Authenticate with OAuth

View on GitHub

Sample viewer app

Authenticate with ArcGIS Online (or your own portal) using OAuth2 to access secured resources (such as private web maps or layers). Accessing secured items requires logging in to the portal that hosts them (an ArcGIS Online account, for example).

Image of authenticate with OAuth

Use case

Your app may need to access items that are only shared with authorized users. For example, your organization may host private data layers or feature services that are only accessible to verified users. You may also need to take advantage of premium ArcGIS Online services, such as geocoding or routing services, which require a named user login.

How to use the sample

When you run the sample, the app will load a web map which contains premium content. You will be challenged for an ArcGIS Online login to view the private layers. Enter a user name and password for an ArcGIS Online named user account (such as your ArcGIS for Developers account). If you authenticate successfully, the traffic layer will display, otherwise the map will contain only the public basemap layer.

How it works

Create an AuthenticatorState and set the OAuthConfiguration with the portal URL, client ID, and redirect URI.
Call the toolkit's DialogAuthenticator composable at the top level of your view hierarchy and pass the AuthenticatorState object. Because the AuthenticatorState object has an OAuthConfiguration set, the DialogAuthenticator will prompt for OAuth credentials when the associated Portal is loaded.
Load a PortalItem(...) with connection type Portal.Connection.Authenticated which will issue an authentication challenge.

Configure the manifest.xml to handle the OAuth redirect URI.

Define a second activity in the manifest.xml with the a name OAuthUserSignInActivity from the toolkit

<activity
     android:name="com.arcgismaps.toolkit.authentication.OAuthUserSignInActivity"
     android:launchMode="singleTop"> <!--keeps only one instance to the top of the stack-->

Set the <intent-filter> categories tags to be able to launch a custom browser tab.

<intent-filter>
     <action android:name="android.intent.action.VIEW" />
     <!--required to launch a custom browser tab-->
     <category android:name="android.intent.category.DEFAULT" />
     <category android:name="android.intent.category.BROWSABLE" />

Set the data and host tags to be able to use the redirect URI to navigate back to the app after prompting for OAuth credentials.

<data
     android:host="auth"
     android:scheme="my-ags-app" />

To learn more on setting up the data specification to an intent filter, visit the Android docs.

Relevant API

ArcGISAuthenticationChallengeHandler
ArcGISAuthenticationChallengeResponse
AuthenticationManager
AuthenticatorState
DialogAuthenticator
OAuthUserConfiguration
PortalItem

Additional information

This sample uses the toolkit's authentication module to handle authentication.

The workflow presented in this sample works for all SAML based enterprise (IWA, PKI, Okta, etc.) & social (facebook, google, etc.) identity providers for ArcGIS Online or Portal. For more information, see the topic Set up enterprise logins.

For additional information on using Oauth in your app, see the topic Authenticate with the API in Mobile and Native Named User Login.

For more information on how OAuth works visit OAuth 2.0 with ArcGIS

Sample Code

MapViewModel.kt

MainActivity.kt

MainScreen.kt

Use dark colors for code blocksCopy
/* Copyright 2024 Esri
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 */

package com.esri.arcgismaps.sample.authenticatewithoauth.components

import android.app.Application
import androidx.lifecycle.AndroidViewModel
import com.arcgismaps.httpcore.authentication.OAuthUserConfiguration
import com.arcgismaps.mapping.ArcGISMap
import com.arcgismaps.mapping.PortalItem
import com.arcgismaps.portal.Portal
import com.arcgismaps.toolkit.authentication.AuthenticatorState
import com.arcgismaps.toolkit.geoviewcompose.MapViewProxy

class MapViewModel(application: Application) : AndroidViewModel(application) {

    // This should also be passed to the composable MapView this mapViewProxy is associated with.
    val mapViewProxy = MapViewProxy()

    // The AuthenticatorState is used to manage the state to handle authentication challenges.
    val authenticatorState = AuthenticatorState().apply {
        // Set up OAuth configuration if you want to use OAuth. Leaving the oAuthoUserConfiguration
        // null will instead see the user challenged for credentials in an AlertDialog.
        oAuthUserConfiguration = OAuthUserConfiguration(
            "https://www.arcgis.com",
            // This clientId is a unique identifier associated with an application registered with
            // the portal. Your app will need its own clientId which you can create here:
            // https://developers.arcgis.com/documentation/mapping-apis-and-services/security/tutorials/register-your-application/
            "lgAdHkYZYlwwfAhC",
            // The URL that the OAuth server will redirect to after the user has authenticated.
            "authenticate-with-oauth://auth",
        )
    }

    // Create a map from a portal item.
    val arcGISMap = ArcGISMap(
        PortalItem(
            // Setting the portal connection to "Authenticated" will issue an authentication
            // challenge.
            portal = Portal(
                url = "https://www.arcgis.com",
                connection = Portal.Connection.Authenticated
            ),
            itemId = "e5039444ef3c48b8a8fdc9227f9be7c1"
        )
    )
}