OAuth 2.0 is a standard for handling authentication decisions among various web-enabled devices and servers.
The OAuth 2.0 specification defines a delegation protocol that is useful for conveying authorization decisions across a network of web-enabled applications and APIs.
In other words, OAuth 2.0 is not an identity provider because OAuth 2.0 does not know anything about users. It is not an authorization protocol because OAuth 2.0 does not care about what you authenticate or your permissions model.
OAuth 2.0 only cares about HOW credentials are requested and transmitted over the network.
ArcGIS Online and OAuth 2.0
ArcGIS Online performs authorization using an OAuth 2.0 based workflow for several reasons.
- OAuth 2.0 meets the needs of both users and applications.
- There are strong security practices around OAuth 2.0.
- OAuth 2.0 is designed to function at Internet-scale across domains, networks, cloud services, and applications.
- As a widely accepted standard, OAuth 2.0 has many libraries and helpers for a variety of languages and platforms.
Support for OAuth 2.0 was added to ArcGIS Server and ArcGIS Enterprise portal at version 10.3. Using version 10.3 or later allows you to perform named user login or app login with your on-premises portal acting as the OAuth 2.0 server.
ArcGIS Online uses the following grant types from the OAuth 2.0 specification:
- implicit for browser, mobile, and native applications
- authorization_code for server, mobile, and native applications
- client_credentials for application authentication
OAuth 2.0 REST endpoints
- Token Endpoint:
- Authorization Endpoint:
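How the three grant types above differ in what a client sends to the two endpoints, as an added example that is not Esri's code. The endpoint URLs, client values and function names are placeholders or hypothetical, and the parameter names are the standard ones from the OAuth 2.0 specification (RFC 6749), assumed to be accepted as specified.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder endpoints (assumption): substitute your portal's real URLs.
AUTHORIZE_URL = "https://portal.example/oauth2/authorize"
TOKEN_URL = "https://portal.example/oauth2/token"

def authorization_request(grant, client_id, redirect_uri):
    """Build the user-facing redirect for the implicit or authorization_code grant."""
    response_type = {"implicit": "token", "authorization_code": "code"}[grant]
    state = secrets.token_urlsafe(32)  # unguessable, stored in the user's session
    query = urlencode({"response_type": response_type, "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{AUTHORIZE_URL}?{query}", state

def code_from_callback(callback_url, expected_state):
    """Return the authorization code only if the callback matches our session."""
    params = parse_qs(urlparse(callback_url).query)
    returned = params.get("state", [""])[0]
    if not secrets.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback was not started by this session")
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]

def token_request(grant, client_id, *, code=None, redirect_uri=None, client_secret=None):
    """Return the form fields to POST to TOKEN_URL over HTTPS for a grant."""
    if grant == "authorization_code":
        if not (code and redirect_uri):
            raise ValueError("authorization_code needs code and redirect_uri")
        return {"grant_type": grant, "client_id": client_id,
                "code": code, "redirect_uri": redirect_uri}
    if grant == "client_credentials":
        if not client_secret:
            raise ValueError("client_credentials needs the app's client_secret")
        return {"grant_type": grant, "client_id": client_id,
                "client_secret": client_secret}
    # implicit: the token arrives in the redirect fragment, never via TOKEN_URL
    raise ValueError(f"{grant!r} does not use the token endpoint")

if __name__ == "__main__":
    url, state = authorization_request("authorization_code", "demo-client",  # constructed
                                       "https://app.example/callback")
    code = code_from_callback(f"https://app.example/callback?code=abc&state={state}", state)
    print(token_request("authorization_code", "demo-client", code=code,
                        redirect_uri="https://app.example/callback"))
```

The `client_secret` used by `client_credentials` belongs only in server-side code, which is why that grant is listed for application authentication rather than for browser or mobile clients.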