OAuth 2.0

OAuth 2.0 is an industry standard protocol for delegated authorization. It defines how web, desktop, and mobile applications obtain and manage access tokens that let them act on a user's behalf (or on their own behalf) without ever handling the user's password.

A client (a web, native, or server application) asks the authorization server for access and, once the request is approved, receives an access token in response. These tokens act as "keys", granting access to secured data until they expire after a fixed period. An access token is a bearer credential: whoever presents it gets the access it grants, so treat it as a secret, send it only over HTTPS, and keep its lifetime as short as the workflow allows.

How does ArcGIS use OAuth 2.0?

ArcGIS uses OAuth 2.0 to issue access tokens to 3rd party applications without exposing the user's password to them.

ArcGIS stores private user identities and content; 3rd party applications access those resources through the OAuth 2.0 user authorization protocol, with a token that is scoped to the authorizing user and expires.

ArcGIS APIs contain a built-in IdentityManager or AuthenticationManager class that can be used to obtain an access token and simplify your process when implementing OAuth 2.0. For more information about these classes, go to user authentication.

Use OAuth 2.0 to get temporary access tokens that authorize your app with ArcGIS in one of two ways:

  • User authentication: applications use an existing ArcGIS end user's account to access secure content and services on their behalf; transactions are metered to the user's account.
  • App credentials authentication: applications use the registered application's credentials to access ready-to-use services on ArcGIS; transactions are metered to the owner of the registered application.

Get credentials

You must first register your application and obtain a client_id and client_secret. Use the method prescribed by the product with which you are building your app to authorize your users and obtain an OAuth 2.0 access_token. You should also set up a redirect URI at this time. Treat the client_secret as a server-side secret: serverless web and native apps are public clients that cannot keep it confidential, so they must use a workflow that does not require it. The authorization server only redirects to URIs you registered, so register exactly the ones your app uses; a loosely registered redirect URI is what lets an attacker capture the token or authorization code.

OAuth 2.0 grant types

ArcGIS uses the following OAuth 2.0 grant types:

OAuth 2.0 endpoints

OAuth 2.0 workflows use the following endpoints:

  • Token: https://www.arcgis.com/sharing/rest/oauth2/token/
  • Authorization: https://www.arcgis.com/sharing/rest/oauth2/authorize

Implementing OAuth 2.0

Serverless web apps

User authentication with serverless web app workflow
  1. Open the authorization page in a pop-up or new tab.
  2. User authorizes your application.
  3. The pop-up or tab is redirected to the configured redirect URI on your website with the access token appended to the URL fragment (after the #), so the token is visible to the page's script but is never sent to the web server.
  4. Your website passes the access token to the original page that began the OAuth 2.0 process.
Learn more about the serverless web workflow

Serverless native and mobile apps

User authentication with serverless native app workflow
  1. Open the authorization page in a browser on the device.
  2. User authorizes your application.
  3. The browser is redirected to the configured redirect URI, which opens your application on the device with an authorization code.
  4. Your application exchanges the authorization code for an access token and a refresh token.
Learn more about the serverless native / mobile workflow

Server-based apps

User authentication with server-based workflow
  1. Open the authorization page in a browser on the device.
  2. User authorizes your application.
  3. The browser is redirected to the configured redirect URI on your server with an appended authorization code.
  4. Your server exchanges the authorization code for an access token and a refresh token.
  5. This refresh token can be stored on the server and the access token provided to the client application.
Learn more about the server-based workflow

Tutorials
