App authentication is a type of authentication that generates short-lived access tokens based on a set of OAuth credentials. The access tokens are associated with your ArcGIS account, and can be used to to authenticate requests to location services and private items.
App authentication is typically implemented on a web server or in standalone console scripts. This is to avoid exposing the confidential client_ and client_ values contained within OAuth credentials. App authentication is not recommended for client applications without a web server, or in private applications that require users to sign in.
You can use app authentication to:
- Authenticate on web servers or standalone console scripts.
- Access location services.
- Access secure items in a portal.
- Authenticate with an OAuth 2.0 process that provides better security than API key authentication.
- Create public applications that allow users to remain anonymous.
- Access secure resources with the privileges of your ArcGIS account.
How app authentication works
Apps that implement app authentication submit requests for access tokens using an OAuth 2.0 client_ and client_. These values are generated from OAuth credentials and should remain confidential at all times.
The high-level process of app authentication is as follows:
- Include a
client_andid client_from OAuth credentials in your server script.secret - Create an endpoint for clients to request access tokens.
- When a client requests a token, submit a request to the token endpoint of your portal service.
- Deliver the resulting access token to the client.
- The client uses the access token to access secure resources.
- Include a
client_andid client_from OAuth credentials in your script.secret - Submit a request to the token endpoint of your portal service.
- Use the resulting access token to access secure resources
OAuth credentials
OAuth credentials are an item used to support authentication workflows. They are required to implement user authentication and app authentication using OAuth 2.0 workflows.
Limitations
App authentication can only be used to access location services and secure items in a portal. API keys cannot be used to access spatial analysis services or the portal service.
The following table is an overview of the resources and the functionality available when implementing each type of authentication:
| API key authentication | User authentication | App authentication | |
|---|---|---|---|
| Location services | |||
| Data services (Item access) | |||
| Spatial analysis services | |||
| Portal service (General privileges) | |||
| Portal service (Admin privileges) |