ArcGIS uses a client credentials flow to implement app authentication. In this flow, a secure server uses a client_id and client_secret from a set of OAuth credentials to request an access token, then delivers the token to a client application.
The diagram above explains this flow using the following steps:
- OAuth credentials are registered in the portal to obtain a client_id and client_secret.
- The confidential client_id and client_secret are stored in a server-side component.
- The server gets an access token by submitting a request to your organization's portal service.
- The server delivers the access token to the client application upon request.
- The client application uses the access token to authorize requests to secure resources.
This flow adheres to the client_credentials grant type defined in the OAuth 2.0 specification. The main benefit of this flow is that the server handles requesting an access token, ensuring that the confidential client_id and client_secret values are never exposed to the client application. To read more about the client credentials protocol, go to OAuth 2.0 RFC 6749 section 4.4.
Manual implementation
The remainder of this page shows how to manually implement app authentication by making direct requests to your organization's portal service. The sample is written in JavaScript, but can be implemented in any language by making HTTP requests.
Create OAuth credentials
A set of OAuth credentials is required for app authentication. These credentials are created as an item in your organization's portal.
- Sign in to your portal.
- Click Content > My content > New item and select Developer credentials.
- In the Credential types menu, select OAuth credentials.
- In the Privileges and Item access menus, select the resources your application will need to access.
- Review your selections and, when you are ready, click Generate credentials.

- Sign in to your portal.
- Click Content > My content > New item and select Developer credentials.
- In the Privileges and Item access menus, select the resources your application will need to access.
- Review your selections and, when you are ready, click Generate credentials.
Configure authentication variables
- Copy the client_id and client_secret parameters from your OAuth credentials and paste them into a new application.

server.js
```javascript
// Placeholders: replace with the values from your OAuth credentials
const clientId = 'YOUR_CLIENT_ID';
const clientSecret = 'YOUR_CLIENT_SECRET';
```
Request the token endpoint
App authentication is implemented by submitting a request to the token endpoint of your ArcGIS organization.
- Find the URL of the token endpoint for your ArcGIS organization. For ArcGIS Online and Location Platform users, the token endpoint is https://www.arcgis.com/sharing/rest/oauth2/token.

server.js
```javascript
const token_endpoint = 'https://www.arcgis.com/sharing/rest/oauth2/token';
```

- Submit an HTTP POST request to the endpoint. Include your client_id, client_secret, and a grant_type parameter set to 'client_credentials'.

server.js
```javascript
const token_endpoint = 'https://www.arcgis.com/sharing/rest/oauth2/token';

// Request an access token using the client credentials grant
const response = await fetch(token_endpoint, {
  method: 'POST',
  headers: {
    "Content-type": "application/x-www-form-urlencoded"
  },
  // Form-encoded body carrying the grant type and the OAuth credentials
  body: new URLSearchParams({
    'grant_type': 'client_credentials',
    'client_id': clientId,
    'client_secret': clientSecret
  })
});
```
Use the token
After obtaining the access token, you can use it to authorize requests directly from the server or alternatively deliver it to a client application. The method of implementation depends on the framework and libraries you are using.
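
One way to put the server side of this flow together, added here as an example and not part of the original page or any ArcGIS library: it requests the token with the client credentials grant, caches it until shortly before expiry, and exposes only the token and its expiry. The function names, the 60-second refresh margin, and the response fields it expects (access_token and expires_in in seconds on success, an error object in the body on failure) are assumptions of this example.

```javascript
// Added example. Function names and the 60 s refresh margin are illustrative.
const TOKEN_ENDPOINT = 'https://www.arcgis.com/sharing/rest/oauth2/token';

// Validate the token endpoint's JSON body and compute an absolute expiry time.
// Assumption: a success carries access_token and expires_in (seconds); a
// failure carries an `error` object in the body.
function parseTokenResponse(body, nowMs) {
  if (!body || typeof body !== 'object') throw new Error('Malformed token response');
  if (body.error) {
    // Report the server's message only; the request body holds the secret.
    throw new Error(`Token request rejected: ${body.error.message || 'unknown error'}`);
  }
  if (typeof body.access_token !== 'string' || !(body.expires_in > 0)) {
    throw new Error('Token response is missing access_token or expires_in');
  }
  // Only these two fields ever leave the server; the credentials never do.
  return { token: body.access_token, expiresAt: nowMs + body.expires_in * 1000 };
}

// Returns an async getToken() that reuses the cached token until skewMs before
// it expires, and shares one in-flight request between concurrent callers.
function createTokenBroker({ clientId, clientSecret, fetchImpl = fetch, now = Date.now, skewMs = 60000 }) {
  if (!clientId || !clientSecret) throw new Error('Missing OAuth credentials');
  let cached = null;
  let inFlight = null;
  return async function getToken() {
    if (cached && now() < cached.expiresAt - skewMs) return cached;
    if (!inFlight) {
      inFlight = (async () => {
        const res = await fetchImpl(TOKEN_ENDPOINT, {
          method: 'POST',
          headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
          body: new URLSearchParams({
            grant_type: 'client_credentials',
            client_id: clientId,
            client_secret: clientSecret
          })
        });
        if (!res.ok) throw new Error(`Token endpoint returned HTTP ${res.status}`);
        cached = parseTokenResponse(await res.json(), now());
        return cached;
      })().finally(() => { inFlight = null; });
    }
    return inFlight;
  };
}
```

On the server, pass the credentials in from the environment or a secret store rather than source code, and return only the token and expiresAt fields to the client application.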