The process of programmatically verifying users and requesting an access token is called an authentication flow. User authentication can be implemented using several different authorization flows. This section provides an overview of the different flows, as well as a comparison below.
In general, user authentication flows are divided into OAuth 2.0 flows and non-OAuth flows. An OAuth 2.0 flow is recommended for almost all use cases, the exception being some developers working with ArcGIS Enterprise.
Authentication flow | OAuth 2.0 compliant | OAuth 2.0 grant | Use cases |
---|---|---|---|
Authorization code with PKCE | ✔ | authorization code with PKCE | Client-side apps such as native apps, mobile apps, and web applications without a server-side component |
Authorization code | ✔ | authorization code | Web apps with a server-side component |
Implicit | ✔ | implicit | Deprecated. No longer recommended for use. |
Generate token | ✖ | ✖ | Trusted or local applications when other flows cannot be used |
Integrated Windows Authentication (IWA) | ✖ | ✖ | ArcGIS Enterprise applications |
Public key infrastructure (PKI) | ✖ | ✖ | ArcGIS Enterprise applications |
OAuth 2.0 flows
ArcGIS follows the industry-standard OAuth 2.0 protocol for authorization. It supports the following OAuth 2.0 flows for user authentication.
Authorization code with PKCE
Authorization code flow with Proof Key for Code Exchange (PKCE) is the primary OAuth 2.0 flow that ArcGIS recommends for user authentication. It is an extension of the authorization code flow that adds Proof Key for Code Exchange (PKCE) as an additional layer of security: the client proves at the token endpoint that it is the same party that started the authorization request, so an intercepted authorization code alone cannot be exchanged for a token.
It uses the OAuth 2.0 authorization code grant type and requires a client ID from a set of OAuth credentials.
All of the Authentication and Identity classes in ArcGIS APIs and SDKs use this flow for user authentication. Support for PKCE was introduced in 2020 for ArcGIS Online and at version 10.8.1 for ArcGIS Enterprise.
Authorization code
The authorization code flow is an OAuth 2.0 flow used to implement user authentication. It uses the authorization code grant type and requires a client ID from a set of OAuth credentials.
This flow grants an access token to a requesting application using a multi-step process. First, users request an authorization code from the authorization endpoint by providing their username and password. The application then exchanges that authorization code for an access token at the token endpoint. The access token can then be used to authorize requests to secure ArcGIS resources.
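The three steps above, with the PKCE extension from the previous section, as an added example that is not ArcGIS's own code. It assumes the standard ArcGIS Online `oauth2/authorize` and `oauth2/token` endpoints, a placeholder client ID and redirect URI, and builds the requests without sending them, so it runs offline. The `state` check on the redirect is included because the page's multi-step description depends on the code arriving at the same client that asked for it.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed ArcGIS Online OAuth 2.0 endpoints (not taken from the page).
AUTHORIZE_URL = "https://www.arcgis.com/sharing/rest/oauth2/authorize"
TOKEN_URL = "https://www.arcgis.com/sharing/rest/oauth2/token"

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def code_challenge(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def pkce_pair() -> tuple[str, str]:
    """Fresh high-entropy verifier (43 chars; RFC allows 43-128) and its challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, code_challenge(verifier)

def build_authorize_url(client_id, redirect_uri, challenge, state):
    """Step 1: the URL the user's browser visits; only the challenge leaves the app."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,  # bound to this session, checked on the redirect back
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def parse_redirect(redirect_url, expected_state):
    """Step 2: pull the code out of the redirect; refuse a mismatched state."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this response")
    return qs["code"][0]

def build_token_request(client_id, code, redirect_uri, verifier):
    """Step 3: form body POSTed to TOKEN_URL; the verifier proves the same client."""
    return {"client_id": client_id, "grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "code_verifier": verifier}
```

The verifier is generated once per authorization attempt and kept only in the app; a new pair is needed for every sign-in.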
Implicit (deprecated)
The implicit flow is an OAuth 2.0 flow that was previously used to implement user authentication in client-side web apps. It is considered deprecated in current versions of ArcGIS, and the Authorization code flow with PKCE is now recommended instead.
This flow grants an access token to a requesting application using a single-step process. Users request an access token directly from the authorization endpoint by providing their username and password and setting a response type of token. The access token can then be used to authorize requests to secure ArcGIS resources.
Non-OAuth 2.0 flows
ArcGIS supports additional user authentication flows that do not adhere to the OAuth 2.0 protocol. They include the following:
- Generate token flow
- Integrated Windows Authentication (IWA) flow for ArcGIS Enterprise
- Public Key Infrastructure (PKI) flow for ArcGIS Enterprise
Generate token
Enterprise flows
These flows are only supported by ArcGIS Enterprise portal services.
Integrated Windows Authentication (IWA)
This method manages user login through Microsoft Windows Active Directory; the user typically enters their username and password manually. To use Integrated Windows Authentication, you will need to configure it in ArcGIS Enterprise.
Public key infrastructure (PKI)
Public and private digital keys support authentication and secure communication over insecure networks. To use PKI, you need to configure it in ArcGIS Enterprise using either Lightweight Directory Access Protocol (LDAP) or Windows Active Directory.
Tutorials
Create OAuth credentials for user authentication
Sign in with user authentication
Create an application that requires users to sign in with an ArcGIS account.