OAuth 2.0
OAuth 2.0 is an industry standard protocol for authorization. It defines how to obtain and manage user credentials for web, desktop, and mobile applications.
Users, clients, or servers are authorized for system access using encrypted tokens, and receive access tokens in response from the authorizing server. These tokens act as "keys", granting access to secured data for a fixed time period.
How does ArcGIS use OAuth 2.0?
ArcGIS uses OAuth 2.0 to safely expose ArcGIS identity to 3rd party applications.
ArcGIS Platform stores private user identities and content; 3rd party applications access those resources through the secure OAuth 2.0 user authorization protocol.
ArcGIS APIs contain a built-in IdentityManager or AuthenticationManager class that can be used to obtain an ArcGIS identity and simplify your process when implementing OAuth 2.0. See ArcGIS identity for more information about these classes.
Use OAuth 2.0 to get temporary tokens that authorize your app with ArcGIS Platform in one of two ways:
- ArcGIS identity: for applications that use an existing ArcGIS Platform end user's login to access secure content and services on their behalf; transactions are metered to the user's account.
- Application credentials: for applications that access ready-to-use services on ArcGIS Platform using the registered application's credentials; transactions are metered to the owner of the registered application.
Get credentials
You must first register your application and obtain a client_id and client_secret. Use the method prescribed by the platform from which you are building your app to authorize your users and obtain an OAuth 2.0 access_token. You should also set up a redirect URI at this time.
OAuth 2.0 grant types
ArcGIS uses the following OAuth 2.0 grant types:
- implicit for browser-based, desktop, and mobile applications using ArcGIS identity.
- authorization_code for server and mobile applications using ArcGIS identity.
- client_credentials for application credentials.
OAuth 2.0 endpoints
OAuth 2.0 workflows use the following endpoints:
- Token: https://www.arcgis.com/sharing/rest/oauth2/token/
- Authorization: https://www.arcgis.com/sharing/rest/oauth2/authorize
- Token: http://<host>:<port>/arcgis/sharing/rest/oauth2/token/
- Authorization: http://<host>:<port>/arcgis/sharing/rest/oauth2/authorize
Implementing OAuth 2.0
Serverless web apps
- Open the authorization page in a pop-up or new tab.
- User authorizes your application.
- The pop-up or tab is redirected to the configured redirect URI on your website with an appended access token.
- Your website passes the access token to the original page that began the OAuth 2.0 process.
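The serverless web app steps above, as an added JavaScript example that is not Esri's code: it builds the authorization URL, then validates the redirect before handing the token to the page that started the flow. The state parameter and the fragment field names (taken from RFC 6749), the helper names, the message shape, and the app.example redirect URI are assumptions, not values from this page.

```javascript
// Added example: implicit-grant helpers. Parameter names follow RFC 6749;
// client ids, redirect URIs and token values passed in are the caller's own.
const AUTHORIZE_URL = "https://www.arcgis.com/sharing/rest/oauth2/authorize";

// Unguessable per-request value that ties the redirect to this browser session.
function newState() {
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Step 1: the URL to open in the pop-up or new tab.
function buildAuthorizeUrl(clientId, redirectUri, state) {
  const url = new URL(AUTHORIZE_URL);
  url.search = new URLSearchParams({
    client_id: clientId,
    response_type: "token", // implicit grant
    redirect_uri: redirectUri,
    state,
  }).toString();
  return url.toString();
}

// Step 3: run on the redirect page. Returns the token only if the redirect
// answers the request this session started; otherwise throws.
function parseRedirect(redirectedUrl, expectedState, now = Date.now()) {
  const params = new URLSearchParams(new URL(redirectedUrl).hash.slice(1));
  if (params.has("error")) {
    throw new Error("authorization failed: " + params.get("error"));
  }
  if (!expectedState || params.get("state") !== expectedState) {
    throw new Error("state mismatch: redirect was not started by this session");
  }
  const token = params.get("access_token");
  const expiresIn = Number(params.get("expires_in"));
  if (!token || !Number.isFinite(expiresIn) || expiresIn <= 0) {
    throw new Error("malformed token response");
  }
  return { token, expiresAt: now + expiresIn * 1000 };
}

// Step 4: hand the result to the opener with an explicit target origin,
// never "*", so no other origin can receive the token.
function deliverToOpener(result, opener, appOrigin) {
  opener.postMessage({ type: "oauth-result", ...result }, appOrigin);
}
```

In the browser, keep the value from newState() in sessionStorage until the redirect returns, and clear the fragment from the address bar with history.replaceState once parseRedirect has run.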
Serverless native and mobile apps
- Open the authorization page in a browser on the device.
- User authorizes your application.
- The browser is redirected to the configured redirect URI, which opens your application on the device with an authorization code.
- Your application exchanges the authorization code for an access token and a refresh token.
Server-enabled apps
- Open the authorization page in a browser on the device.
- User authorizes your application.
- The browser is redirected to the configured redirect URI on your server with an appended authorization code.
- Your server exchanges the authorization code for an access token and a refresh token.
- This refresh token can be stored on the server and the access token provided to the client application.
Application credentials
- Register your OAuth 2.0 application in the developer dashboard to receive credentials.
- Your application calls the token endpoint with its client id and client secret.
- The token endpoint responds with an access token.
- You can use the application credential either on your server to make requests to ArcGIS Platform or send the application credential to the client to make requests to ArcGIS Platform.
Application credentials were primarily established to access ready-to-use services. Most use cases for application credentials have been updated / replaced by API keys.
Learn more about application credentials