OAuth 2.0 is a standard for handling authentication decisions among various web-enabled devices and servers.

The OAuth 2.0 specification defines a delegation protocol that is useful for conveying authorization decisions across a network of web-enabled applications and APIs.

  User Authentication with OAuth 2.0

In other words, OAuth 2.0 is not an identity provider because OAuth 2.0 does not know anything about users. It is not an authorization protocol because OAuth 2.0 does not care about what you authenticate or your permissions model.

OAuth 2.0 only cares about HOW credentials are requested and transmitted over the network.

ArcGIS Online and OAuth 2.0

ArcGIS Online performs authorization using an OAuth 2.0 based workflow for several reasons.

  • OAuth 2.0 meets the needs of both users and applications.
  • There are strong security practices around OAuth 2.0.
  • OAuth 2.0 is designed to function at Internet-scale across domains, networks, cloud services, and applications.
  • As a widely accepted standard, OAuth 2.0 has many libraries and helpers for a variety of languages and platforms.

Version Support

Support for OAuth 2.0 was added to ArcGIS Server and Portal for ArcGIS at version 10.3. Using version 10.3 or later allows you to perform named user login or app login with your on-premises portal acting as the OAuth 2.0 server.

Grant types

ArcGIS Online uses the following grant types from the OAuth 2.0 specification:

  • implicit for browser, mobile, and native applications
  • authorization_code for server, mobile, and native applications
  • client_credentials for application authentication

OAuth 2.0 REST endpoints

  • Token Endpoint: https://www.arcgis.com/sharing/rest/oauth2/token/
  • Authorization Endpoint: https://www.arcgis.com/sharing/rest/oauth2/authorize
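
The authorization_code grant against the two endpoints above, shown as an added example that is not Esri's own code: it builds the authorization request, rejects a callback whose state does not match, and prepares the token request. Parameter names are the standard ones from RFC 6749; the client ID, redirect URI, and code are constructed sample values.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Endpoints as listed on this page.
AUTHORIZE_URL = "https://www.arcgis.com/sharing/rest/oauth2/authorize"
TOKEN_URL = "https://www.arcgis.com/sharing/rest/oauth2/token/"

def build_authorize_url(client_id, redirect_uri):
    """Step 1: URL the user's browser is sent to. Returns (url, state)."""
    state = secrets.token_urlsafe(32)  # unguessable; store it in the user's session
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state

def parse_callback(callback_url, expected_state):
    """Step 2: validate the redirect back to the app and extract the code."""
    params = parse_qs(urlsplit(callback_url).query)
    returned_state = params.get("state", [""])[0]
    # Constant-time comparison; a mismatch means the response was not
    # produced by the request this session started (CSRF defence).
    if not hmac.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard the response")
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    if len(params.get("code", [])) != 1:
        raise ValueError("expected exactly one authorization code")
    return params["code"][0]

def build_token_request(client_id, code, redirect_uri):
    """Step 3: form body to POST server-side to TOKEN_URL (never as a query string)."""
    return TOKEN_URL, {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the value sent in step 1
    }

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    cid, redirect = "SAMPLE_CLIENT_ID", "https://app.example/callback"
    url, state = build_authorize_url(cid, redirect)
    code = parse_callback(f"{redirect}?code=SAMPLE_CODE&state={state}", state)
    print(build_token_request(cid, code, redirect))
```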

More Information

To continue implementing OAuth 2.0, follow the implementation guides for named user login or app login.