ArcGIS Portal REST: Which token dispenser to use to access secure map services?

12873
10
01-26-2016 09:29 AM
DirkVandervoort
Occasional Contributor II

We are writing a REST application to access AGS map services. We cannot use the ArcGIS JSAPI - everything I do can only use REST verbs (GET, PUT, etc.)

  • We want to access secure map services that are hosted on-premise on ArcGIS Server

  • We have on-premise Portal for ArcGIS Server

  • ArcGIS Server security (User Store, Role Store, Authentication Tier, and Authentication Mode) uses Portal for ArcGIS

To get an Oauth2.0 token I can use this URL:

https://<DOMAIN>/portal/sharing/rest/oauth2/token?grant_type=client_credentials&client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>

Which returns a JSON payload like this:

{"access_token":"fCsz6hbXOsnjfIt1j30HAofVMcu3xEhnsgao2rq4_98xOAlf72oR17LYvj1gydJ7ZYnhzxzU4G-vBWNW_0thHQqSYt-HDuzVenv-v6nws1xkGu6XOI3peobXFobZo5QV6NcglZYF6YiFbMM8MPdE7A..","expires_in":7200}

To get an old-fashioned REST token I can use this URL:

https://<DOMAIN>/portal/sharing/generateToken?f=json&username=<USERNAME>&password=<PASSWORD>&clientip=requestip

Which returns a JSON payload like this:

{"token" : "KfD9KGedbu2lDrBc2umSVv08XDFCsU8HuKU0yBiFoFk375ahReXmcfVBbsGbGr1iotf003H319dG35T-7Q5-c933dWD0dfLPaflTu4QucS4jJ2Zcz0oIprFspEzk78tHky0IeuHswBudKDbebOQISQ..","expires" : 1453833598866,"ssl" : true}

I want to access:

https://<DOMAIN>arcgis/rest/services/SampleWorldCities/MapServer?f=json

In the pre-Portal for ArcGIS days of REST I could use a URL:

https://<DOMAIN>arcgis/rest/services/SampleWorldCities/MapServer?f=json&token=<SOMETOKEN>

where <SOMETOKEN> was obtained from the REST token dispenser.

HOWEVER: neither of the tokens I’ve obtained from the Portal dispenser nor the REST dispenser work. Both return:

{"error":{"code":498,"message":"Invalid Token","details":[]}}

THE QUESTIONS:

  • Which token dispenser do I use?

  • How do I string together a URL that uses a token I have obtain (from the correct source) then I can use to access our secured services?

TIA

10 Replies
JakeSkinner
Esri Esteemed Contributor

Hi Dirk,

How do you have security setup for Portal for ArcGIS?  Are you using built-in, or enterprise logins?

0 Kudos
DirkVandervoort
Occasional Contributor II

Currently built-in, but we are in the process of migrating to enterprise. The credentials I use are the built-ins - which are still enabled.

0 Kudos
JakeSkinner
Esri Esteemed Contributor

I was able to get this working by generating the token using the following URL:

https://<server>/portal/sharing/generateToken

The environment I'm working in is the following:

ArcGIS Server 10.3.1

Portal for ArcGIS 10.3.1

    -Built-in security

    -Federated Server

Below is the python snippet I used to query a service:

import urllib, urllib2, json

username = "portadmin"
password = "portadmin"

tokenURL = 'https://<server>/portal/sharing/generateToken'
params = {'f': 'pjson', 'username': username, 'password': password, 'referer': 'https://<server>'}
req = urllib2.Request(tokenURL, urllib.urlencode(params))
response = urllib2.urlopen(req)
data = json.load(response)
token = data['token']


serviceURL = 'https://<server>/arcgis/rest/services/Airports/MapServer'
params = {'f': 'json', 'token': token}
req = urllib2.Request(serviceURL, urllib.urlencode(params))
response = urllib2.urlopen(req)
data = json.load(response)
print data
DirkVandervoort
Occasional Contributor II

That works for me - thanks Jake. In Javascript as well, when I remove the ClientIP parameter (which I had originally mistyped as "client" - without the IP, which was where the original error was originating) it works as well.

NEXT QUESTION: Our corporate directive is to use entirely ADFS security. When I plug in my enterprise U/P in the above script I get:

{u'error': {u'message': u'Unable to generate token.', u'code': 400, u'details': [u'Invalid username or password.']}}

That same enterprise U/P allows me to log in to Portal for ArcGIS.

Got any hints on how I can use my enterprise login to generate a token?

TIA

JakeSkinner
Esri Esteemed Contributor

Hi Dirk,

I received the same error when I enabled Portal to use enterprise logins.  This may be a bug.  I would recommend following up with Tech Support.

0 Kudos
ScottLarkin
New Contributor III

I to am trying to manage ArcGIS Server services via the REST API using python and also having this issue with a federated environment at version 10.6.1.

 

Do we know if someone has found a resolution to this or still being looked into?

0 Kudos
AkakpoAgbago
Esri Contributor

I am having exactly this same issue with ArcGIS Server 10.4 federated with a Portal for ArcGIS and using its SAML enterprise login to authenticate users.

I can only generate tokens using the Primary Admin Account. Only this works. Any other user fails although those users can login fine directly to the Server or Portal and use their map services without problem.

Generate a token is the problem with any other user than the primary admin account via

https://[server FQDN]/arcgis/admin/generateToken

or

https://[portal FQDN]/arcgis/sharing/generateToken

Is this a bug? and what's the solution or workaround?

Help please. Thanks.screen.png

SzymonPiskula1
New Contributor III

Has anyone been able to programatically generate tokens for SAML users? I am facing similar issues.

0 Kudos
RobertDriessen2
New Contributor III

This is a problem for me as well.

1. Enterprise accounts (ADFS in this case) can't be used to generate a token

2. ArcGIS accounts can be used to generate token

Is there any way to generate a token using an Enterprise account?