Types of credentials

You can access resources secured with user authentication, app authentication, or network authentication using the available credential types.

ArcGIS credentials are used to access resources secured by ArcGIS authentication methods, such as OAuth, Identity-Aware Proxy (IAP), and ArcGIS token. For more information, see ArcGIS credentials.
Network credentials are used to access resources secured by network authentication methods, such as Integrated Windows Authentication (IWA) and Client Certificate (PKI). For more information, see Network credentials.

ArcGIS credentials

You can access secure resources with user authentication or app authentication using any of the following credential types:

OAuthUserCredential - A credential object used to access OAuth token-secured ArcGIS resources with a specific OAuthUserConfiguration.
OAuthApplicationCredential - A credential object used to access OAuth token-secured ArcGIS resources using the application's credentials.
TokenCredential - A credential object used to access token-secured ArcGIS resources.
PregeneratedTokenCredential - A credential object used to access token-secured ArcGIS resources using a token that is generated outside of your application.

If you know the service's domain/server context, you can create an ArcGIS credential independent of loading the specific resource and store it in the ArcGISCredentialStore.

OAuthUserCredential

To create an OAuthUserCredential, provide an OAuthUserConfiguration with a valid portal URL, client ID, and redirect URL. You must present a prompt, in a browser supported by the device, for the user to enter their username and password. The response from the browser should be handled within your activity or the fragment that launched the browser prompt. Once the OAuthUserCredential is created, you will be able to access the token information from the asynchronous tokenInfo method.

Use dark colors for code blocksCopy
void SecurityAndAuthentication::oauthUserCredentials(const QUrl& portalUrl, const QString& clientId,
                                                     const QString& redirectUri)
{
    // Create a new OAuth user configuration using the supplied: portalUrl, clientId, redirectUri,
    // and parent object.
    OAuthUserConfiguration* oauthUserConfiguration = new OAuthUserConfiguration(
                portalUrl, clientId, redirectUri, this);

    // Get the OAuth user credential object from the static OAuth credential's create async method
    // (uses QFuture).
    OAuthUserCredential::createAsync(oauthUserConfiguration, this).then(
                this, [this](OAuthUserCredential* oauthUserCredential)
    {
        // Get the OAuth user token info object from the OAuth credential's token info async method
        // (uses QFuture).
        oauthUserCredential->tokenInfoAsync(this).then(
                    this, [](Authentication::OAuthUserTokenInfo* oauthUserTokenInfo)
        {
            // Access the authentication OAuth user token info details here...
            qDebug() << oauthUserTokenInfo->expirationDate();
        });
    });
}

TokenCredential

To create a TokenCredential, provide a secured service URL, valid username, and password. Optionally, you can specify token expiration minutes. Once a TokenCredential is created, you will be able to access token information from the asynchronous tokenInfo property.

Use dark colors for code blocksCopy
void SecurityAndAuthentication::tokenCredentials(const QUrl& url, const QString& username,
                                                 const QString& password,
                                                 std::optional<int> tokenExpirationInterval)
{
    // Get the token credential object from the static token credential's create async method
    // (uses QFuture).
    TokenCredential::createAsync(url, username, password,tokenExpirationInterval, this).then(
      this, [this](TokenCredential* tokenCredential)
    {
        // Get the token info object from the token credential's token info async method (uses
        // QFuture).
        tokenCredential->tokenInfoAsync(this).then(
            this, [](Authentication::TokenInfo* tokenInfo)
        {
            // Access the authentication token info info details here...
            qDebug() << tokenInfo->expirationDate();
        });
    });
}

PregeneratedTokenCredential

To create a PregeneratedTokenCredential, provide a previously generated short or long-lived access token. Use this when the access token is created using the generateToken REST endpoint directly. You must provide the referer if one was used while generating the token.

Use dark colors for code blocksCopy
    // Create a new token info using the supplied: accessToken, expirationDate, isSslRequired,
    // and parent object.
    TokenInfo* tokenInfo = new TokenInfo(accessToken, expirationDate, isSslRequired, this);

    // Create a new pregenerated token credential using the supplied: url, token info, referer,
    // and parent object.
    PregeneratedTokenCredential* pregeneratedTokenCredential = new PregeneratedTokenCredential(
                url, tokenInfo, referer, this);

OAuthApplicationCredential

To create an OAuthApplicationCredential, provide a valid portal URL, a client ID, and a client secret. Optionally, you can specify the token expiration in minutes. Once the OAuthApplicationCredential is created, you will be able to access the token information from the asynchronous tokenInfo property.

Use dark colors for code blocksCopy
void SecurityAndAuthentication::oauthApplicationCredentials(const QUrl& portalUrl,
                                                            const QString& clientId,
                                                            const QString& clientSecret,
                                                            std::optional<int> tokenExpirationInterval)
{
    // Get the OAuth application credential object from the static OAuth application credential's
    // create async method (uses QFuture).
    OAuthApplicationCredential::createAsync(portalUrl, clientId, clientSecret, tokenExpirationInterval,
         this).then(this, [this](OAuthApplicationCredential* oauthApplicationCredential)
                {
                    // Get the OAuth application token info object from the OAuth application
                    // credential's token info async method (uses QFuture).
                    oauthApplicationCredential->tokenInfoAsync(this).then(
                                this, [](OAuthApplicationTokenInfo* oauthApplicationTokenInfo)
                    {
                        // Access the OAuth application token token info info details here...
                        qDebug() << oauthApplicationTokenInfo->expirationDate();
                    });
                });
}

Network credentials

You can access resources secured by network authentication using the following credential types:

PasswordCredential - A credential object that is used to authenticate HTTP Basic or Integrated Windows Authentication (IWA) secured resources.
CertificateCredential - A credential object that is used to authenticate Public Key Infrastructure (PKI) secured resources.
ServerTrust - A network credential that specifies that a server should be trusted.

PasswordCredential

The PasswordCredential is used to authenticate HTTP Basic/Digest or Integrated Windows Authentication (IWA) secured resources.

Use dark colors for code blocksCopy
    // Get a password credential from the network credential password method.
    PasswordCredential* passwordCredential =NetworkCredential::password(username, password, this);

CertificateCredential

CertificateCredential represents a digital client certificate used to access certificate secured resources. All digital certificates must be pre-installed in the device keychain. The CertificateCredential can be created using the alias of the chosen certificate.

Use dark colors for code blocksCopy
    // Get a certificate credential from the network credential certificate method.
    CertificateCredential* certificateCredential = NetworkCredential::certificate(path, password, this);

ServerTrust

To trust a development server that uses a self-signed certificate (untrusted host), create a NetworkCredential and specify that the server should be trusted.

The following pseudo-code shows the generic steps to override the NetworkAuthenticationChallengeHandler:

Use dark colors for code blocksCopy
// Helpful reference docs:
// https://developers.arcgis.com/qt/cpp/api-reference/esri-arcgisruntime-authentication-networkauthenticationchallengehandler.html#dtor.NetworkAuthenticationChallengeHandler
// https://developers.arcgis.com/qt/cpp/api-reference/esri-arcgisruntime-authentication-networkauthenticationchallenge.html#networkChallengeType
// https://developers.arcgis.com/qt/cpp/api-reference/esri-arcgisruntime-authentication-servertrustcredential.html

class ServerTrustChallengeHandler : public NetworkAuthenticationChallengeHandler
{
public:
  ServerTrustChallengeHandler(QObject* parent) :
    NetworkAuthenticationChallengeHandler(parent)
  {}

  ~ServerTrustChallengeHandler() override = default;
private:
  void handleNetworkAuthenticationChallenge(NetworkAuthenticationChallenge* challenge) override
  {
    // Check if this is a ServerTrust challenge.
    if (challenge->networkChallengeType() == NetworkChallengeType::ServerTrust)
    {
      ServerTrustCredential* credential = ServerTrustCredential::createWithChallenge(challenge, this);
      challenge->continueWithCredential(credential);
      challenge->deleteLater();
      return;
    }
  }
};