OAuth 2.0

OAuth 2.0 is an industry standard protocol for authorization. It defines how to obtain and manage user credentials for web, desktop, and mobile applications.

Users, clients, or servers are authorized for system access using encrypted tokens, and receive access tokens in response from the authorizing server. These tokens act as "keys", granting access to secured data for a fixed time period.

How does ArcGIS use OAuth 2.0?

ArcGIS uses OAuth 2.0 to safely expose ArcGIS identity to 3rd party applications.

ArcGIS Platform stores private user identities and content; 3rd party applications access those resources through the secure OAuth 2.0 user authorization protocol.

ArcGIS APIs contain a built-in IdentityManager or AuthenticationManager class that can be used to obtain an ArcGIS identity and simplify your process when implementing OAuth 2.0. See ArcGIS identity for more information about these classes.

Use OAuth 2.0 to get temporary tokens that authorize your app with ArcGIS Platform in one of two ways:

  • ArcGIS identity: for applications that use an existing ArcGIS Platform end user's login to access secure content and services on their behalf; transactions are metered to the user's account.
  • Application credentials: for applications that access ready-to-use services on ArcGIS Platform using the registered application's credentials; transactions are metered to the owner of the registered application.

Get credentials

You must first register your application and obtain a client_id and client_secret. Use the method prescribed by the platform from which you are building your app to authorize your users and obtain an OAuth 2.0 access_token. You should also set up a redirect URI at this time.

OAuth 2.0 grant types

ArcGIS uses the following OAuth 2.0 grant types:

  • implicit for browser-based, desktop, and mobile applications using ArcGIS identity.
  • authorization_code for server and mobile applications using ArcGIS identity.
  • client_credentials for application credentials.

OAuth 2.0 endpoints

OAuth 2.0 workflows use the following endpoints:

ArcGIS Online

  • Token: https://www.arcgis.com/sharing/rest/oauth2/token/
  • Authorization: https://www.arcgis.com/sharing/rest/oauth2/authorize

ArcGIS Enterprise

  • Token: http://<host>:<port>/arcgis/sharing/rest/oauth2/token/
  • Authorization: http://<host>:<port>/arcgis/sharing/rest/oauth2/authorize

Implementing OAuth 2.0

Serverless web apps

Web apps with ArcGIS identity workflow

  1. Open the authorization page in a pop-up or new tab.
  2. User authorizes your application.
  3. The pop-up or tab is redirected to the configured redirect URI on your website with an appended access token.
  4. Your website passes the access token to the original page that began the OAuth 2.0 process.
Learn more about the serverless web workflow

Serverless native and mobile apps

Web apps with ArcGIS identity workflow

  1. Open the authorization page in a browser on the device.
  2. User authorizes your application.
  3. The browser is redirected to the configured redirect URI, which opens your application on the device with an authorization code.
  4. Your application exchanges the authorization code for an access token and a refresh token.
Learn more about the serverless native / mobile workflow

Server-enabled apps

Server based applications with ArcGIS identity workflow

  1. Open the authorization page in a browser on the device.
  2. User authorizes your application.
  3. The browser is redirected to the configured redirect URI on your server with an appended authorization code.
  4. Your server exchanges the authorization code for an access token and a refresh token.
  5. This refresh token can be stored on the server and the access token provided to the client application.
Learn more about the server-enabled workflow

Application credentials

Application credentials workflow diagram

  1. Register your OAuth 2.0 application in the developer dashboard to receive credentials.

    You will need to set up a way to manage your credentials on your server.

  2. Your application calls the token endpoint with its client id and client secret.

  3. The token endpoint responds with an access token.

  4. You can use the application credential either on your server to make requests to ArcGIS Platform or send the application credential to the client to make requests to ArcGIS Platform.
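The application credentials workflow above, as an added example (not Esri's code): a server-side helper that requests a token with the client_credentials grant, caches it until shortly before expiry, and hands out only the access token so the client_secret stays on the server. `AppTokenCache`, `http_post`, `demo`, the 60-second skew and all sample values are assumptions made for illustration; `expires_in` is the standard OAuth 2.0 token response field.

```python
import json
import time
import urllib.parse
import urllib.request

# Token endpoint for ArcGIS Online, as listed on this page.
TOKEN_URL = "https://www.arcgis.com/sharing/rest/oauth2/token/"


def http_post(url, form):
    """Default transport: form-encoded POST, returns the response body."""
    data = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(url, data=data, timeout=10) as resp:
        return resp.read().decode()


class AppTokenCache:
    """Hypothetical helper: keeps client_secret server-side, hands out tokens."""

    def __init__(self, client_id, client_secret, post=http_post, clock=time.time, skew=60):
        self._form = {"client_id": client_id, "client_secret": client_secret,
                      "grant_type": "client_credentials"}
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def access_token(self):
        # Reuse the cached token until `skew` seconds before it expires.
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            body = json.loads(self._post(TOKEN_URL, self._form))
            if "access_token" not in body:
                # Report only the server's error, never the request (it holds the secret).
                raise RuntimeError("token request failed: %r" % (body.get("error"),))
            self._token = body["access_token"]
            self._expires_at = self._clock() + int(body.get("expires_in", 0))
        return self._token


def demo():
    """Offline run against a constructed response; returns (tokens, requests)."""
    calls, now = [], [1000.0]

    def fake_post(url, form):  # constructed stand-in for the token endpoint
        calls.append((url, dict(form)))
        return json.dumps({"access_token": "constructed-token-%d" % len(calls),
                           "expires_in": 7200})

    cache = AppTokenCache("constructed-id", "constructed-secret", fake_post, lambda: now[0])
    tokens = [cache.access_token(), cache.access_token()]  # second call is cached
    now[0] += 7200 - 30  # inside the 60 s skew window: a fresh token is requested
    return tokens + [cache.access_token()], calls
```

In production the secret would be loaded from the server's secret store rather than passed as a literal, and only the value returned by `access_token()` would ever be sent to a client.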

Application credentials were primarily established to access ready-to-use services. Most use cases for application credentials have been updated / replaced by API keys.

Learn more about application credentials
