OAuth credentials (for user authentication)

OAuth credentials are an item used to support authentication workflows. They are required to implement user authentication and app authentication using OAuth 2.0 workflows.

Most user authentication flows require a valid client_id from a set of OAuth credentials. They also require a redirect URI to be configured in the OAuth credential settings.

Create OAuth credentials (for user authentication)

You can create OAuth credentials by using the Developer credentials tool in your portal.

Redirect URLs

A redirect URL is a required parameter of user authentication flows. This is the URL that your application will direct users to after they successfully authenticate.

Redirect URLs are managed as a property of OAuth credentials. They can be added to your credentials during the creation process, or any time through the Settings panel of the credentials item page.

To add a redirect URL to your developer credentials, complete the following steps:

1. Sign in to your portal and search for your developer credentials.

2. Go to the item page of the credentials and click Settings > Application.

3. Under Redirect URLs, add the URL that you want to direct users to after completing authentication. This URL varies based on your application and typically takes the format of "https://<server>[:port]/callback.html" or "http://my-arcgis-app:/auth". This is a valid web page or server endpoint to which a user can be redirected after successful sign in.

   • For example, if you are running an application on https://localhost:8080, add https://localhost:8080/callback.html to the list of redirect URLs. The exact URL depends on the name of your callback page and the programming language you are using. If you are following a "Sign in with user authentication" ArcGIS tutorial, it will specify the name of your callback page.
   

Privileges and item access

When implementing user authentication, your application inherits all privileges and item access rights from the signed-in ArcGIS user. Although OAuth credentials provide settings to manage privileges and item access, these settings are not used in user authentication. To learn how OAuth credentials manage privileges and item access for other types of authentication, go to OAuth credentials (for app authentication)

Referrers

A referrer is an HTTP header field used to identify the client requesting a server resource. This functions as a security measure, allowing applications to confirm their client's identity. When OAuth credentials have a specific HTTP referer header set, services can confirm that an incoming request's referrer matches one of the valid referrers assigned to that access token.

Specific domains can be provided or you can use wildcard characters (*) in the subdomain of your allowed referrer. For example https://*.your-app.com will allow the access token to be used on both https://dev.your-app.com and https://your-app.com. While it is also possible to restrict access token use to specific paths (https://your-app.com/page), we do not recommend this method because browsers may remove the path due to privacy concerns.

Usage tracking

All services and content accessed with OAuth credentials are tracked. You can monitor the usage of credentials in order to view the consumption of services and the billing amount.

The steps to monitor usage vary based on the type of ArcGIS account the credentials were created with: