ArcGIS supports secure authentication using OAuth2.0 protocols. To authenticate using OAuth 2.0, you need to create OAuth credentials and implement user authentication or app authentication in your application. You can use these authentication workflows to access secure services and content hosted in a portal.
To authenticate requests using OAuth 2.0, you need to have one of the following accounts:
- ArcGIS Online account
- ArcGIS Location Platform account
- ArcGIS Enterprise account
The easiest way to implement an OAuth 2.0 workflow is to integrate the request module from ArcGIS REST JS, which streamlines the authentication process.
How to use OAuth credentials
The recommended way to implement OAuth 2.0 is to use the ArcGISIdentityManager module from ArcGIS REST JS.
Below are the typical steps for implementing browser-based OAuth 2.0.
- Sign in to your portal.
- Create or use an existing OAuth 2.0 application.
- Get the client ID and redirect URI from your application.
- Set the client ID (in your application).
- Create a callback page defined in the redirect URI that will complete the authentication process.
- Set the generated token where authentication is a required parameter.
To learn about other types of OAuth 2.0 authentication methods, go to Implement user authentication (server) tutorial.
User authentication
User authentication is a set of authentication workflows that allow users with an ArcGIS account to sign into an application and access ArcGIS content, services, and resources. The typical authentication protocol used is OAuth 2.0. When a user signs into an application with their ArcGIS account, an access token is generated that authorizes the application to access services and content on their behalf. The resources and functionality available depend on the user type, roles, and privileges of the user's ArcGIS account. This authentication type was previously known as Named user login and ArcGIS identity.
If your application will access your users' secure content in ArcGIS or if you plan to distribute your application through ArcGIS Marketplace, you must use user authentication.
App authentication
App authentication, formerly known as app credential authentication, is a type of authentication that grants a short-lived access token to applications based on a set of OAuth 2.0 credentials. The resources and functionality available depend on the user type, roles, and privileges of your ArcGIS account.
Examples
User authentication with ArcGIS REST JS
This example uses the ArcGISIdentity module from ArcGIS REST JS.
import { ArcGISIdentityManager } from "@esri/arcgis-rest-request";
// register your own app to create a unique clientId
const clientId = "YOUR_CLIENT_ID"
// send the user to the authorization page
ArcGISIdentityManager.beginOAuth2({
yourClientId,
redirectUri: 'https://yourapp.com/authenticate.html'
})
.then(authenticationManager => {
console.log(authenticationManager)
});import { ArcGISIdentityManager } from "@esri/arcgis-rest-request";
const clientId = "YOUR_CLIENT_ID"
/**
* after the user authorizes the application they will be redirected to
* the page defined in redirectUri which will need to complete the
* authentication process.
**/
ArcGISIdentityManager.completeOAuth2({
yourClientId,
redirectUri: 'https://yourapp.com/authenticate.html'
});User authentication without ArcGIS REST JS
This example shows how to configure an OAuth 2.0 workflow without the helper methods from ArcGIS REST JS.
const yourClientID = "YOUR_CLIENT_ID";
let accessToken;
const callbacks = [];
const protocol = window.location.protocol;
const callbackPage = protocol + "./oauth-callback.html";
function oauth(callback) {
if (accessToken) {
callback(accessToken);
} else {
callbacks.push(callback);
window.open(
"https://www.arcgis.com/sharing/oauth2/authorize?client_id=" +
yourClientID +
"&response_type=token&expiration=20160&redirect_uri=" +
window.encodeURIComponent(callbackPage),
"oauth",
"height=400,width=600,menubar=no,location=yes,resizable=yes,scrollbars=yes,status=yes"
);
}
}/* Once the user is authorized, the access token must be retrieved.*/
let match;
if (window.location.hash && (match = window.location.hash.match(/#access_token=([^&]+)/))) {
if (window.opener && window.opener.parent) {
window.opener.parent.oauthCallback(match[1]);
} else {
window.parent.oauthCallback(match[1]);
}
window.close();
}