UserSession

Client ID being used for authentication if provided in the constructor.

The currently authenticated user's password if provided in the constructor.

The current portal the user is authenticated with.

The authentication provider to use.

A valid redirect URI for this application if provided in the constructor.

Duration of new OAuth 2.0 refresh token validity (in minutes).

An unfederated ArcGIS Server instance known to recognize credentials supplied manually.

{
  server: "https://sampleserver6.arcgisonline.com/arcgis",
  token: "SOSlV3v..",
  tokenExpires: new Date(1545415669763)
}

This value is set to true automatically if the ArcGIS Organization requires that requests be made over https.

Determines how long new tokens requested are valid.

The currently authenticated user if provided in the constructor.

The current token to ArcGIS Online or ArcGIS Enterprise.

The expiration time of the current refreshToken.

The current ArcGIS Online or ArcGIS Enterprise token.

The expiration time of the current token.

Deprecated, use federatedServers instead.

Begins a new server-based OAuth 2.0 sign in. This will redirect the user to the ArcGIS Online or ArcGIS Enterprise authorization page.

Begins a new browser-based OAuth 2.0 sign in. If options.popup is true the authentication window will open in a new tab/window and the function will return Promise<UserSession>. Otherwise, the user will be redirected to the authorization page in their current tab/window and the function will return undefined.

Completes a browser-based OAuth 2.0 sign in. If options.popup is true the user will be returned to the previous window. Otherwise a new UserSession will be returned. You must pass the same values for options.popup and options.portal as you used in beginOAuth2().

Completes the server-based OAuth 2.0 sign in process by exchanging the authorizationCode for a access_token.

Translates authentication from the format used in the ArcGIS API for JavaScript.

UserSession.fromCredential({
  userId: "jsmith",
  token: "secret"
});

Request session information from the parent application

When an application is embedded into another application via an IFrame, the embedded app can use window.postMessage to request credentials from the host application. This function wraps that behavior.

The ArcGIS API for Javascript has this built into the Identity Manager as of the 4.19 release.

Note: The parent application will not respond if the embedded app's origin is not:

• the same origin as the parent or *.arcgis.com (JSAPI)
• in the list of valid child origins (REST-JS)

For a "Host" app that has embedded other platform apps via iframes, when the host needs to transition routes, it should call UserSession.disablePostMessageAuth() to remove the event listener and prevent memory leaks

For a "Host" app that embeds other platform apps via iframes, after authenticating the user and creating a UserSession, the app can then enable "post message" style authentication by calling this method.

Internally this adds an event listener on window for the message event

Returns the proper [credentials] option for fetch for a given domain. See trusted server. Used internally by underlying request methods to add support for specific security considerations.

Returns information about the currently logged in user's portal. Subsequent calls will not result in additional web traffic.

session.getPortal()
  .then(response => {
    console.log(portal.name); // "City of ..."
  })

Determines the root of the ArcGIS Server or Portal for a given URL.

Gets an appropriate token for the given URL. If portal is ArcGIS Online and the request is to an ArcGIS Online domain token will be used. If the request is to the current portal the current token will also be used. However if the request is to an unknown server we will validate the server with a request to our current portal.

Returns information about the currently logged in user. Subsequent calls will not result in additional web traffic.

session.getUser()
  .then(response => {
    console.log(response.role); // "org_admin"
  })

Returns the username for the currently logged in user. Subsequent calls will not result in additional web traffic. This is also used internally when a username is required for some requests but is not present in the options.

session.getUsername() .then(response => { console.log(response); // "casey_jones" })

Manually refreshes the current token and tokenExpires.

Returns authentication in a format useable in the ArcGIS API for JavaScript.

esriId.registerToken(session.toCredential());

Get application access information for the current user see validateAppAccess function for details