  • class Esri::ArcGISRuntime::Authentication::IapConfiguration

    The Identity-Aware Proxy (IAP) configuration information used by an IapCredential.

    Header: #include <IapConfiguration.h>
    Since: Esri::ArcGISRuntime 300.0
    Inherits: Esri::ArcGISRuntime::Object and Esri::ArcGISRuntime::JsonSerializable

    Public Functions

    virtual ~IapConfiguration() override
    Esri::ArcGISRuntime::Authentication::IapAuthorizationPromptType authorizationPromptType() const
    QUrl authorizeUrl() const
    bool canBeUsedForUrl(const QUrl &url) const
    QString clientId() const
    QString clientSecret() const
    QStringList hostsBehindProxy() const
    QString iapClientId() const
    QUrl logoutUrl() const
    QUrl redirectUrl() const
    QStringList scopes() const
    QUrl tokenUrl() const
    bool operator==(Esri::ArcGISRuntime::Authentication::IapConfiguration *other) const

    Reimplemented Public Functions

    virtual QString toJson() const override

    Static Public Members

    Esri::ArcGISRuntime::Authentication::IapConfiguration *create(const QUrl &authorizeUrl, const QUrl &tokenUrl, const QUrl &logoutUrl, const QString &clientId, const QString &clientSecret, const QUrl &redirectUrl, const QString &iapClientId, const QStringList &scopes, const QStringList &hostsBehindProxy, Esri::ArcGISRuntime::Authentication::IapAuthorizationPromptType authorizationPromptType, QObject *parent = nullptr)
    QFuture<Esri::ArcGISRuntime::Authentication::IapConfiguration *> createAsync(const QString &path, QObject *parent = nullptr)
    Esri::ArcGISRuntime::Authentication::IapConfiguration *createForMicrosoft(const QString &tenantId, const QString &clientId, const QUrl &redirectUrl, const QStringList &hostsBehindProxy, Esri::ArcGISRuntime::Authentication::IapAuthorizationPromptType authorizationPromptType, QObject *parent = nullptr)
    Esri::ArcGISRuntime::Authentication::IapConfiguration *fromJson(const QString &json, QObject *parent = nullptr)

    Detailed Description

    Currently, only the Microsoft Entra Application Proxy is supported via the Microsoft Identity Platform.

    Member Function Documentation

    [override virtual noexcept] IapConfiguration::~IapConfiguration()

    Destructor.

    Esri::ArcGISRuntime::Authentication::IapAuthorizationPromptType IapConfiguration::authorizationPromptType() const

    Returns the type of user interaction required for authentication and consent while signing in to the Identity-Aware Proxy (IAP).

    The default value is IapAuthorizationPromptType::Unspecified, which defines the default user interaction behavior for the Identity-Aware Proxy (IAP). It optimizes the user experience by minimizing unnecessary credential prompts. The single sign-on (SSO) experience is determined by the authenticated Identity-Aware Proxy (IAP) session within the web session.

    • The user will not be prompted to enter credentials unless necessary.
    • If multiple user accounts are signed in, a select account interface will be displayed to allow users to choose their desired account.

    QUrl IapConfiguration::authorizeUrl() const

    Returns the Identity-Aware Proxy (IAP) authorize endpoint that facilitates user authentication.

    This URL is presented in the web session, allowing users to enter their credentials. Upon successful authentication, an authorization code is received, which can be used to generate tokens for secure access to protected resources.

    bool IapConfiguration::canBeUsedForUrl(const QUrl &url) const

    Returns whether this configuration can be used for the given URL.

    • url - The URL to check.

    A configuration can be used for a URL if the URL's host matches one of the hosts specified in the configuration's hosts behind proxy.

    QString IapConfiguration::clientId() const

    Returns a unique application-specific identifier associated with an application which is registered with the Identity-Aware Proxy (IAP) portal.

    This identifier is utilized by the Identity-Aware Proxy (IAP) to determine which application is attempting to authenticate. It is essential for accurately recognizing and processing authentication requests, ensuring that only the correct application is granted access to protected resources.

    QString IapConfiguration::clientSecret() const

    Returns a private key used to verify that the application is authorized to access secured services.

    This key establishes trust between the application and the Identity-Aware Proxy (IAP), ensuring that only authenticated applications can request access to protected resources. It must be kept confidential to prevent unauthorized access. Notably, Microsoft Entra Application Proxy does not require a client secret for authorization and token generation.

    [static] Esri::ArcGISRuntime::Authentication::IapConfiguration *IapConfiguration::create(const QUrl &authorizeUrl, const QUrl &tokenUrl, const QUrl &logoutUrl, const QString &clientId, const QString &clientSecret, const QUrl &redirectUrl, const QString &iapClientId, const QStringList &scopes, const QStringList &hostsBehindProxy, Esri::ArcGISRuntime::Authentication::IapAuthorizationPromptType authorizationPromptType, QObject *parent = nullptr)

    Returns an Identity-Aware Proxy (IAP) configuration from the specified parameters.

    • authorizeUrl - The Identity-Aware Proxy (IAP) authorize endpoint that facilitates user authentication.
    • tokenUrl - The Identity-Aware Proxy (IAP) endpoint responsible for generating access, ID, and refresh tokens.
    • logoutUrl - The Identity-Aware Proxy (IAP) endpoint used to log the user out of the web session and invalidate any associated tokens.
    • clientId - A unique application-specific identifier associated with an application which is registered with the Identity-Aware Proxy (IAP) portal.
    • clientSecret - A private key used to verify that the application is authorized to access secured services.
    • redirectUrl - The URL that the Identity-Aware Proxy (IAP) login and logout pages will redirect to when authentication completes. The scheme of this URL must be registered as a custom URL scheme in the application.
    • iapClientId - A unique identifier associated with an application which is registered with the Identity-Aware Proxy (IAP) portal. Notably, Microsoft Entra Application Proxy does not require an IAP client ID for authorization and token generation.
    • scopes - A list of permissions that define the access level for which the user should be authenticated.
    • hostsBehindProxy - The hosts of the ArcGIS resources that are to be accessed behind the Identity-Aware Proxy (IAP).
    • authorizationPromptType - The type of user interaction required for authentication and consent while signing in to the Identity-Aware Proxy (IAP).
    • parent - The optional parent QObject.

    [static] QFuture<Esri::ArcGISRuntime::Authentication::IapConfiguration *> IapConfiguration::createAsync(const QString &path, QObject *parent = nullptr)

    Creates an Identity-Aware Proxy (IAP) configuration from a JSON file on disk.

    • path - The path to the IAP configuration JSON file on disk.
    • parent - The optional parent QObject.

    The format of the JSON file for Microsoft Entra Application Proxy should be as follows:

    ```JSON
    {
      "authorize_url" : "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize",
      "token_url" : "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token",
      "logout_url" : "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/logout",
      "client_id" : "<client_id>",
      "redirect_url" : "<redirect_url>",
      "scope" : [
        "<client_id>/.default",
        "offline_access",
        "openid",
        "profile"
      ],
      "hosts_behind_proxy" : ["*.domain.com"],
      "authorization_prompt_type" : "<empty string, none, login, consent, or select_account>"
    }
    ```

    This method returns a QFuture for the asynchronous operation. Use future.then() to continue processing when the operation completes. Use future.onFailed() to handle exceptions of type ErrorException.

    See Working with QFuture for further details.

    [static] Esri::ArcGISRuntime::Authentication::IapConfiguration *IapConfiguration::createForMicrosoft(const QString &tenantId, const QString &clientId, const QUrl &redirectUrl, const QStringList &hostsBehindProxy, Esri::ArcGISRuntime::Authentication::IapAuthorizationPromptType authorizationPromptType, QObject *parent = nullptr)

    Returns an Identity-Aware Proxy (IAP) configuration for Microsoft Entra Application Proxy from the specified parameters.

    • tenantId - A unique identifier assigned to an organization's instance in Microsoft Entra ID.
    • clientId - A unique application-specific identifier associated with an application which is registered with the Identity-Aware Proxy (IAP) portal.
    • redirectUrl - The URL that the Identity-Aware Proxy (IAP) login and logout pages will redirect to when authentication completes. The scheme of this URL must be registered as a custom URL scheme in the application.
    • hostsBehindProxy - The hosts of the ArcGIS resources that are to be accessed behind the Identity-Aware Proxy (IAP).
    • authorizationPromptType - The type of user interaction required for authentication and consent while signing in to the Identity-Aware Proxy (IAP).
    • parent - The optional parent QObject.

    [static] Esri::ArcGISRuntime::Authentication::IapConfiguration *IapConfiguration::fromJson(const QString &json, QObject *parent = nullptr)

    Converts a JSON string to an object.

    • json - The JSON string.
    • parent - The optional parent QObject.

    QStringList IapConfiguration::hostsBehindProxy() const

    Returns the hosts of the ArcGIS resources that are to be accessed behind the Identity-Aware Proxy (IAP).

    Supports the use of wildcards (*) to facilitate flexible access control. For example:

    • `["*"]`: Applies the ID token to all requests, allowing access to any host.
    • `["*.domain.com"]`: Applies the ID token to all requests that match the specified domain, which includes all subdomains.
    • `["*.subdomain.domain.com"]`: Applies the ID token to all requests that match the specified subdomain, providing granular control over access.
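
The wildcard rules above, and the host check that canBeUsedForUrl performs, modelled in standard C++ so a reviewer can see which hosts a proposed pattern list would attach the ID token to. This is an added example, not ArcGIS Runtime code: classifyPattern, hostMatches and tokenWouldBeSentTo are hypothetical names, and the case-insensitive comparison and the handling of the bare domain are assumptions this page does not state.

```cpp
// Stand-alone model of the hostsBehindProxy wildcard rules (not SDK code).
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

enum class PatternRisk { Exact, SubdomainWildcard, AnyHost, Malformed };

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Classify one hosts_behind_proxy entry so broad entries can be flagged in review.
PatternRisk classifyPattern(const std::string &pattern) {
    if (pattern == "*") return PatternRisk::AnyHost;   // ID token applied to every host
    if (pattern.empty()) return PatternRisk::Malformed;
    const auto star = pattern.find('*');
    if (star == std::string::npos) return PatternRisk::Exact;
    // Only a single leading "*." label is modelled; anything else is rejected.
    if (star == 0 && pattern.size() > 2 && pattern[1] == '.' &&
        pattern.find('*', 1) == std::string::npos)
        return PatternRisk::SubdomainWildcard;
    return PatternRisk::Malformed;
}

// Assumption: hosts compare case-insensitively, and "*.domain.com" matches
// subdomains at any depth but not the bare "domain.com".
bool hostMatches(const std::string &pattern, const std::string &host) {
    const std::string p = lower(pattern), h = lower(host);
    switch (classifyPattern(p)) {
    case PatternRisk::AnyHost: return !h.empty();
    case PatternRisk::Exact: return p == h;
    case PatternRisk::SubdomainWildcard: {
        const std::string suffix = p.substr(1);        // ".domain.com", dot included
        return h.size() > suffix.size() &&
               h.compare(h.size() - suffix.size(), suffix.size(), suffix) == 0;
    }
    default: return false;
    }
}

// True if any configured pattern would attach the ID token to requests for `host`.
bool tokenWouldBeSentTo(const std::vector<std::string> &patterns, const std::string &host) {
    return std::any_of(patterns.begin(), patterns.end(),
                       [&](const std::string &p) { return hostMatches(p, host); });
}
```

Keeping the leading dot in the suffix comparison is what stops a look-alike host such as `notdomain.com` from matching `*.domain.com`.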

    QString IapConfiguration::iapClientId() const

    Returns a unique identifier associated with an application which is registered with the Identity-Aware Proxy (IAP) portal.

    This identifier is utilized by the Identity-Aware Proxy (IAP) to determine which application is attempting to authenticate. It is essential for accurately recognizing and processing authentication requests, ensuring that only the correct application is granted access to protected resources. Notably, Microsoft Entra Application Proxy does not require an IAP client ID for authorization and token generation.

    QUrl IapConfiguration::logoutUrl() const

    Returns the Identity-Aware Proxy (IAP) endpoint used to log the user out of the web session and invalidate any associated tokens.

    This endpoint ensures that the user's session is securely terminated, preventing further access to protected resources.

    QUrl IapConfiguration::redirectUrl() const

    Returns the URL that the Identity-Aware Proxy (IAP) login and logout pages will redirect to when authentication completes. The scheme of this URL must be registered as a custom URL scheme in the application.

    QStringList IapConfiguration::scopes() const

    Returns a list of permissions that define the access level for which the user should be authenticated.

    The following scopes will be added if they are missing, as they are essential for generating the necessary tokens and ensuring appropriate access to protected resources:

    • `offline_access`: This scope allows an application to request permission to obtain refresh tokens from the authorization server. The refresh token enables the application to regenerate short-lived access and ID tokens without requiring the user to log in again.
    • `openid`: This scope permits an application to request an ID token from the authorization server. The ID token is essential for authenticating users with the Identity-Aware Proxy (IAP).
    • `profile`: This scope allows an application to request access to the user's basic profile information, including their name and username.

    [override virtual] QString IapConfiguration::toJson() const

    Reimplements: JsonSerializable::toJson() const.

    Converts the object to a JSON string and returns it.

    QUrl IapConfiguration::tokenUrl() const

    Returns the Identity-Aware Proxy (IAP) endpoint responsible for generating access, ID, and refresh tokens.

    This endpoint is used to exchange the authorization code for tokens that allow secure access to protected resources.

    bool IapConfiguration::operator==(Esri::ArcGISRuntime::Authentication::IapConfiguration *other) const

    Returns true if the comparison succeeds and the objects are equal, false otherwise.

    • other - The other Identity-Aware Proxy (IAP) configuration to compare.
