Implicit flow | Documentation

The Implicit flow is an OAuth 2.0OAuth 2.0 is an industry standard protocol for authorization. It defines how to obtain and manage credentials for web, desktop, and mobile applications. It is supported by ArcGIS.Learn more authorization protocol that can be used to implement user authenticationUser authentication is a type of authentication that allows users with an ArcGIS account to sign into an application and allow it to access ArcGIS content, services, and resources on their behalf. The typical authorization protocol used is OAuth2.0.Learn more. This page provides an overview of the flow and explains how to implement it.

Diagram illustrating the OAuth 2.0 implicit authentication flow in ArcGIS, where a user signs in and the app receives an access token directly without an authorization code exchange. OAuth 2.0 implicit authentication has been deprecated and is no longer recommended for use. — Figure A: The Implicit user authentication flow.

The Implicit flow is an OAuth 2.0OAuth 2.0 is an industry standard protocol for authorization. It defines how to obtain and manage credentials for web, desktop, and mobile applications. It is supported by ArcGIS.Learn more workflow previously used in client-facing web applications. Authorization occurs in a single step, with the app requesting an access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more directly from the authorization endpointAn authorization endpoint is an ArcGIS portal service endpoint that can be queried to request an authorization code. It is used to implement user authentication OAuth2.0 flows.Learn more.

The general steps of how the Implicit flow works are:

Application sends a request to the authorization endpointAn authorization endpoint is an ArcGIS portal service endpoint that can be queried to request an authorization code. It is used to implement user authentication OAuth2.0 flows.Learn more that includes a client_id and redirect_url from OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more. The response_type is specified as token.
The application user signs in with an ArcGIS accountAn ArcGIS account is an identity with a user type and set of privileges that can access specific ArcGIS products, tools, APIs, services, and resources. The main account types that can be used for development are an ArcGIS Location Platform account, ArcGIS Online account, and ArcGIS Enterprise account. ArcGIS Location Platform and ArcGIS Online accounts are also associated with a subscription.Learn more. The authorization endpoint verifies the user's identity and returns an access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more to the specified redirect URL.
Application uses the access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more to authorize requests to secure resourcesA secure resource is any item or service in an ArcGIS that requires an ArcGIS account and authentication to access. Examples include ArcGIS Location Services, and items and data services in an ArcGIS portal.Learn more.

Manual implementation

The remainder of this page shows how to manually implement user authenticationUser authentication is a type of authentication that allows users with an ArcGIS account to sign into an application and allow it to access ArcGIS content, services, and resources on their behalf. The typical authorization protocol used is OAuth2.0.Learn more without using an ArcGIS APIAn ArcGIS API is a web, native, game engine, or scripting API that has advanced mapping and spatial analysis capabilities and can be used to access ArcGIS services. ArcGIS APIs are designed to work optimally with the ArcGIS system and provide the most advanced GIS features and the highest performance possible.Learn more or Maps SDKArcGIS Maps SDKs are developer products for building mapping and spatial analysis applications for web browsers, native devices, and game engines.Learn more. Instead, authentication is implemented by directly making HTTP requests to the proper REST APIArcGIS REST APIs are the API specifications for all ArcGIS location services and ArcGIS Enterprise services. They define the operations, parameters, and structures required to make HTTPS requests.Learn more endpoints.

This sample is written in JavaScript, but can be implemented in any language. It adheres to the OAuth 2.0 specification for the Implicit flow.

Create OAuth credentials

User authenticationUser authentication is a type of authentication that allows users with an ArcGIS account to sign into an application and allow it to access ArcGIS content, services, and resources on their behalf. The typical authorization protocol used is OAuth2.0.Learn more requires a set of OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more. These credentials are used to generate a client IDA Client ID is an identifier associated with an application that assists with client / server OAuth 2.0 authentication for ArcGIS client APIs.Learn more for your application and authorize redirect URLs. Please review the product and account requirements for user authentication prior to creation.

Configure authentication variables

Copy your client ID and chosen redirect URL from your OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more and include them in your app.

index.html
Use dark colors for code blocks
        const clientId = '<YOUR_CLIENT_ID>';
        const redirectUri = '<YOUR_REDIRECT_URL>';

        let session = null;
        let map = null;
        const signInButton = document.getElementById('sign-in');
        const signOutButton = document.getElementById('sign-out');

Request an access token

Format a GET request to the authorization endpointAn authorization endpoint is an ArcGIS portal service endpoint that can be queried to request an authorization code. It is used to implement user authentication OAuth2.0 flows.Learn more. Include your client_id and redirect_uri, and set the response_type parameter to token.

index.html
Use dark colors for code blocks
        const authorizationEndpoint = 'https://www.arcgis.com/sharing/rest/oauth2/authorize' +
            '?client_id=' + clientId +
            '&redirect_uri=' + window.encodeURIComponent(redirectUri) +
            '&response_type=token' +
            '&expiration=20160';

When the user clicks 'Sign in', open the authorization endpoint in a new window.

index.html
Use dark colors for code blocks
        const authorizationEndpoint = 'https://www.arcgis.com/sharing/rest/oauth2/authorize' +
            '?client_id=' + clientId +
            '&redirect_uri=' + window.encodeURIComponent(redirectUri) +
            '&response_type=token' +
            '&expiration=20160';

        signInButton.addEventListener('click', () => window.open(authorizationEndpoint, 'oauth-window', 'height=400,width=600,menubar=no,location=yes,resizable=yes,scrollbars=yes,status=yes'));

Create a callback

Create a callback function in index.html that will receive the authorization code.

index.html
Use dark colors for code blocks
            const oauthCallback = (authorizationCode) => {

            }
            window.oauthCallback = oauthCallback; //required due to the module scope of this script

Create a new HTML page at the location of your redirect URI. When a user successfully authenticates at the authorization endpoint, they will be redirected to this page.

callback.html
Use dark colors for code blocks

<!DOCTYPE html>
  <head>
    <title>ArcGIS user authentication OAuth 2.0 callback (vanilla JS)</title>
  </head>
  <body>
    <script type="module">

    </script>
  </body>
</html>

Retried the access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more returned from the endpoint. It is found in the hash parameter of the URL. Pass the token to the callback function created in index.html.

callback.html
Use dark colors for code blocks

<!DOCTYPE html>
  <head>
    <title>ArcGIS user authentication OAuth 2.0 callback (vanilla JS)</title>
  </head>
  <body>
    <script type="module">

        const match = (window.location.hash) ? window.location.hash.match(/\token=([^&]+)/) : false;
        // if we found an access token in the URL, pass the token up to a global function in index.html
        if(match[1]) {
            window.opener.oauthCallback(match[1]);
        }
        window.close();

    </script>
  </body>
</html>

Serialize session info

Serialize the session information from the authorization endpoint and add it to local storage to make the session persistent across page refreshes.

index.html
Use dark colors for code blocksCopy
        const updateSession = (sessionInfo) => {
            const userInfo = document.getElementById('user-info');

            if (!sessionInfo) {
                localStorage.removeItem("__ARCGIS_USER_SESSION__");
                session = null;

                destroyApp();

                // signed out sidebar state
                userInfo.classList.add('hide');
                userInfo.innerHTML = ``;
                signOutButton.classList.add('hide');
                signInButton.classList.remove('hide');
            }

            else {
                session = sessionInfo;
                localStorage.setItem("__ARCGIS_USER_SESSION__", JSON.stringify(session));

                // signed in sidebar state
                userInfo.classList.remove('hide');
                userInfo.innerHTML = `Welcome, ${sessionInfo.username}.`;
                signOutButton.classList.remove('hide');
                signInButton.classList.add('hide');
            }

        }