OAuth app authentication

PartyPelican · ‎09-17-2024

Does anyone know how to use the token from this endpoint?

https://developers.arcgis.com/rest/users-groups-and-items/token/

I was trying trying to implement app authentication but even with a token, trying to access secured items on ArcGIS Online wasn't possible. I kept getting an "invalid token" error. I have a server making the request to the OAuth token endpoint, then the server sends the token to my client side application and I used the IdentityManager.registerToken() and pass in the token but failed to gain access.

https://developers.arcgis.com/documentation/security-and-authentication/app-authentication/

GISPolice · ‎03-12-2025

I know I'm a few months late to see this one, although this doesn't handle token management through the backend (all ended through the front end via implicit flow) for anyone having trouble with token generation this may be a useful starting point.

This method is good for those who don't have a backend but comes with its security risks due to the exposed access token (stored on browser's local storage), and the token cannot be refreshed so the user needs to log back in after 30 minutes to generate a new token (the script below, creates a popup notifying the user their token has expired).

https://jsfiddle.net/yu7gLs9j/

This is the callback.html used (which also needs to be stated on the application on Arcgis Online)
https://jsfiddle.net/ce67oLmp/

John-Foster · ‎03-17-2025

Regarding security best practice, we do not recommend storing client id/client secret in a client app. https://developers.arcgis.com/documentation/security-and-authentication/security-best-practices/#use...

Here is an example implementation of application authentication using Node.js, the procedure may help you figure this out https://github.com/EsriDevEvents/2025-DTS-Security-and-auth-for-custom-apps/tree/main/app-authentica... the Dev & Tech Summit video should post in a few weeks.

--jf