the registered sample app

client_id: zDbzLJW6W4tcxHkj

not sure who owns the item though...

In debugging an issue with Portal, the backing system was setup so that http requests to the api would be 302'd to https requests.

It seems like fetch would follow the 302, but was not smart enough to send the same body if the first request was a POST. Rather, it would send a GET, w/o the f=json&token=34b2js... and that would return the html, which would 💣 the app.

I propose we change that call to force a GET --> return arcgisRest.request(userUrl, { authentication: authMgr, httpMethod: 'GET' });

Still checking if this is a Portal/Enterprise thing, or something unique to this one env. If the latter, we may not need this, but should still consider looking into why the 302 is respected, but the form is not re-sent.

If config.baseURL is set to a value other /, the redirect URL ignores it and just redirects to the root.
This can be resolved by modifying the value of _currentBaseUrl at line 37 of arcgis-oauth-bearer.js to include config.baseURL.
Importing config is needed.
I've tested this change on localhost and a github page deploy and it worked.

Ember Issues:

• after importing both arcgis-rest-auth and arcgis-rest-request we only see arcgis-rest-auth in vendor.js
• after importing either of them, the build time jumps to ~5 minutes... I suspect it's because we are minifiying already minified code.

ArcGIS Rest Issues

• can we also ship un-minified umd output?
• UserSession.beginOAuth2 does not support the following:
  • passing additional flags - showSocialLogins, display
  • specifying pop-up window size
• Ergonomics of UserSession.completeOAuth2 - more a general thing.

Notes

UserSession.completeOAuth2

This requires use to use arcgis-rest-js within theredirect.html file, as well as getting the clientId into that context. Given that we can/have been doing this with ~4 lines of javascript in the <head> of redirect.html, this seems like overkill.

If UserSession.beginOAuth2 could register the callback with a consistent name - i.e. window['__ESRI_REST_AUTH_HANDLER'] instead of window['__ESRI_REST_AUTH_HANDLER_${clientid}'] this would greatly simplify things.

Regardless, we can't use this in torii-provider-arcgis because we need to use the mechanism provided by torii.

Use the ENV.APP.arcgisPortal hash for determining / configuring the portalUrl

when adding in your torii config in config/environment.js, the readme doc under Usage sample code is showing appId. this throws an error because it looks like it really wants apiKey like you have in your test app

When I am logged in to qa but go to opendatadev.arcgis.com, it sort of (but not quite) looks like I'm logged in:

See: #36 (review)

See https://github.com/ArcGIS/opendata-ui/pull/2634#issue-181085917

As Per https://medium.com/@bantic/torii-vulnerability-disclosure-dd98b6d88ec3, Torii < 0.9.1 has a possible exploit if the default redirectUri is used.

While this provider does not use the default, it would still be good to upgrade to latest

To centralize the logic for getting the correct portal url, have the session mixin be able to return a correct portalUrl (based on ENV.APP.arcgisPortal settings) for non-authenticated sessions.

Keep the current logic (using the portalUrl from the cookie/portal-self call) for Auth'd users.

We should deprecate the use of apiKey and switch to clientId.

This is more consistent with the url param in the AOG request, and aligned with oAuth terminology