Keep in mind the following considerations when you use anonymous views or forms with K2 Cloud:
- Once you have configured the Anonymous Access property on a view or form, an OAuth token must be cached with the K2 Cloud Application Pool account in order for the form to have user context in SharePoint. To create the cached token, you must open the anonymously-enabled view or form for the first time as a user with the minimum rights needed to perform the SharePoint site, list or library actions. When you do this using that account, K2 Cloud checks the anonymous setting and, if it is on, uses the token of the currently logged-in user to access SharePoint resources. This token is then associated (cached) with the K2 Cloud Application Pool account. From then on, whenever the anonymous view or form is opened, K2 Cloud uses the cached OAuth token to access SharePoint. In other words, K2 Cloud uses the OAuth token of the first user that opens the anonymous form for all subsequent times the form is opened, regardless of which user is signed in.
Do not use an Administrator account or other account with privileged access to generate the anonymous access token. Instead, use a SharePoint user that has the minimum rights to run the form successfully (the minimum rights depend on the solution and what you've designed it to do). It is recommended that you define a specific account to use for all anonymous access, and then give this account the necessary rights in SharePoint for all anonymous views and forms. Whenever you need to enable a view or form for anonymous access and generate the OAuth token, open it for the first time using this account so that all anonymous views and forms use the same token. If needed, you can disable access to a SharePoint resource for that account, or give it greater access; either change applies to all of your anonymous views and forms.
- All other views and forms that run anonymously are accessed with the token created in the beginning by the first user that opens the view or form.
- You can delete the cached token for the Application Pool account by going to the Management site.
- The cached token is not specific to a view or form; it is shared among all anonymous-enabled views and forms that use the same account token.