OAuth authentication now defaults to short-lived access tokens obtained through the two-step authorization code flow with Proof Key for Code Exchange (PKCE). This is the default behavior for applications that use the default page redirection for OAuth sign-in. The change follows the recommendations of the OAuth 2.0 Security Best Current Practice specification.
Prior to this version, the default was the one-step (implicit) flow: once the user authenticated, the access token itself was appended to the redirect URL as a fragment (hash) and delivered to the client in a single step. This was a problem if the token was leaked or stolen, since every resource accessible with that token would also be compromised.
Applications that use two-step authentication with user sign-in via a popup window must opt in by setting flowType = "authorization-code". In addition, any existing callback page should be updated to support it. To aid in this, the default oauth-callback.html has been updated to handle the two-step approach while continuing to work with the one-step flow.
This update should be transparent, requiring no changes by the developer, if popups are not used for signing in and the application accesses ArcGIS Online or a version of ArcGIS Enterprise that supports PKCE.
flowType property on OAuthInfo. Set this property to specify the type of authentication to use.

Version 3.40 of the ArcGIS API for JavaScript includes:
dgrid1 directory, whereas for version 0.x reference the dgrid directory. Please refer to the dgrid 0.4 Migration Guide for additional information on migrating to the newer version.
Use the repository on GitHub for the JS API TypeScript definitions.