From 98638cd9be018ad1fe2e666c04cf7168970db8df Mon Sep 17 00:00:00 2001 From: Tarun Kukreja Date: Fri, 6 Mar 2026 14:57:33 -0800 Subject: [PATCH 1/4] App Authentication added --- ...ith-different-authentication-schemes.ipynb | 85 ++++++++++++++++++- 1 file changed, 84 insertions(+), 1 deletion(-) diff --git a/guide/03-the-gis/working-with-different-authentication-schemes.ipynb b/guide/03-the-gis/working-with-different-authentication-schemes.ipynb index 25768c629d..cf559766a1 100644 --- a/guide/03-the-gis/working-with-different-authentication-schemes.ipynb +++ b/guide/03-the-gis/working-with-different-authentication-schemes.ipynb @@ -453,6 +453,89 @@ "The recommended suggestion for non-interactive login scripts is to use the built-in identity provider instead of SAML." ] }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## App Authentication using API Key Credentials" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "This workflow demonstrates how to use an Administrative connection to register a new Application, define its security boundaries (Privileges, Expiration, and Referers), and subsequently initialize a restricted GIS session using the generated `client_id`" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "##### 1. Establish Administrative Connection\n", + "Before creating credentials, you must connect to your Portal as an Administrator. This \"Master Connection\" is used to manage the lifecycle of your application identities." + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "from arcgis.gis import GIS\n", + "\n", + "# Initialize the Admin session using a local profile\n", + "gis_admin = GIS(url=\"your_organization_url\", username=\"your_admin_username\", password=\"your_admin_ password\")" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "##### 2. Creating the App Identity\n", + "\n", + "The `developer_credentials.create` is a method of the `DeveloperCredentialManager` class that registers the app. Here, we define the \"Security Perimeter\" of the application before it ever logs in." + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "from arcgis.gis.admin._stokenmgr import TokenPrivilege\n", + "import datetime as dt\n", + "\n", + "# Define the restricted sandbox\n", + "apiKeyCredentials = gis_admin.admin.developer_credentials.create(\n", + " title=\"API Key Credentials\",\n", + " privileges=[TokenPrivilege.PORTAL_USER_VIEWORGUSERS], # Restricted Scope\n", + " expiration=dt.datetime(2026, 3, 8, 11, 29, 22), # Time-limited\n", + " referers=[\"https://example.com\"] # Domain-locked\n", + ")\n", + "\n", + "# Retrieve the Client ID (The App's Username)\n", + "client_id = apiKeyCredentials.app_info['client_id']" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "##### 3. Initializing the App Session (App Authentication)\n", + "\n", + "Now, we initialize a new GIS object using the client_id. This session is App-authenticated. It does not represent the Admin; it represents the \"API Key Credentials\" app itself." + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "# Authenticate as the App\n", + "gis_app = GIS(url=\"https://arcgis.com\", client_id=client_id)" + ] + }, { "cell_type": "markdown", "metadata": {}, @@ -655,7 +738,7 @@ "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", - "version": "3.13.5" + "version": "3.13.7" }, "toc": { "base_numbering": 1, From 1af7a2318c99ef0f34c76208732ed1b6bd2f4129 Mon Sep 17 00:00:00 2001 From: Tarun Kukreja Date: Fri, 6 Mar 2026 15:17:51 -0800 Subject: [PATCH 2/4] updated with client_secret parameter --- .../working-with-different-authentication-schemes.ipynb | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/guide/03-the-gis/working-with-different-authentication-schemes.ipynb b/guide/03-the-gis/working-with-different-authentication-schemes.ipynb index cf559766a1..6b07260513 100644 --- a/guide/03-the-gis/working-with-different-authentication-schemes.ipynb +++ b/guide/03-the-gis/working-with-different-authentication-schemes.ipynb @@ -513,8 +513,9 @@ " referers=[\"https://example.com\"] # Domain-locked\n", ")\n", "\n", - "# Retrieve the Client ID (The App's Username)\n", - "client_id = apiKeyCredentials.app_info['client_id']" + "# Retrieve the Client ID (The App's Username) and the Client Secret (The App's Password)\n", + "client_id = apiKeyCredentials.app_info['client_id']\n", + "client_secret=apiKeyCredentials.app_info['client_secret']" ] }, { @@ -533,7 +534,7 @@ "outputs": [], "source": [ "# Authenticate as the App\n", - "gis_app = GIS(url=\"https://arcgis.com\", client_id=client_id)" + "gis_app = GIS(url=\"https://arcgis.com\", client_id=client_id, client_secret=client_secret)" ] }, { From b46eb6aa961b59bc38997f5b2407f2ececd82a69 Mon Sep 17 00:00:00 2001 From: Tarun Kukreja Date: Fri, 6 Mar 2026 15:34:14 -0800 Subject: [PATCH 3/4] removed client_secret from authentication --- ...g-with-different-authentication-schemes.ipynb | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/guide/03-the-gis/working-with-different-authentication-schemes.ipynb b/guide/03-the-gis/working-with-different-authentication-schemes.ipynb index 6b07260513..af9a28220b 100644 --- a/guide/03-the-gis/working-with-different-authentication-schemes.ipynb +++ b/guide/03-the-gis/working-with-different-authentication-schemes.ipynb @@ -483,7 +483,7 @@ "source": [ "from arcgis.gis import GIS\n", "\n", - "# Initialize the Admin session using a local profile\n", + "# Initialize the Admin session\n", "gis_admin = GIS(url=\"your_organization_url\", username=\"your_admin_username\", password=\"your_admin_ password\")" ] }, @@ -514,8 +514,7 @@ ")\n", "\n", "# Retrieve the Client ID (The App's Username) and the Client Secret (The App's Password)\n", - "client_id = apiKeyCredentials.app_info['client_id']\n", - "client_secret=apiKeyCredentials.app_info['client_secret']" + "client_id = apiKeyCredentials.app_info['client_id']" ] }, { @@ -524,7 +523,7 @@ "source": [ "##### 3. Initializing the App Session (App Authentication)\n", "\n", - "Now, we initialize a new GIS object using the client_id. This session is App-authenticated. It does not represent the Admin; it represents the \"API Key Credentials\" app itself." + "Now, we initialize a new GIS object using the `client_id`. This session is App-authenticated. It does not represent the Admin; it represents the \"API Key Credentials\" app itself." ] }, { @@ -534,7 +533,14 @@ "outputs": [], "source": [ "# Authenticate as the App\n", - "gis_app = GIS(url=\"https://arcgis.com\", client_id=client_id, client_secret=client_secret)" + "gis_app = GIS(url=\"https://arcgis.com\", client_id=client_id)" + ] + }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "After running the above cell, it will ask for a token. A browser window will be open up, copy the token from the browser" ] }, { From b074e037c958bc20e03f862896dfb955b48470d3 Mon Sep 17 00:00:00 2001 From: Tarun Kukreja Date: Mon, 9 Mar 2026 13:39:02 -0700 Subject: [PATCH 4/4] updated TokenPrivilege import statement --- .../working-with-different-authentication-schemes.ipynb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/guide/03-the-gis/working-with-different-authentication-schemes.ipynb b/guide/03-the-gis/working-with-different-authentication-schemes.ipynb index af9a28220b..4b623a7462 100644 --- a/guide/03-the-gis/working-with-different-authentication-schemes.ipynb +++ b/guide/03-the-gis/working-with-different-authentication-schemes.ipynb @@ -502,7 +502,7 @@ "metadata": {}, "outputs": [], "source": [ - "from arcgis.gis.admin._stokenmgr import TokenPrivilege\n", + "from arcgis.gis.admin import TokenPrivilege\n", "import datetime as dt\n", "\n", "# Define the restricted sandbox\n", @@ -745,7 +745,7 @@ "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", - "version": "3.13.7" + "version": "3.13.12" }, "toc": { "base_numbering": 1,