Authentication in ArcGIS

Security is the protection of resources available on a network yet intended for authorized access only. The Internet is one such network, but VPNs and intranets are also possibilities. Your application or the users of your application must authenticate with a qualified agency (any ArcGIS platform such as ArcGIS Online, ArcGIS Enterprise, or other compatible secured service) when you need to access resources that aren't shared publicly.

Your application requires authentication when it tries to do the following:

• Access a user's private content
• Create, edit, and publish content
• Access premium content and services.

Premium content and services include the ArcGIS platform of services that run on a credit-based model. You purchase or otherwise acquire service credits for your ArcGIS Online organization. When your application uses qualifying services, service credits are consumed. The number of service credits spent depends on the service. See Service Credits Overview for details on which services require credits and, for those that do, how many credits are consumed. Because service credits cost real money, and publishing and editing content is important to your business, Esri provides the services and mechanisms to help you protect these valuable resources.

Security methodologies

The ArcGIS platform supports several security methodologies. When you build an app, whether with ArcGIS Runtime or with another technology, you must implement at least one method of authentication in order to access secured resources on behalf of your user. Methods of gaining access to secure resources include:

• OAuth 2.0 (OAuth): The ArcGIS platform determines user authenticity and a token is supplied to the client app. This token is used in subsequent requests for secured resources. OAuth 2.0 is the recommended methodology to use to sign in your users. Available with ArcGIS Online and ArcGIS Enterprise version 10.3 and later.

• Token-based: Your app provides a valid user name and password for the user. In the response, you receive a token that is included with requests for secured content on the portal for authenticated resources. Available with ArcGIS Online and ArcGIS Enterprise version 10.2 or earlier.

• Public Key Infrastructure (PKI): public and private digital keys support authentication and secure communication over insecure networks. In a PKI, the identity of a user, organization, or software agent is represented by a pair of digital keys. Users in a PKI are required to authenticate themselves by presenting their digital keys and are never issued a user name and password. PKI uses a mathematical technique called public key cryptography to generate the digital keys that represent a user or organization.
  
  ArcGIS Enterprise leverages the PKI solution with web servers through the use of ArcGIS Web Adaptors. When a request is made for a resource on ArcGIS Enterprise, the web server authenticates the user by validating the client certificate provided. The request (along with the user name) is then forwarded to ArcGIS Enterprise via the Web Adaptor. ArcGIS Enterprise verifies that the specified user has access to the requested resource before sending back the appropriate response.

• HTTP/Windows Authentication (HTTP basic, HTTP digest or Integrated Windows Authentication (IWA)): resources are protected by user name and password set on the service and prompted by browser popup or session cookie. When you use IWA, logins are managed through Microsoft Windows Active Directory. Users do not sign in and out of the portal website; instead, when they open the website, they are signed in using the same accounts they use to log in to Windows. For more information, refer to Integrated Windows Authentication with your portal.

Typically you work with your server administrator to determine the type of authentication used with your portal and the method required to access it.

Authentication patterns

Within the supported authentication methodologies there are two classes of user: you, the app developer, and individual users of your app. Depending on the user experience you want to expose and the resource access rights you want to attribute to your app, ArcGIS Runtime provides two authentication patterns:

• Named user login
• App login

Named user login

In the named user login pattern, ArcGIS Online users authorize your app to access content and services on their behalf. In this scenario, your app prompts the user for their ArcGIS Online user name and password, and then uses their credentials to access content. Using this model, users consume their own service credits for premium content and may access resources they have access rights to.

In the named user login pattern, your app can access private content owned by the logged-in user or owned by that user’s organization. The app can also access premium content, such as geocoding, routing, and demographic data.

Usage incurred with tokens obtained through named user login is billed to that user's organization. Your app can access any service the logged-in user has access to.

Once a user has authorized your app and you have an access token, your app can do anything that user is allowed to do, including:

• Access premium ArcGIS Online content and services such as geocoding and routing on behalf of the user
• Create, update, and delete that users content
• Share content with other users in the organization
• Access content shared with the user

App login

Use app login to provide your users access to your organization's content and premium content and services on your behalf. In this scenario, your app accesses content using hard-coded credentials that belong to your app (see using a proxy service below to address this potential security risk). This allows access to content the user otherwise may not have permission to. Users are not prompted to log in because they are logged in with your app's credentials. Using this model, users have access to any resources you have access to, and consume your service credits for premium content.

App login is designed for apps whose users are not ArcGIS Online users or for apps that do not require a user login prompt. It’s ideal for distributing apps through app stores, ad-hoc distribution, or web apps. But, if your app uses services that incur cost, you will have to pay the costs. Usage incurred with tokens obtained through app login is billed to your account.

In the app login pattern, users can access premium ArcGIS Online content and services such as routing, geocoding, and demographic data. You register your application on ArcGIS for Developers or on ArcGIS Online. Then use your application's credentials where required in our API to access premium services.

App login can be used to access any of these services:

• Public content (basemaps, layers shared publicly);
• Geocoding;
• Routing and Directions;
• Demographic Data (GeoEnrichment);
• Esri Premium Maps and Layers which require a subscription;
• Elevation Analysis.

There are certain limitations and restrictions using app login.

Named user login vs. app login

Both authentication patterns are compared here and are based on token passing. To help you choose which authentication pattern best serves your needs ask yourself the following questions and use the capabilities table in this section to determine which capabilities you want to include in your app.

If the answer is "Yes" to any of the above questions then it is recommended to implement named user login.

If your users are not ArcGIS Online users, or you do not want to ask users to login, or you want to assume the cost of premium services such as routing, geocoding, and demographic data, then choose app login.

Capabilities table

[1] Usage (if any) billed to a user's organization.
[2] If allowed by user's role and privileges.
[3] Review limitations and restrictions when using app login.

Using a proxy service

Client secrets should never be exposed in any client-side application, whether your app is browser-based, a native app, or a hybrid. Your secret information could be hijacked by a hacker then used without your knowledge. One solution to mitigate the client-side exposure of secrets is to use a proxy service to broker the secret on behalf of your app. Your client-side app sends security sensitive requests to a proxy service, the proxy adds the necessary secrets, and then forwards the request to the service. The service sends the reply back to your proxy and your proxy forwards the reply back to your app.

Esri provides two methods you can choose from to deploy a proxy service for your app:

1. ArcGIS Online hosted proxy service configured on the ArcGIS for Developers website providing publically accessible endpoints for many premium services.
2. A self-hosted resource proxy built in PHP, .NET, or Java that can proxy any ArcGIS service. Esri provides the source code on github.

These proxies can be configured with your Client ID and Client Secret and used in conjunction with either the ArcGIS Runtime, ArcGIS API for JavaScript, Esri Leaflet, or REST.

See our guide to working with proxies for a more detailed description of using a proxy service with your application.

ArcGIS Marketplace apps

ArcGIS Marketplace is a destination that enables ArcGIS users to search, discover, and get apps and content from qualified providers. Apps and content services listed in the marketplace can be made available to any ArcGIS Online organization worldwide. With an app listing in the Marketplace you can sell your app and keep 100% of the sales revenue, provide a free trial of your app, generate new leads, and market to the ArcGIS user community.

There are specific implementation requirements you must follow in order to build an application for the ArcGIS Marketplace.

• Build the app using any of the ArcGIS Runtime SDKs or the ArcGIS API for JavaScript supported by ArcGIS Online
• Implement the named user login pattern with OAuth 2.0.
• Leverage ArcGIS Online subscriptions
• Provide value to the ArcGIS community
• Receive approval from Esri

For more information about the ArcGIS Marketplace see Build apps for ArcGIS Marketplace.

Get started with authentication

Once you decide to integrate authentication into your app, you will be required to register an app on the server. This process sets up the connection and association between your client app and the services of the server. When you register your application with ArcGIS Online you are given credentials that allow you to initiate named user login or app login.

Implementing authentication in your app