
Types of authentication

ArcGIS supports secure access to ArcGIS services and portal items to ensure that only valid, authorized users and services can access protected information. This SDK supports various authentication methods. The type of authentication you use depends on the security and access requirements of your app. The available authentication methods are described below. See the Choose a type of authentication section for help determining which type of authentication is best suited to your use case.

There are three types of authentication that you can use to get an access token:

  • API key authentication: grants a long-lived access token to authenticate requests to ArcGIS services and secure portal items. For more information see the Introduction to API key authentication. To obtain an API key access token, go to the Create an API key tutorial using your ArcGIS account. Here you can configure the API key privileges to authorize access to different services and portal items.

  • User authentication: a collection of authentication workflows that connect your app to a user's ArcGIS account.

    • OAuth 2.0: manages ArcGIS authentication and grants a short-lived access token generated via OAuth 2.0. This gives your application permission to access ArcGIS secured services authorized to an existing ArcGIS user's account. For more information see the OAuthUserCredential.
    • Generate token: manages ArcGIS authentication and grants a short-lived access token generated via Esri's proprietary token-based authentication mechanism. This gives your application permission to access ArcGIS secured services authorized to an existing ArcGIS user's account. For more information see the TokenCredential and PregeneratedTokenCredential.
  • App authentication: uses the registered application's credentials to access location services on ArcGIS. It manages ArcGIS authentication and grants a short-lived access token generated via OAuth 2.0 using the Application item's Client ID and Client Secret outside of the context of a user. For more information see the OAuthApplicationCredential topic.

API key authentication

An API key can grant your public-facing application access to specific ArcGIS services and portal items.

Use API key authentication when you want to:

  • Quickly write applications that consume ArcGIS services.
  • Provide access to services without requiring users to sign in with an ArcGIS account.

To authorize your app to access secured resources, obtain an API key access token using the Create an API key tutorial. Set the API key access token on the ArcGISRuntimeEnvironment.

    ArcGISRuntimeEnvironment::setApiKey("YOUR_ACCESS_TOKEN");

You can view the app's usage telemetry on the respective ArcGIS Location Platform or ArcGIS Online account. You can also set the API key access token on any class that implements ApiKeyResource. This overrides any access token you have set on the ArcGISRuntimeEnvironment and enables more granular usage telemetry.

    // Create a new ArcGIS basemap and apply an access token.
    Basemap* basemap = new Basemap(BasemapStyle::ArcGISTopographic, this);
    basemap->setApiKey("YOUR_ACCESS_TOKEN");

    // Create a new map with the basemap.
    m_map->setBasemap(basemap);

Classes that implement ApiKeyResource include:

Learn more about API key authentication
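
The snippets above pass the literal "YOUR_ACCESS_TOKEN" to setApiKey. Because an API key access token is long-lived, the following added example (not code from the SDK or its documentation) shows one way to keep it out of source control: read it at startup, reject a missing or placeholder value, and log only a redacted form. The helper names and the ARCGIS_API_KEY variable name are assumptions made for this example.

```cpp
#include <cctype>
#include <cstdlib>
#include <iostream>
#include <string>

// Hypothetical helper (not an SDK API): trim surrounding whitespace and
// reject values that are missing, empty, or still the documentation
// placeholder.
bool resolveApiKey(const char* raw, std::string& out) {
    if (raw == nullptr) return false;
    std::string s(raw);
    std::size_t b = 0, e = s.size();
    while (b < e && std::isspace(static_cast<unsigned char>(s[b]))) ++b;
    while (e > b && std::isspace(static_cast<unsigned char>(s[e - 1]))) --e;
    s = s.substr(b, e - b);
    if (s.empty() || s == "YOUR_ACCESS_TOKEN") return false;
    out = s;
    return true;
}

// Read the key from an environment variable whose name the caller chooses.
bool loadApiKeyFromEnv(const char* varName, std::string& out) {
    return resolveApiKey(std::getenv(varName), out);
}

// Log-safe form: keep only the last four characters so the long-lived
// token never appears in full in logs or crash reports.
std::string redact(const std::string& key) {
    if (key.size() <= 8) return std::string(key.size(), '*');
    return std::string(key.size() - 4, '*') + key.substr(key.size() - 4);
}

int main() {
    std::string key;
    // ARCGIS_API_KEY is an assumed variable name for this example.
    if (!loadApiKeyFromEnv("ARCGIS_API_KEY", key)) {
        std::cerr << "No usable API key access token configured\n";
        return 1;
    }
    std::cout << "Using API key " << redact(key) << "\n";
    // In the app: ArcGISRuntimeEnvironment::setApiKey(QString::fromStdString(key));
    return 0;
}
```
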

User authentication

User authentication is a set of authentication workflows that allow users with an ArcGIS account to sign in to an application and access ArcGIS content, services, and resources. The typical authentication protocol used is OAuth 2.0. When a user signs in to an application with their ArcGIS account, an access token is generated that authorizes the application to access services and content on their behalf. The resources and functionality available depend on the user type, roles, and privileges of the user's ArcGIS account.

Services that your app accesses with user authentication are billed to the authenticated user's ArcGIS account and its associated ArcGIS subscription. If your application will access your users' secure content in ArcGIS or if you plan to distribute your application through ArcGIS Marketplace, you must use user authentication.

Implement user authentication when you want to:

  • Ensure users are signed in and authenticated with their own ArcGIS account.
  • Use your app user's credits to pay for their private data, content, or service transactions.
  • Limit the length of time users can be signed in to your app with a temporary token.
  • Distribute your app through ArcGIS Marketplace.

Learn more about user authentication

App authentication

App authentication grants a short-lived access token, generated via OAuth 2.0, authorizing your application to access ArcGIS location services, such as basemap layers, search, and routing.

Use app authentication when you want to:

  • Access location services with a more secure process and a short-lived token.
  • Provide access to services without requiring users to have an ArcGIS account.

Learn more about app authentication

Choose a type of authentication

The following considerations can help determine which type of authentication to implement:

  • Access to resources—Your app can access ArcGIS services and portal items using API key authentication, User authentication, or App authentication.

  • User experience—If you don't want to make users log in, your app can access ArcGIS services using API key authentication or App authentication. In this case, users will not need to have an ArcGIS account in order to use your app.

  • Usage charges—If you want service usage to be charged to the user's account, your app must request that the user log in using User authentication. When using API key authentication or App authentication, all access to services from your app will be charged to your ArcGIS account.

You might also need to consider the level of security required for your app, how your app will be distributed, and your available ArcGIS products and accounts.

| Scenario | Solution |
| --- | --- |
| Your app requires access to ArcGIS services only, you don't want to make users log in, and you are willing to pay for all charges incurred from usage of the app. | API key authentication or App authentication |
| Your app requires access to location services only and you want usage charged to the user. | User authentication |
| Your app needs to access content that requires an ArcGIS Online subscription. | User authentication |
| Your app needs to access private hosted data on your ArcGIS Location Platform account. | API key authentication or App authentication |
| Your app allows users to view and edit private data hosted in ArcGIS Online or ArcGIS Enterprise. | User authentication |
| You plan to distribute your app through ArcGIS Marketplace. | User authentication |
