User authentication flows

The process of programmatically verifying users and requesting an is called an authentication flow. can be implemented using several different authorization flows. This section provides an overview of the different flows, as well as a comparison below.

In general, user authentication flows are divided into OAuth 2.0 flows and Non-OAuth flows. An OAuth 2.0 flow is recommended for almost all use cases, except for some developers working with .

Authentication flow compliantOAuth 2.0 grant_typeUse cases
Authorization code with PKCEauthorization_codeClient-side apps such as native apps, mobile apps, and web applications without a server-side component
Authorization codeauthorization_code with PKCEWeb apps with a server-side component
ImplicitimplicitDeprecated. No longer recommended for use.
Generate tokenTrusted or local applications when other flows cannot be used
Integrated Windows Authentication (IWA)ArcGIS Enterprise applications
Public key infrastructure (PKI)ArcGIS Enterprise applications

OAuth 2.0 flows

ArcGIS follows the industry-standard OAuth 2.0 protocol for authorization. It supports the following OAuth 2.0 flows for .

Authorization code with PKCE

Authorization code flow with Proof Key for Code Exchange (PKCE) is the primary OAuth 2.0 flow that ArcGIS recommends for . It is an extension of the authorization code flow that implements Proof Key for Code Exchange (PKCE) as an additional layer of security.

It uses the OAuth 2.0 authorization_code grant type and requires a client_id from a set of .

All of the AuthenticationManager and IdentityManager classes in ArcGIS and use this flow for . Support for PKCE was introduced in 2020 for and at version 10.8.1 for .

Authorization code

The authorization code flow is an OAuth 2.0 flow used to implement . It uses the authorization_code grant type and requires a client_id from a set of .

This flow grants an to petitioners using a multi-step process. First, users request an authorization code from the authorization endpoint by providing their username and password. They use that authorization code to request an access token from the token endpoint. The access token can then be used to authorize requests to secure ArcGIS resources.

Implicit (deprecated)

The implicit flow is an OAuth 2.0 flow that was previously used to implement in client-side web apps. It is considered deprecated in current versions of ArcGIS, and the Authorization code flow with PKCE is now recommended instead.

This flow grants an to petitioners using a single-step process. Users request an access token directly from the authorization endpoint by providing their username and password and setting a response_type of token. The access token can then be used to authorize requests to secure ArcGIS resources

Non-OAuth 2.0 flows

ArcGIS supports additional flows that do not adhere to the OAuth 2.0 protocol. They include the following:

Generate token

Enterprise flows

These flows are only supported by .

Integrated Windows Authentication (IWA)

This method manages user login through Microsoft Windows Active Directory and the user typically manually enters their username + password. To use Integrated Window Authentication, you will need to configure it in ArcGIS Enterprise.

Public key infrastructure (PKI)

Public and private digital keys support authentication and secure communication over insecure networks. To use PKI, you need to configure it in ArcGIS Enterprise using either Lightweight Directory Access Protocol (LDAP) or Windows Active Directory.

Tutorials

Create OAuth credentials for user authentication

Create and configure OAuth credentials to set up user authentication.


Sign in with user authentication

Your browser is no longer supported. Please upgrade your browser for the best experience. See our browser deprecation post for more details.

You can no longer sign into this site. Go to your ArcGIS portal or the ArcGIS Location Platform dashboard to perform management tasks.

Your ArcGIS portal

Create, manage, and access API keys and OAuth 2.0 developer credentials, hosted layers, and data services.

Your ArcGIS Location Platform dashboard

Manage billing, monitor service usage, and access additional resources.

Learn more about these changes in the What's new in Esri Developers June 2024 blog post.

Close