Types of credentials

You can access resources secured with user authentication, app authentication, or network authentication using the available credential types.

ArcGIS credentials are used to access resources secured by ArcGIS authentication methods, such as OAuth, Identity-Aware Proxy (IAP), and ArcGIS token. For more information, see ArcGIS credentials.
Network credentials are used to access resources secured by network authentication methods, such as Integrated Windows Authentication (IWA) and Client Certificate (PKI). For more information, see Network credentials.

ArcGIS credentials

You can access secured resources with user authentication or app authentication using any of the following credential types:

OAuthUserCredential - A credential object used to access OAuth token-secured ArcGIS resources with a specific OAuthUserConfiguration.
IAPCredential - A credential object used to access ArcGIS Enterprise resources that are secured behind an Identity-Aware Proxy (IAP). You can create the credential using an IAPConfiguration.
OAuthApplicationCredential - A credential object used to access OAuth token-secured ArcGIS resources using the application's credentials.
TokenCredential - A credential object used to access token-secured ArcGIS resources.
PregeneratedTokenCredential - A credential object used to access token-secured ArcGIS resources using a token that is generated outside of your application.

If you know the services domain/server context, you can create an ArcGIS credential, independent of loading the specific resource and store it in the ArcGISCredentialStore.

OAuthUserCredential

To create an OAuthUserCredential, provide an OAuthUserConfiguration with a valid portal URL, client ID, and redirect URL. This will present the OAuth sign in page for the user to enter their username and password. Once the OAuthUserCredential is created, you can access token information from the asynchronous tokenInfo property.

Use dark colors for code blocksCopy
        let configuration = OAuthUserConfiguration(
            portalURL: URL(string: "portal-string")!,
            clientID: "client-ID",
            redirectURL: URL(string: "redirect-string")!
        )
        let credential = try await OAuthUserCredential.credential(for: configuration)
        let tokenInfo = try await credential.tokenInfo

IAPCredential

The IAPCredential supports access to an ArcGIS Enterprise portal and its services that are protected behind an Identity-Aware Proxy (IAP). ArcGIS Maps SDK for Swift currently supports the Microsort Entra Application Proxy via the Microsoft Identity Platform. To initiate an IAP authorization workflow, create an IAPConfiguration to store your application's registration details and use it to create an IAPCredential.

Use the following steps to create an IAPCredential:

To establish trust between your application and the IAP, your administrator registers your application with the Microsoft Identity Platform. Following this, you can review the client ID, tenant ID, redirect url, and so on.

Create an IAPConfiguration using these application registration details. Depending on your workflow, you can initialize an IAPConfiguration by either providing the details in a JSON file or supplying them directly in the application's code.

To initialize the IAPConfiguration with a JSON file, create a Microsort Entra Application Proxy JSON file containing the following key/value pairs:
Use dark colors for code blocksCopy
```
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
{
 "authorize_url" : "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize",
 "token_url" : "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token",
 "logout_url" : "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/logout",
 "client_id" : "<client_id>",
 "redirect_url" : "<redirect_url>",
 "scope" : [
     "<client_id>/.default",
     "offline_access",
     "openid",
     "profile"
 ],
 "hosts_behind_proxy" : ["*.domain.com"],
 "authorization_prompt_type" : "<empty string, none, login, consent, or select_account>"
}
```
The keys are defined as follows:
- authorize_url - The authorization endpoint of the Identity-Aware Proxy (IAP) portal.
- token_url - The token endpoint of the Identity-Aware Proxy (IAP) portal.
- logout_url - The logout endpoint of the Identity-Aware Proxy (IAP) portal.
- client_id - A unique identifier associated with an application which is registered with the Identity-Aware Proxy (IAP) portal.
- redirect_url - The URL that the Identity-Aware Proxy (IAP) login and logout pages will redirect to when authentication completes. The scheme of this URL must be registered as a custom URL scheme in the application.
- scope - The scope of user's account.
- hosts_behind_proxy - The hosts to be accessed behind the Identity-Aware Proxy (IAP).
- authorization_prompt_type - The type of user interaction required for authentication and consent while signing in to the Identity-Aware Proxy (IAP).

Create the IAPConfiguration using the IAPConfiguration.configuration(from:) initializer.

Use dark colors for code blocksCopy
    static var iapConfigurationFromJSON: IAPConfiguration {
        get async throws {
            try await .configuration(
                from: URL(filePath: "/path/to/IAP configuration/file.json")!
            )
        }
    }

If the JSON file is missing any required properties, this IAPConfiguration initializer will fail.

Alternatively, create the IAPConfiguration by specifying each parameter in the IAPConfiguration.configuration initializer.

Use dark colors for code blocksCopy
    static var iapConfiguration: IAPConfiguration {
        try! .configuration(
            authorizeURL: URL(string: "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize")!,
            tokenURL: URL(string: "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token")!,
            logoutURL: URL(string: "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/logout")!,
            clientID: "<client_id>",
            redirectURL: URL(string: "<redirect_url>")!,
            scopes: ["<client_id>/.default",
                     "offline_access",
                     "openid",
                     "profile"],
            hostsBehindProxy: ["*.domain.com"])
    }

Best Practice: To avoid storing secure information in you application's code, the recommended approach is to use the IAPConfiguration.configuration(from:) initializer with a JSON file on disk to create a IAPConfiguration.

To ensure that the IAPConfiguration can be used when an authentication challenge is issued for IAP credential, call IAPConfiguration.canBeUsed(for:) using a URL specified in the configuration’s hosts behind proxy.

Use dark colors for code blocksCopy
        if iapConfiguration.canBeUsed(for: URL(string: "<ArcGIS Enterprise resource URL of host specified in hostsBehindProxy>")) {
            print("The IAP configuration supports access to the Identity-Aware Proxy.")
        } else {
            print("The IAP configuration can not be used for the given url. Review the configuration parameters.")
        }

Create the IAPCredential using the IAPConfiguration. This will present the Microsoft sign-in page for the user to enter their username and password. Once the IAPCredential is created, it is added to the ArcGISCredentialStore and you can access its tokenInfo property.

Use dark colors for code blocksCopy
      let iapCredential = try await IAPCredential.credential(for: iapConfiguration)

      let tokenInfo = try await iapCredential.tokenInfo

During application sign-out, you must invalidate the credential by calling IAPCredential.invalidate(). This will present a Microsoft page that allows the user to sign-out. Note that after a successful sign-out, the user must click the Cancel button to return to your application.

Use dark colors for code blocksCopy
        do {
            try await iapCredential.invalidate()
        } catch {
            print("IAP credential is not invalidated.")
        }

TokenCredential

To create a TokenCredential, provide a secured service URL, valid username, and password. Optionally, you can specify token expiration minutes. Once a TokenCredential is created, you can access token information from the asynchronous tokenInfo property.

Use dark colors for code blocksCopy
        let credential = try await TokenCredential.credential(
            for: URL(string: "portal-string")!,
            username: "username",
            password: "password",
            tokenExpirationMinutes: 5
        )
        let tokenInfo = try await credential.tokenInfo

PregeneratedTokenCredential

To create a PregeneratedTokenCredential, provide a previously generated short or long-lived access token. Use this credential when the access token is created using the generateToken REST endpoint directly. You must provide the referer if one was used while generating the token.

Use dark colors for code blocksCopy
        let tokenInfo = TokenInfo(
            accessToken: "<access-token",
            expirationDate: date,
            isSSLRequired: true
        )
        let credential = PregeneratedTokenCredential(
            url: URL(string: "service-string")!,
            tokenInfo: tokenInfo!,
            referer: "referer"
        )

OAuthApplicationCredential

To create an OAuthApplicationCredential, provide a valid portal URL, a client ID, and a client secret. Optionally, you can specify the token expiration in minutes. Once the OAuthApplicationCredential is created, you can access the token information from the asynchronous tokenInfo property.

Use dark colors for code blocksCopy
        let credential = try await OAuthApplicationCredential.credential(
            for: URL(string: "portal-string")!,
            clientID: "client-ID",
            clientSecret: "client-secret",
            tokenExpirationMinutes: 5
        )
        let tokenInfo = try await credential.tokenInfo

Network credentials

You can access resources secured by network authentication using the following credential types.

PasswordCredential - A credential object that is used to authenticate HTTP Basic/Digest or Integrated Windows Authentication (IWA) secured resources.
CertificateCredential - A credential object that is used to authenticate Client Certificate (PKI) secured resources.
ServerTrust - A network credential that specifies that a server should be trusted.

PasswordCredential

The PasswordCredential is used to authenticate HTTP Basic/Digest, Integrated Windows Authentication (IWA) secured resources. To create a PasswordCredential, use a static function of NetworkCredential with username and a password.

Use dark colors for code blocksCopy
        // Password credential for HTTP Basic/Digest, Integrated Windows Authentication (IWA)
        let passwordCredential = NetworkCredential.password(username: "my-username", password: "my-password")

CertificateCredential

A CertificateCredential is used to authenticate Public Key Infrastructure (PKI) secured resources. To create a CertificateCredential, use a static function of NetworkCredential with the URL for a .p12 or .pfx extension certificate file on disk and a password.

Use dark colors for code blocksCopy
        let credential = try NetworkCredential.certificate(at: URL(fileURLWithPath: "file URL to .p12 or .pfx file"), password: "password")

ServerTrust

To trust a development server that uses a self-signed certificate (untrusted host), create a NetworkCredential and specify that the server should be trusted.

Use dark colors for code blocksCopy
        // Server trust credential for host with self-signed certificate
        let credential = NetworkCredential.serverTrust