An ArcGIS identity, also known as named user, grants a short-lived access token giving your application permission to access the content and services authorized to your application user's existing ArcGIS Online or ArcGIS Enterprise account.
This temporary token is created using the OAuth 2.0 protocol. It authorizes your application to act on the user's behalf without revealing their secure password to your application. If your application will access your users' secure content in ArcGIS or if you plan to distribute your application through ArcGIS Marketplace, you must use ArcGIS identity authentication.
ArcGIS REST JS provides helper methods for the Node.js server environment to handle authentication in your applications. In this tutorial, you use an OAuth 2.0 server-side workflow. With server-side authentication, the refresh token generated for the session is stored in your server environment and used to obtain a short-lived access token for the user.
Prerequisites
You need an account to register a new OAuth 2.0 application. If you do not have an ArcGIS account you can sign up for a free ArcGIS Developer account.
Update your registered application to specify the Redirect URLs to use for authentication, in the format "https://<server>[:port]" or http://my-arcgis-app:/auth. For example, this tutorial uses http://localhost:3000/authenticate, so you will need to add that URL to your list of redirect URLs.
Generate a session secret and an encryption key. These are used to encrypt session information on the server. You can generate random, secure strings at RandomKeygen.
Steps
Set up a configuration file
In your developer dashboard, get your client ID. Ensure that http://localhost:3000/authenticate is registered as a redirect URL for your application.
Open a code editor and create a config.json file. Set the CLIENT_ID and REDIRECT_URI to those configured for your application in your developer dashboard. Set secure strings for the SESSION_SECRET and the ENCRYPTION_KEY. These can be generated at RandomKeygen.
By using the Node.js express server environment along with express-session and session-file-store, the user's session will persist on the server. The session is not stored on the client-side application and there is no permanent, persistent token stored on the user's machine.
When the user is redirected to the sign in page, the authorize method will be called to take the provided credentials and the response object. After the user is redirected back to the authenticate page, the exchangeAuthorizationCode method will be used to exchange the code from the redirect for a token and instantiate a new user session.
Call the authorize method with credentials and res (the response object) as parameters when the user gets redirected to the sign in page.
Redirect the user to the authorization page. Call the exchangeAuthorizationCode to use the credentials and exchange the code for a token in the session.
When you set up a session, express will set a cookie on the client to keep track of the session ID and persist the corresponding session on the server. By assigning the userSession to the request, the session ID is saved on the user's machine as a secure, encrypted file.
Save the session on the user's machine and redirect the user to the homepage.
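The two route handlers described in the steps above, written as an added example (this is not the tutorial's or ArcGIS REST JS's own code). They are plain functions that take the identity-manager class and the OAuth credentials as parameters, so the same code can be wired to Express and exercised with a stand-in class. Assumed: `IdentityManager` exposes the static `authorize(credentials, res)` and `exchangeAuthorizationCode(credentials, code)` methods the text names (`UserSession` in `@esri/arcgis-rest-auth`, `ArcGISIdentityManager` in v4 of `@esri/arcgis-rest-request`); `createAuthHandlers`, `homePath` and the return values are names chosen here.

```javascript
// Added example, not the tutorial's own code. IdentityManager is assumed to
// provide authorize(credentials, res) and exchangeAuthorizationCode(credentials, code).
function createAuthHandlers({ IdentityManager, credentials, homePath = "/" }) {
  if (!credentials || !credentials.clientId || !credentials.redirectUri) {
    throw new Error("credentials must include clientId and redirectUri");
  }

  // GET /authorize: the library writes a redirect to the ArcGIS sign-in page
  // for this client ID and the redirect URI registered in the dashboard.
  function authorize(req, res) {
    IdentityManager.authorize(credentials, res);
  }

  // GET /authenticate: ArcGIS redirects back here with ?code=<one-time code>.
  // Exchange it for a session (refresh token + short-lived access token), keep
  // that session server-side on req.session, persist it, then send the user home.
  // Returns true when a session was created, false when the request was rejected.
  async function authenticate(req, res) {
    const code = req.query && req.query.code;
    if (typeof code !== "string" || code.length === 0) {
      res.status(400).send("Missing authorization code");
      return false;
    }

    let userSession;
    try {
      userSession = await IdentityManager.exchangeAuthorizationCode(credentials, code);
    } catch (err) {
      // Do not echo the library error to the browser; log it server-side instead.
      res.status(502).send("Authorization code exchange failed");
      return false;
    }

    req.session.userSession = userSession;
    // express-session also saves at the end of the response; saving explicitly
    // before the redirect guarantees the session file exists when "/" is requested.
    await new Promise((resolve, reject) =>
      req.session.save((err) => (err ? reject(err) : resolve()))
    );
    res.redirect(homePath);
    return true;
  }

  return { authorize, authenticate };
}

module.exports = { createAuthHandlers };
```

Wire the handlers after the session middleware, for example `app.get("/authorize", handlers.authorize)` and `app.get("/authenticate", handlers.authenticate)`, where `handlers = createAuthHandlers({ IdentityManager: UserSession, credentials: { clientId: CLIENT_ID, redirectUri: REDIRECT_URI } })`. The code is checked before the exchange so a request without one never reaches the portal, and the refresh token only ever lives in the server-side session object, never in the redirect response.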
Call the use method of express to start implementing express-session. Set the secret to your application's SESSION_SECRET. This is used to encrypt the cookies and session information.
Set the encoder option with the sessionObj to serialize the session object before it is encrypted and stored on disk. The decoder decodes the sessionContent using the encryption key the user specifies.
When you click Sign in, you will be redirected back to your server. The session information including the clientId, the refreshToken, and your username will populate the page: