We are writing a REST application to access AGS map services. We cannot use the ArcGIS JSAPI - everything I do can only use REST verbs (GET, PUT, etc.)
• We want to access secure map services that are hosted on-premise on ArcGIS Server
• We have on-premise Portal for ArcGIS Server
• ArcGIS Server security (User Store, Role Store, Authentication Tier, and Authentication Mode) uses Portal for ArcGIS
To get an OAuth 2.0 token I can use this URL:
https://<DOMAIN>/portal/sharing/rest/oauth2/token?grant_type=client_credentials&client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>
Which returns a JSON payload like this:
{"access_token":"fCsz6hbXOsnjfIt1j30HAofVMcu3xEhnsgao2rq4_98xOAlf72oR17LYvj1gydJ7ZYnhzxzU4G-vBWNW_0thHQqSYt-HDuzVenv-v6nws1xkGu6XOI3peobXFobZo5QV6NcglZYF6YiFbMM8MPdE7A..","expires_in":7200}
To get an old-fashioned REST token I can use this URL:
https://<DOMAIN>/portal/sharing/generateToken?f=json&username=<USERNAME>&password=<PASSWORD>&clientip=requestip
Which returns a JSON payload like this:
{"token" : "KfD9KGedbu2lDrBc2umSVv08XDFCsU8HuKU0yBiFoFk375ahReXmcfVBbsGbGr1iotf003H319dG35T-7Q5-c933dWD0dfLPaflTu4QucS4jJ2Zcz0oIprFspEzk78tHky0IeuHswBudKDbebOQISQ..","expires" : 1453833598866,"ssl" : true}
I want to access:
https://<DOMAIN>arcgis/rest/services/SampleWorldCities/MapServer?f=json
In the pre-Portal for ArcGIS days of REST I could use a URL:
https://<DOMAIN>arcgis/rest/services/SampleWorldCities/MapServer?f=json&token=<SOMETOKEN>
where <SOMETOKEN> was obtained from the REST token dispenser.
HOWEVER: neither of the tokens I’ve obtained from the Portal dispenser nor the REST dispenser work. Both return:
{"error":{"code":498,"message":"Invalid Token","details":[]}}
THE QUESTIONS:
• Which token dispenser do I use?
• How do I string together a URL that uses a token I have obtained (from the correct source) that I can then use to access our secured services?
TIA
Hi Dirk,
How do you have security set up for Portal for ArcGIS? Are you using built-in, or enterprise logins?
Currently built-in, but we are in the process of migrating to enterprise. The credentials I use are the built-ins - which are still enabled.
I was able to get this working by generating the token using the following URL:
https://<server>/portal/sharing/generateToken
The environment I'm working in is the following:
ArcGIS Server 10.3.1
Portal for ArcGIS 10.3.1
-Built-in security
-Federated Server
Below is the python snippet I used to query a service:
import urllib, urllib2, json

username = "portadmin"
password = "portadmin"

# Request a token from Portal; passing a data argument makes urllib2 send a POST
tokenURL = 'https://<server>/portal/sharing/generateToken'
params = {'f': 'pjson', 'username': username, 'password': password, 'referer': 'https://<server>'}
req = urllib2.Request(tokenURL, urllib.urlencode(params))
response = urllib2.urlopen(req)
data = json.load(response)
token = data['token']

# Query the secured service, passing the token along with the request
serviceURL = 'https://<server>/arcgis/rest/services/Airports/MapServer'
params = {'f': 'json', 'token': token}
req = urllib2.Request(serviceURL, urllib.urlencode(params))
response = urllib2.urlopen(req)
data = json.load(response)
print data
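The token flow from the answer above, written for Python 3 as an added example (not code from the thread): credentials and the token travel in the POST body rather than the query string, error objects such as the 498 quoted earlier are detected in the JSON body, and both expiry formats shown in the question are decoded. The host gis.example.com, the helper names, and the assumption that the server compares the Referer header with the token's referer are assumptions of this example.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

class ArcGISError(Exception):
    """Raised when a response body carries an "error" object."""
    def __init__(self, code, message, details):
        super().__init__("%s: %s %s" % (code, message, details))
        self.code, self.message, self.details = code, message, details

def build_token_request(portal_url, username, password, referer):
    """POST to generateToken so the credentials stay out of the URL and logs."""
    body = urllib.parse.urlencode({"f": "json", "username": username,
                                   "password": password, "referer": referer})
    url = portal_url.rstrip("/") + "/sharing/generateToken"
    return urllib.request.Request(url, data=body.encode("ascii"), method="POST")

def build_service_request(service_url, token, referer):
    """POST the token in the body; send the Referer it was issued for
    (assumption: the server compares this header with the token's referer)."""
    body = urllib.parse.urlencode({"f": "json", "token": token})
    return urllib.request.Request(service_url, data=body.encode("ascii"),
                                  headers={"Referer": referer}, method="POST")

def parse_response(raw):
    """Return the decoded JSON, raising if it is an error object (e.g. 498)."""
    data = json.loads(raw)
    if "error" in data:
        err = data["error"]
        raise ArcGISError(err.get("code"), err.get("message"), err.get("details", []))
    return data

def token_expiry(data, now=None):
    """generateToken's "expires" is epoch ms; OAuth's "expires_in" is seconds."""
    if "expires" in data:
        return EPOCH + timedelta(milliseconds=data["expires"])
    return (now or datetime.now(timezone.utc)) + timedelta(seconds=data["expires_in"])

# Constructed sample bodies shaped like the responses quoted in this thread;
# gis.example.com and the credentials below are placeholders (assumptions).
SAMPLE_TOKEN = '{"token": "EXAMPLE-TOKEN", "expires": 1453833598866, "ssl": true}'
SAMPLE_498 = '{"error": {"code": 498, "message": "Invalid Token", "details": []}}'

if __name__ == "__main__":
    req = build_token_request("https://gis.example.com/portal", "user", "s3cret",
                              "https://gis.example.com")
    print(req.get_method(), req.full_url, token_expiry(parse_response(SAMPLE_TOKEN)))
```

Pass either request object to `urllib.request.urlopen` and feed the body it returns to `parse_response`.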
That works for me - thanks Jake. In JavaScript as well, when I remove the ClientIP parameter (which I had originally mistyped as "client" - without the IP, which was where the original error was originating) it works as well.
NEXT QUESTION: Our corporate directive is to use entirely ADFS security. When I plug in my enterprise U/P in the above script I get:
{u'error': {u'message': u'Unable to generate token.', u'code': 400, u'details': [u'Invalid username or password.']}}
That same enterprise U/P allows me to log in to Portal for ArcGIS.
Got any hints on how I can use my enterprise login to generate a token?
TIA
Hi Dirk,
I received the same error when I enabled Portal to use enterprise logins. This may be a bug. I would recommend following up with Tech Support.
I too am trying to manage ArcGIS Server services via the REST API using Python and am also having this issue with a federated environment at version 10.6.1.
Do we know if someone has found a resolution to this, or is it still being looked into?
I am having exactly this same issue with ArcGIS Server 10.4 federated with a Portal for ArcGIS and using its SAML enterprise login to authenticate users.
I can only generate tokens using the Primary Admin Account. Only this works. Any other user fails although those users can login fine directly to the Server or Portal and use their map services without problem.
Generating a token is the problem with any other user than the primary admin account via
https://[server FQDN]/arcgis/admin/generateToken
or
https://[portal FQDN]/arcgis/sharing/generateToken
Is this a bug? And what's the solution or workaround?
Help please. Thanks.
Has anyone been able to programmatically generate tokens for SAML users? I am facing similar issues.
This is a problem for me as well.
1. Enterprise accounts (ADFS in this case) can't be used to generate a token
2. ArcGIS accounts can be used to generate a token
Is there any way to generate a token using an Enterprise account?