OAuth2 PKCE Flow, will Portal for ArcGIS support this authentication flow?

MarkoReiprecht1 · ‎02-12-2020

Currently Portal for ArcGIS and ArcGIS Online support the "implicite flow" for browser based logins:

Browser-based Named User Login | ArcGIS for Developers

The implicit flow is some kind of "deprecated" and I found following recommandation:

"Public clients such as native apps and JavaScript apps should now use the authorization code flow with the PKCE extension instead."

See https://oauth.net/2/grant-types/implicit/ .

Can I expect that this more secure flow will be supported by ArcGIS Online and Portal for ArcGIS?

Raul_Jimenez · ‎10-25-2022

Reading the doc for the authorize endpoint I see this:

Note:
Support for PKCE was introduced in 2020 for ArcGIS Online and at version 10.8.1 for ArcGIS Enterprise.

Right know I'm working in this Postman collection to emulate the different flows (using ArcGIS Online / ArcGIS Platform products), but Enterprise should be pretty similar in terms of PKCE.

Hope this helps!

View solution in original post

pheede-esri · ‎06-09-2020

Hi Marko,

ArcGIS Online added support for the Authorization Code flow with PKCE in the March 2020 update. ArcGIS Enterprise 10.8.1 will have the same support when released later this year.

Sincerely,

Philip

Drugis · ‎05-10-2022

Hi Philip

I failed to find PKCE documentation for the latest version of ArcGIS Enterprise.
Has this functionality been released?

Kind regards,
Sigurd

Raul_Jimenez · ‎10-25-2022

Reading the doc for the authorize endpoint I see this:

Note:
Support for PKCE was introduced in 2020 for ArcGIS Online and at version 10.8.1 for ArcGIS Enterprise.

Right know I'm working in this Postman collection to emulate the different flows (using ArcGIS Online / ArcGIS Platform products), but Enterprise should be pretty similar in terms of PKCE.

Hope this helps!