How to implement user authentication | Documentation

This topic outlines the high-level steps of how to implement user authenticationUser authentication is a type of authentication that allows users with an ArcGIS account to sign into an application and allow it to access ArcGIS content, services, and resources on their behalf. The typical authorization protocol used is OAuth2.0.Learn more.

1. Create OAuth credentials
Create developer credentials in your organization's portal.
2. Implement an OAuth flow
Add authorization code to your app.
3. Make a request
Use an access token to authorize service requests.

1. Create OAuth credentials

User authenticationUser authentication is a type of authentication that allows users with an ArcGIS account to sign into an application and allow it to access ArcGIS content, services, and resources on their behalf. The typical authorization protocol used is OAuth2.0.Learn more requires a set of OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more. These credentials are used to generate a client IDA Client ID is an identifier associated with an application that assists with client / server OAuth 2.0 authentication for ArcGIS client APIs.Learn more for your application and authorize redirect URLs. Please review the product and account requirements for user authentication prior to creation.

2. Implement an OAuth flow

Diagram illustrating the ArcGIS user authentication flow, where a user signs in and the application receives tokens to access resources on the user’s behalf.

The typical user authentication flow. To view concrete examples, go to User authentication flows

The next step is to implement a user authentication flow by adding authentication code to your application. ArcGIS supports several different user authentication flows that you can implement, most of which adhere to the OAuth 2.0OAuth 2.0 is an industry standard protocol for authorization. It defines how to obtain and manage credentials for web, desktop, and mobile applications. It is supported by ArcGIS.Learn more specification.

The OAuth 2.0 Authorization code flow with PKCE is the recommended flow for all client-facing applications. This is the authorization flow used by ArcGIS Maps SDKsArcGIS Maps SDKs are developer products for building mapping and spatial analysis applications for web browsers, native devices, and game engines.Learn more and scripting APIsAn ArcGIS API is a web, native, game engine, or scripting API that has advanced mapping and spatial analysis capabilities and can be used to access ArcGIS services. ArcGIS APIs are designed to work optimally with the ArcGIS system and provide the most advanced GIS features and the highest performance possible.Learn more.

ArcGIS APIs and SDKs

User authentication is typically implemented using an ArcGIS Maps SDKArcGIS Maps SDKs are developer products for building mapping and spatial analysis applications for web browsers, native devices, and game engines.Learn more or a scripting API such as ArcGIS REST JSArcGIS REST JS is a collection of JavaScript modules that can access ArcGIS location services and ArcGIS Enterprise services.Learn more or the ArcGIS API for PythonArcGIS API for Python is a pythonic library for performing GIS visualization, analysis, data management, and GIS system administration tasks.Learn more. These libraries make it easy to implement user authentication using the built-in AuthenticationManager and IdentityManager classes.

ArcGIS Maps SDK for JavaScript

ArcGIS Maps SDK for .NET

ArcGIS Maps SDK for Kotlin

ArcGIS Maps SDK for Swift

ArcGIS Maps SDK for Qt

ArcGIS REST JS

Expand
Use dark colors for code blocksCopy
        const info = new OAuthInfo({
          appId: "YOUR_CLIENT_ID",
        });


        esriId.registerOAuthInfos([info]);
        esriId
          .checkSignInStatus(info.portalUrl + "/sharing")
          .then(() => {
            handleSignedIn();
          })
          .catch(() => {
            handleSignedOut();
          });

        document
          .getElementById("sign-in")
          .addEventListener("click", function () {
            esriId.getCredential(info.portalUrl + "/sharing");
          });

        document
          .getElementById("sign-out")
          .addEventListener("click", function () {
            esriId.destroyCredentials();
            window.location.reload();
          });
        let map;
Expand
Go to tutorial

Manual implementation

User authentication can also be implemented manually by making direct requests to the proper REST API endpoints. To do so, typically make a request to the authorization endpoint and token endpoint of your organization's portal serviceA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more

This example shows how to implement an OAuth 2.0OAuth 2.0 is an industry standard protocol for authorization. It defines how to obtain and manage credentials for web, desktop, and mobile applications. It is supported by ArcGIS.Learn more authorization code flow with PKCE without an ArcGIS API.

Use dark colors for code blocksCopy
            const authorizationEndpoint = 'https://www.arcgis.com/sharing/rest/oauth2/authorize'+
            '?client_id=' + clientId +
            '&code_challenge=' + codeChallenge +
            '&code_challenge_method=S256' +
            '&redirect_uri=' + window.encodeURIComponent(redirectUri)+
            '&response_type=code'+
            '&expiration=20160';

            signInButton.addEventListener('click', () => window.open(authorizationEndpoint, 'oauth-window', 'height=400,width=600,menubar=no,location=yes,resizable=yes,scrollbars=yes,status=yes'));

            signOutButton.addEventListener('click', () => updateSession(false));

            const oauthCallback = (authorizationCode) => {

                const tokenEndpoint = 'https://www.arcgis.com/sharing/rest/oauth2/token';

                fetch(tokenEndpoint, {
                    method:'POST',
                    body: JSON.stringify({
                        client_id:clientId,
                        grant_type:'authorization_code',
                        code:authorizationCode,
                        redirect_uri:redirectUri,
                        code_verifier:codeVerifier
                    }),
                    headers: {
                        "Content-type": "application/json; charset=UTF-8"
                    }
                })
Go to example

Use dark colors for code blocksCopy

<!DOCTYPE html>
  <head>
    <title>ArcGIS user authentication OAuth 2.0 callback (vanilla JS)</title>
  </head>
  <body>
    <script type="module">

        const match = (window.location.search) ? window.location.search.match(/\?code=([^&]+)/) : false;
        // if we found an authorization code in the URL, pass the token up to a global function in index.html
        if(match[1]) {
            window.opener.oauthCallback(match[1]);
        }
        window.close();

    </script>
  </body>
</html>
Go to example

Generate token flow

The generate token flow can be used in situations where it is not possible to implement secure OAuth 2.0 flows. This flow requests an access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more by making a request to the /generateToken endpoint that includes an unencrypted username and password.

cURL

HTTP

Use dark colors for code blocks

Copy

1
2
3
4
5
6
curl https://www.arcgis.com/sharing/rest/generateToken \
-d 'f=json' \
-d 'username=USERNAME' \
-d 'password=PASSWORD' \
-d 'referer=https://www.arcgis.com' \
-d 'client=referer'

Run in Postman

Use dark colors for code blocksCopy
{
  "token": "iX_oSlAphdxzi...",
  "expires": 1609488000000,
  "ssl": true
}

3. Make a request

Implementing user authentication successfully will grant a unique access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more to your application every time a user signs in. The access token will inherit the privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more of the signed-in user's ArcGIS accountAn ArcGIS account is an identity with a user type and set of privileges that can access specific ArcGIS products, tools, APIs, services, and resources. The main account types that can be used for development are an ArcGIS Location Platform account, ArcGIS Online account, and ArcGIS Enterprise account. ArcGIS Location Platform and ArcGIS Online accounts are also associated with a subscription.Learn more, granting it access to all of the secure resourcesA secure resource is any item or service in an ArcGIS that requires an ArcGIS account and authentication to access. Examples include ArcGIS Location Services, and items and data services in an ArcGIS portal.Learn more the user's account has access to.

ArcGIS APIs and SDKs

If you use user authenticationUser authentication is a type of authentication that allows users with an ArcGIS account to sign into an application and allow it to access ArcGIS content, services, and resources on their behalf. The typical authorization protocol used is OAuth2.0.Learn more with an ArcGIS Maps SDKArcGIS Maps SDKs are developer products for building mapping and spatial analysis applications for web browsers, native devices, and game engines.Learn more, the AuthenticationManager or IdentityManager classes automatically handle authentication with the access token, requiring no additional action from you.

The examples below show how to display a map in apps that implement user authentication.

ArcGIS Maps SDK for JavaScript

ArcGIS Maps SDK for .NET

ArcGIS Maps SDK for Kotlin

ArcGIS Maps SDK for Swift

ArcGIS Maps SDK for Qt

Expand
Use dark colors for code blocksCopy
        function handleSignedIn() {

          map = new Map({
            basemap: "arcgis/topographic", // basemap styles service
          });
          const view = new MapView({
            map: map,
            center: [-118.805, 34.027], // Longitude, latitude
            zoom: 13, // Zoom level
            container: "viewDiv", // Div element
          });

        }
Expand
Go to tutorial

ArcGIS REST APIs

If you implement user authentication manually, your application can include the access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more in requests to REST APIsArcGIS REST APIs are the API specifications for all ArcGIS location services and ArcGIS Enterprise services. They define the operations, parameters, and structures required to make HTTPS requests.Learn more by setting the token parameter.

This example shows how to geocode an address with the geocoding serviceA geocoding service is a service that can search for addresses, place addresses, businesses, reverse geocode coordinates to addresses, provide suggestions for places, and perform bulk geocoding. It is hosted by Esri as the ArcGIS Geocoding service and can also be hosted in ArcGIS Enterprise.Learn more.

cURL

HTTP

Use dark colors for code blocks

Copy

1
2
3
4
curl https://geocode-api.arcgis.com/arcgis/rest/services/World/GeocodeServer/findAddressCandidates \
-d "f=pjson" \
-d "address=1600 Pennsylvania Ave NW, DC" \
-d "token=<YOUR_ACCESS_TOKEN>"

Go to topic

Use dark colors for code blocksCopy
{
    "spatialReference": {
      "wkid": 4326,
      "latestWkid": 4326
    },
    "candidates": [
      {
        "address": "1600 Pennsylvania Ave NW, Washington, District of Columbia, 20500",
        "location": {
          "x": -77.036548499999995,
Expand

Tutorials

Create OAuth credentials for user authentication

Create and configure OAuth credentials to set up user authentication.

ArcGIS portal

Sign in with user authentication

Create an application that requires users to sign in with an ArcGIS accountAn ArcGIS account is an identity with a user type and set of privileges that can access specific ArcGIS products, tools, APIs, services, and resources. The main account types that can be used for development are an ArcGIS Location Platform account, ArcGIS Online account, and ArcGIS Enterprise account. ArcGIS Location Platform and ArcGIS Online accounts are also associated with a subscription.Learn more.

JavaScript Maps SDK .NET Maps SDK Kotlin Maps SDK Swift Maps SDK Java Maps SDK Qt Maps SDK REST JS (Server)REST JS (Browser)