What is OAuth 2.0?
A standard for conveying authorization decisions.
I {username} authorize {app name} to do {whatever}
OAuth 2.0 is not an authentication protocol
OAuth 2.0 !== authentication protocol
OAuth 2.0 != authentication protocol
OAuth 2.0 is used inside of authentication protocols
OAuth 2.0 doesn't know about your users' identities; it only cares about authorization
OAuth 2.0 === Authorization
ArcGIS Portal/Online === Identity && Access
A Complete System
OAuth 2.0 + ArcGIS Portal/Online
User Logins vs App Authentication
User Logins
- User authorizes application
- Application can act on the user's behalf
- Usage, if any, is billed to that user's organization
Use User Logins When...
- You have to work with private content
- You need to create/edit content
- You want usage to be billed to your app's users
Application Authentication
- App exchanges credentials for token
- Uses token to access premium services
- Often implemented as a proxy
Use Application Authentication When…
- You only need to work with public and premium content
- You don't want your users to sign in
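
The application authentication flow above (credentials exchanged for a token, used behind a proxy), as an added example that is not from the original slides or demos. It assumes ArcGIS Online's client_credentials token endpoint; the host allowlist, the function names and the 60-second refresh margin are illustrative assumptions.

```javascript
// Added example: server-side app authentication for an ArcGIS proxy.
// Host allowlist and function names are assumptions, not from the slides.
const TOKEN_URL = 'https://www.arcgis.com/sharing/rest/oauth2/token';
const ALLOWED_HOSTS = new Set(['route.arcgis.com', 'geocode.arcgis.com']);

// Token request body: the secret travels in the POST body, never in a URL.
function buildTokenRequest(clientId, clientSecret) {
  return new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    grant_type: 'client_credentials',
    f: 'json',
  });
}

// Forward only to expected HTTPS service hosts, so the proxy cannot be
// used to attach the app token to a request for an arbitrary host.
function isAllowedUpstream(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return false; }
  return url.protocol === 'https:' && ALLOWED_HOSTS.has(url.hostname);
}

// Returns getToken(), which caches the app token until 60 s before expiry.
function createTokenSource({ clientId, clientSecret, fetchImpl = fetch, now = Date.now }) {
  let cached = null; // { token, expiresAt }
  return async function getToken() {
    if (cached && now() < cached.expiresAt - 60_000) return cached.token;
    const res = await fetchImpl(TOKEN_URL, {
      method: 'POST', body: buildTokenRequest(clientId, clientSecret),
    });
    const data = await res.json();
    // Errors can arrive in the JSON body, so check the payload itself.
    if (data.error || !data.access_token) throw new Error('token request failed');
    cached = { token: data.access_token, expiresAt: now() + data.expires_in * 1000 };
    return cached.token;
  };
}

// Builds the upstream URL the proxy requests; the browser never sees the token.
async function buildUpstreamUrl(rawUrl, getToken) {
  if (!isAllowedUpstream(rawUrl)) throw new Error('upstream not allowed');
  const url = new URL(rawUrl);
  url.searchParams.set('token', await getToken());
  return url.toString();
}
```

The proxy route itself (for example a Hapi handler) would call buildUpstreamUrl and relay the upstream response body without the token.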
What's Changed?
- ArcGIS Portal 10.3 now supports OAuth 2.0
- 1st class OAuth 2.0 support in the JS API
- More support for OAuth in the ArcGIS Runtimes
- New ways to access premium services
- Better Authentication Docs
Demo Time!
- Browser-based with JS API
- Server-based with JS API + Hapi
- App Proxies for Premium Services
Demos on GitHub