What's new in Version 3.40

Updates to OAuth Authentication

OAuth authentication now defaults to short-lived access tokens generated via the two-step flow with Proof Key for Code Exchange (PKCE). This is the default behavior for applications using the default page redirection for OAuth sign-in. This update follows the recommendations in the OAuth 2.0 Security Best Current Practices specifications.

Prior to this version, the default was the one-step flow. Once the user authenticated, the access token was appended to the redirect URL as a hash and returned to the client in a single step. This could cause problems if the token was leaked or stolen, since any resource accessible using this token would also be compromised.

Applications utilizing two-step authentication with user sign-in via a popup window should opt in by setting flowType = "authentication-code". In addition, any existing callback page should be updated to support it. To aid in this, the default oauth-callback.html has been updated to support the two-step approach, and it still works with the one-step flow.

This update should be transparent with no changes needed by the developer if popups are not used for signing in and the application accesses ArcGIS Online or a version of ArcGIS Enterprise that supports PKCE.
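The PKCE part of the two-step flow described above, as an added example that is not Esri code or part of the original release notes: the client keeps a random verifier, sends only its SHA-256 challenge in the redirect, and the server later checks the verifier before issuing a token (RFC 7636, S256 method). It runs in Node.js; the function names are hypothetical and no real endpoint or client ID is assumed.

```javascript
// Added example: PKCE (RFC 7636) S256 using Node.js built-ins only.
const nodeCrypto = require("crypto");

// Client, before redirecting: a random secret that never leaves the app
// until the back-channel token request. 32 bytes -> 43 base64url characters.
function createVerifier() {
  return nodeCrypto.randomBytes(32).toString("base64url");
}

// code_challenge = BASE64URL(SHA-256(ASCII(code_verifier)))
function challengeFor(verifier) {
  return nodeCrypto.createHash("sha256").update(verifier, "ascii").digest("base64url");
}

// Client, step one: only the challenge travels in the browser redirect, so a
// leaked URL (history, logs, Referer) exposes neither a token nor the verifier.
function buildAuthorizeUrl(authorizeEndpoint, clientId, redirectUri, verifier, state) {
  const url = new URL(authorizeEndpoint);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
    code_challenge: challengeFor(verifier),
    code_challenge_method: "S256",
  }).toString();
  return url.toString();
}

// Server, step two: exchange the code for a token only if the presented
// verifier hashes to the challenge stored with that authorization code.
function verifierMatches(verifier, storedChallenge) {
  // RFC 7636 limits the verifier to 43-128 unreserved characters.
  if (!/^[A-Za-z0-9\-._~]{43,128}$/.test(verifier)) return false;
  const computed = Buffer.from(challengeFor(verifier));
  const stored = Buffer.from(String(storedChallenge));
  return computed.length === stored.length && nodeCrypto.timingSafeEqual(computed, stored);
}
```

An authorization code intercepted from the redirect is useless on its own, because the token request also has to carry the verifier that only the originating client holds.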

Additional Changes and Enhancements

  • New flowType property on OAuthInfo. Set this property to specify the type of authentication to use.

Bug fixes and enhancements

  • BUG-000136687: Fixed an issue where the Directions widget disappears from the map when resizing the browser window.
  • Fixed an issue where symbol rotation was not honored while printing a web map with custom Arcade expressions.
  • Fixed an issue where the Legend for the relationship renderer didn't properly display text in right-to-left languages.

Additional packages

Version 3.40 of the ArcGIS API for JavaScript includes:

  • ArcGIS Arcade 1.17 (since version 3.40)
  • dgrid versions
    • dgrid version 1.3.3 (since version 3.35)
    • dgrid version 0.3.21 (since version 3.35)
      NOTE: If working with version 1.x, reference the dgrid1 directory; for version 0.x, reference the dgrid directory. Refer to the dgrid 0.4 Migration Guide for additional information on migrating to the newer version.
  • Dojo version 1.16.4 (since version 3.38)
  • dstore version 1.2.1 (since version 3.35)
  • put-selector version 0.3.6 (since version 3.13)
  • xstyle version 0.3.3 (since version 3.28)

Additional Resources on GitHub

Use the repository on GitHub for the JS API TypeScript definitions.
