Portal rest login - invalid redirect_uri

10-12-2021 09:02 AM
Department_of_Communications__
New Contributor III
Hi ArcGIS Enterprise / Portal users, can anybody direct me on this please? I've tried everything I can think of, but I have obviously missed something! If I try to connect to https://MYPORTAL.com/portal/sharing/rest/ and log in, I get redirected to an invalid redirect_uri (see it in the URL below: https://MYPORTAL.com,%20MYINTERNALOADBALANCERNAME.com)
 
 
The correct redirect_uri for this example is https://MYPORTAL.com/portal/sharing/rest/login? but somehow the load balancer address is being added as well. My privatePortalURL and WebContext are correct in the Portal properties. My arcgisonline appid has all the correct addresses it needs, but obviously not the one that has the portal and the load balancer as the address, as it has a comma and space in it and this is not catered for, as well as it not being the correct address. So my question: how can I control this redirect_uri? Is there another config somewhere? How is it produced? I tried IIS URL Rewrite but I couldn't rewrite it. Any ideas please? This affects a Raster Analytics operation on the portal as the oauth2 fails with invalid redirect_uri, amongst other things. Any help on this would be hugely helpful as I'm STUCK. My Portal is fronted by a load balancer, so I wonder if the load balancer could be causing this? It's a simple Apache load balancer spun up by our IT guys.
 
Any help, direction etc.  hugely appreciated..... 
 
Paulg
0 Kudos
11 Replies
mdonnelly
Esri Contributor

Hello,

Is the WebContextUrl value set correctly?

You will need to set this if the url you are trying to access Portal on is different from the machine name, eg if there is a CNAME or alias.

https://enterprise.arcgis.com/en/portal/latest/administer/windows/using-a-reverse-proxy-server-with-...

Regards,
Mark
0 Kudos
JonathanQuinn
Esri Notable Contributor

If you check the network traffic, do you see a 302? If so, what does the Location header return? Sounds like your LB may be updating the Location header incorrectly.

0 Kudos
Department_of_Communications__
New Contributor III

Thanks Jonathan for the reply, that is my suspicion also. We have an Apache load balancer and a reverse proxy, so almost 2 proxies, and I reckon the headers are being joined somewhere en route. I'm sitting down today with our Apache guy who set up the load balancer and the reverse proxy to look at the redirects and the headers and see what we can do.

Spotted this on the Apache site @

under the section Reverse Proxy Request Headers

 

Be careful when using these headers on the origin server, since they will contain more than one (comma-separated) value if the original request already contained one of these headers. For example, you can use %{X-Forwarded-For}i in the log format string of the origin server to log the original clients IP address, but you may get more than one address if the request passes through several proxies.
See also the ProxyPreserveHost and ProxyVia directives, which control other request headers.
Note: If you need to specify custom request headers to be added to the forwarded request, use the RequestHeader directive.
 
 
0 Kudos
Department_of_Communications__
New Contributor III

Hi Jonathan,  

Still working on this issue and I'm at a dead end. We resolved the issue above (partially) by doing a URL rewrite to omit the <comma> <space> <loadbalancer url>, and now my sharing rest login works. However, I feel that this has only resolved the login issue, and the redirects using the headers are causing all Raster Analytics GP tasks to fail (sample error code at the end). I managed to change the redirect_uri by adding ProxyAddHeaders Off and RequestHeader unset X-Forwarded-Host, RequestHeader unset X-Forwarded-For, RequestHeader unset X-Forwarded-Server to the load balancer config. This resulted in the redirect_uri changing to only the internal load balancer address, which is of no use. I was not able to make any difference by changing the public-facing reverse proxy configs, so we opted for the rewrite. So now when I run a Raster Analytics task I get an error that indicates that the response JSON is incorrect or empty? I'm assuming because it's not getting a response, possibly? ** The internal address of the analytics server is being returned in the error. Any ideas please? Is there a way to capture the traffic to diagnose this? I had planned to add some Python output messages in the offending .py files listed below to see a bit more of what was being sent around, but was reluctant until I asked the question.

 


 

Job Status: esriJobFailed

Job Messages:
esriJobMessageTypeInformative: Submitted.
esriJobMessageTypeInformative: Executing...
esriJobMessageTypeInformative: Start Time: Tuesday, October 19, 2021 4:06:17 PM
esriJobMessageTypeInformative: Raster Analytics helper service: https://<MY RASTER ANALYTICS SERVER>:6443/arcgis
esriJobMessageTypeInformative: Failed script BuildOverview...
esriJobMessageTypeError: Traceback (most recent call last):
  File "E:\Program Files\ArcGIS\Server\framework\runtime\ArcGIS\Resources\ArcToolBox\Services\Scripts\BuildOverview.py", line 15, in <module>
    import rasterutils
  File "E:\Program Files\ArcGIS\Server\framework\runtime\ArcGIS\Resources\ArcToolBox\Services\Scripts\rasterutils.py", line 153, in <module>
    RUN_ON_AGOL = isAGOL()
  File "E:\Program Files\ArcGIS\Server\framework\runtime\ArcGIS\Resources\ArcToolBox\Services\Scripts\rasterutils.py", line 143, in isAGOL
    msgjson = r.json()
  File "E:\Program Files\ArcGIS\Server\framework\runtime\ArcGIS\bin\Python\envs\arcgispro-py3\Lib\site-packages\requests\models.py", line 898, in json
    return complexjson.loads(self.text, **kwargs)
  File "E:\Program Files\ArcGIS\Server\framework\runtime\ArcGIS\bin\Python\envs\arcgispro-py3\Lib\json\__init__.py", line 354, in loads
    return _default_decoder.decode(s)
  File "E:\Program Files\ArcGIS\Server\framework\runtime\ArcGIS\bin\Python\envs\arcgispro-py3\Lib\json\decoder.py", line 339, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "E:\Program Files\ArcGIS\Server\framework\runtime\ArcGIS\bin\Python\envs\arcgispro-py3\Lib\json\decoder.py", line 357, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
esriJobMessageTypeError: Failed to execute (BuildOverview).
esriJobMessageTypeInformative: Failed at Tuesday, October 19, 2021 4:06:18 PM (Elapsed Time: 1.19 seconds)
esriJobMessageTypeError: Failed.

 

0 Kudos
MaxBöcke
New Contributor III

Hi

There is the same issue on our system. We raised an IT support issue. They suspect it's an entry (urlrewrite) in our proxy. But there is none in that case. We double-checked it. Otherwise, rewrites would generally have to be made with the DNS alias (in relation to authorization forwarding).

I know we had the issue in 10.8 and found no solution. 

Currently we are on ArcGIS Enterprise 10.9. 

Here is our developer output from the browser:

client_id: arcgisonline
display: default
response_type: code
expiration: 20160
locale: en-us
force_login: true
hideCancel: true
showSignupOption: false
redirect_uri: https://<DNS_ALIAS>, <DNSALIAS>/portal/sharing/rest/login?

It's a comma-separated list which is passed (I sanitised it). Comma and space = ,%20

The first entry is with https added (looks like WebContext), the second without https.

Maybe an upgrade issue? We also need help here. Thanks

Best regards

Max

0 Kudos
Department_of_Communications__
New Contributor III

Hi Max, we are working on this today so I'll update if we have any success.

0 Kudos
rshihab
New Contributor III

Hi

Did you check the following? https://localhost:7443/arcgis/portaladmin/security/oauth/getAppInfo

 


 

 

 

 

Ramla Shihab
0 Kudos
Department_of_Communications__
New Contributor III

Hi, thanks for replying. Yep, I checked this and it's all good, but thanks.

0 Kudos
MaxBöcke
New Contributor III

Hi

we fixed this issue as follows:

<Location /portal>
 RequestHeader unset X-Forwarded-Host
 RequestHeader unset X-Forwarded-Server
</Location>

 

Background:

The first Proxy or LB is used to set the header and add one value. The second Proxy adds a second value:

Reverseproxy 1

↓ X-Forwarded-Host: hostname1

Reverseproxy 2

↓ X-Forwarded-Host: hostname1, hostname2

Reverseproxy N

↓ X-Forwarded-Host: hostname1, hostname2, …,hostnameN

Backend

 

Due to the RequestHeader "unset" directive, the current value will be deleted, thus only one value is received by the backend:

Reverseproxy 1

↓ X-Forwarded-Host: hostname1

Reverseproxy 2

↓ X-Forwarded-Host: hostname1, hostname2

Reverseproxy N (RequestHeader unset X-Forwarded-Host)

↓ X-Forwarded-Host: hostnameN

Backend

 

Same with X-Forwarded-Server Header.

Hope this helps.

Best regards

Max
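
Added example (not part of any post in this thread, and not Esri or Apache code): a small Python model of the header accumulation described above, plus a check for the 302 Location header that reports which host values ended up in redirect_uri. The hostnames, the sample authorize URL and the backend that copies X-Forwarded-Host verbatim are constructed assumptions, modelled on the redirect_uri values quoted in the thread.

```python
from urllib.parse import urlsplit, parse_qs, quote

ALLOWED_HOSTS = {"portal.example.com"}  # constructed public name (WebContextURL host)

def hop(headers, received_host, unset=False):
    """Model one reverse-proxy hop: append the Host it received to X-Forwarded-Host."""
    out = dict(headers)
    if unset:  # models "RequestHeader unset X-Forwarded-Host" on this hop
        out.pop("X-Forwarded-Host", None)
    prior = out.get("X-Forwarded-Host")
    out["X-Forwarded-Host"] = f"{prior}, {received_host}" if prior else received_host
    return out

def backend_location(headers):
    """Assumed backend: builds redirect_uri from X-Forwarded-Host without validation."""
    redirect_uri = f"https://{headers['X-Forwarded-Host']}/portal/sharing/rest/login?"
    return ("https://portal.example.com/portal/sharing/rest/oauth2/authorize"
            "?client_id=arcgisonline&response_type=code"
            "&redirect_uri=" + quote(redirect_uri, safe=""))

def redirect_hosts(location):
    """Return every host value found in the redirect_uri of a Location header."""
    uri = parse_qs(urlsplit(location).query)["redirect_uri"][0]
    authority = uri.split("://", 1)[1].split("/", 1)[0]
    return [h.strip() for h in authority.split(",")]

def redirect_ok(location, allowed=ALLOWED_HOSTS):
    """True only when redirect_uri carries exactly one host and it is an allowed one."""
    hosts = redirect_hosts(location)
    return len(hosts) == 1 and hosts[0] in allowed

# Two hops, no unset: the second hop appends the internal name it was addressed by.
CHAINED = hop(hop({}, "portal.example.com"), "lb.internal.example")
# Unset on the last hop, but that hop was addressed by its internal name.
INTERNAL_ONLY = hop(hop({}, "portal.example.com"), "lb.internal.example", unset=True)
# Unset on the last hop, which received the public name in Host (assumption:
# the earlier hop preserves the client's Host header).
SINGLE_PUBLIC = hop(hop({}, "portal.example.com"), "portal.example.com", unset=True)

if __name__ == "__main__":
    for name, hdrs in [("chained", CHAINED), ("internal only", INTERNAL_ONLY),
                       ("single public", SINGLE_PUBLIC)]:
        loc = backend_location(hdrs)
        print(f"{name:14} hosts={redirect_hosts(loc)} ok={redirect_ok(loc)}")
```

To check a live deployment, pass the Location header copied from the browser's network tab to `redirect_hosts` and compare the result with the redirect addresses registered for the app.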