
How can I use app authentication?

Question asked by Crittermap on May 30, 2018
Latest reply on Mar 5, 2020 by nsadowy

The documentation is incomplete on this subject. I'll explain what I mean.


Access the ArcGIS platform—ArcGIS Runtime SDK for Android | ArcGIS for Developers 


"Apps that target users who are unknown to the ArcGIS platform can authenticate with the platform on behalf of the user by using an app login."


Sounds good.


So I go here.

Implementing App Login | ArcGIS for Developers 


It shows how I can register an app and get a client_id and client_secret.


Now what do I do with them?


"Once you have registered your application and obtained a client_id and client_secret, you implement app login to obtain a token. The path to follow from here will depend on which SDK you choose to implement your app with."


"If you are implementing your app using one of the ArcGIS Runtime SDKs then continue with the authentication guide for your platform."


Sounds good, I'll pick Android.


That takes me back here to where I started:

Access the ArcGIS platform—ArcGIS Runtime SDK for Android | ArcGIS for Developers 


So I keep reading:


"The ArcGIS Runtime SDK provides full support for access to secured ArcGIS Server, ArcGIS Online, or ArcGIS Enterprise resources using the following authorization methods:

  • ArcGIS Tokens: proprietary token-based authentication mechanism.
  • OAuth 2.0: secure delegated access to server resources.
  • Network credential: HTTP secured service / Integrated Windows Authentication (IWA).
  • Certificate: Public Key Infrastructure (PKI)."


So which of these authorization methods uses a client_id and client_secret?


"The types of Authentication Challenge include the following:

  • Username / password: Challenges needing username / password authentication.
  • OAuth: Challenges needing an OAuth authorization code.
  • Client Certificate: Challenges needing a client certificate to be provided.
  • Secure Sockets Layer (SSL) Handshake - Challenges needing a response to certain SslError errors, usually an untrusted host due to a self-signed certificate."


I still don't see anything about using a client_id and client_secret.

Are they a username/password?


Maybe this is all obvious to the rest of you, but not to me.


It would help to have a COMPLETE EXAMPLE.
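
Editor's added example, not part of the original post or of Esri's documentation: the app login quoted above is the OAuth 2.0 client_credentials grant, where client_id and client_secret are exchanged for a short-lived access token. The sketch assumes ArcGIS Online's token endpoint; the function names and sample responses are constructed for illustration.

```python
import json
import time
import urllib.parse
import urllib.request

# Assumption: ArcGIS Online. An ArcGIS Enterprise portal exposes its own
# .../sharing/rest/oauth2/token URL instead.
TOKEN_URL = "https://www.arcgis.com/sharing/rest/oauth2/token"

class TokenError(Exception):
    """Raised when the token endpoint reports a failure."""

def build_token_request(client_id, client_secret):
    """Form-encoded POST body for the client_credentials grant (app login)."""
    return urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    }).encode("ascii")

def parse_token_response(body, now=None):
    """Return (access_token, expires_at_epoch_seconds).

    Failures arrive as a JSON 'error' object, so the body is inspected
    rather than relying on the HTTP status alone."""
    data = json.loads(body)
    if "error" in data:
        err = data["error"]
        msg = err.get("message") or err.get("error_description") if isinstance(err, dict) else err
        raise TokenError(str(msg))
    token = data.get("access_token")
    if not token:
        raise TokenError("response carried no access_token")
    now = time.time() if now is None else now
    return token, now + int(data.get("expires_in", 0))

def fetch_app_token(client_id, client_secret, timeout=10):
    """Meant to run on a server you control, so client_secret never ships
    inside the APK; the mobile app receives only the short-lived token."""
    req = urllib.request.Request(TOKEN_URL, data=build_token_request(client_id, client_secret))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read())

# Constructed sample responses (not captured from a real portal).
SAMPLE_OK = b'{"access_token": "EXAMPLE-TOKEN", "expires_in": 7200}'
SAMPLE_ERR = b'{"error": {"code": 400, "error": "invalid_client_id", "message": "Invalid client_id"}}'

if __name__ == "__main__":
    print(parse_token_response(SAMPLE_OK, now=0))
```
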