User authentication flows

The process of programmatically verifying users and requesting an access token is called an authentication flow. User authentication can be implemented using several different authorization flows. This section gives an overview of the different flows, and the table below compares them.

In general, user authentication flows are divided into OAuth 2.0 flows and Non-OAuth flows. An OAuth 2.0 flow is recommended for almost all use cases, except for some developers working with ArcGIS Enterprise.

| Authentication flow | OAuth 2.0 compliant | OAuth 2.0 grant_type | Use cases |
|---|---|---|---|
| Authorization code with PKCE | Yes | authorization_code | Client-side apps such as native apps, mobile apps, and web applications without a server-side component |
| Authorization code | Yes | authorization_code with PKCE | Web apps with a server-side component |
| Implicit | Yes | implicit | Deprecated. No longer recommended for use. |
| Generate token | No | | Trusted or local applications when other flows cannot be used |
| Integrated Windows Authentication (IWA) | No | | ArcGIS Enterprise applications |
| Public key infrastructure (PKI) | No | | ArcGIS Enterprise applications |

OAuth 2.0 flows

ArcGIS follows the industry-standard OAuth 2.0 protocol for authorization. It supports the following OAuth 2.0 flows for user authentication.

Authorization code with PKCE

Authorization code flow with Proof Key for Code Exchange (PKCE) is the primary OAuth 2.0 flow that ArcGIS recommends for user authentication. It extends the authorization code flow with PKCE as an additional layer of security.

It uses the OAuth 2.0 authorization_code grant type and requires a client_id from a set of OAuth credentials.

All of the AuthenticationManager and IdentityManager classes in ArcGIS APIs and SDKs use this flow for user authentication. Support for PKCE was introduced in 2020 for ArcGIS Online and at version 10.8.1 for ArcGIS Enterprise.

Authorization code

The authorization code flow is an OAuth 2.0 flow used to implement user authentication. It uses the authorization_code grant type and requires a client_id from a set of OAuth credentials.

This flow grants an access token to petitioners using a multi-step process. First, users request an authorization code from the authorization endpoint by providing their username and password. They use that authorization code to request an access token from the token endpoint. The access token can then be used to authorize requests to secure ArcGIS resources.

Implicit (deprecated)

The implicit flow is an OAuth 2.0 flow that was previously used to implement user authentication in client-side web apps. It is considered deprecated in current versions of ArcGIS, and the Authorization code flow with PKCE is now recommended instead.

This flow grants an access token to petitioners using a single-step process. Users request an access token directly from the authorization endpoint by providing their username and password and setting a response_type of token. The access token can then be used to authorize requests to secure ArcGIS resources.

Non-OAuth 2.0 flows

ArcGIS supports additional user authentication flows that do not adhere to the OAuth 2.0 protocol. They include the following:

Generate token

Enterprise flows

These flows are only supported by ArcGIS Enterprise portal services.

Integrated Windows Authentication (IWA)

This method manages user login through Microsoft Windows Active Directory, and the user typically enters their username and password manually. To use Integrated Windows Authentication, you need to configure it in ArcGIS Enterprise.

Public key infrastructure (PKI)

Public and private digital keys support authentication and secure communication over insecure networks. To use PKI, you need to configure it in ArcGIS Enterprise using either Lightweight Directory Access Protocol (LDAP) or Windows Active Directory.

Tutorials

Create OAuth credentials for user authentication

Create and configure OAuth credentials to set up user authentication.


Sign in with user authentication
