Question about token

09-22-2019 10:58 PM
ManviLather
New Contributor II

Hi, 

I am working in a federated environment. I created a token from the portal end: 'https://portal.domain.com/portal/sharing/rest/generateToken/'. Then I clubbed the token with the secured service's REST end using ?token=.

It came up something like this : 

https://gis.com/server/rest/services/Testing/FeatureServer ?token=aaaaaaaaaaaaaaaaaaaaavvvvvvvvvvvvvv.

Now when I try to open the link, it asks me for user name and password.

When I follow the same steps in a non-federated environment, everything works fine.

I am not sure why I am encountering this issue in the federated env.

Any suggestion would be appreciated. 

0 Kudos
5 Replies
JonathanQuinn
Esri Frequent Contributor

How are you generating the token? Using a referer, requestIP, etc? If you're using a referer, you need to send the request with the referer as a header, which is not easily done simply in a browser without an add-in to modify/build the request.

0 Kudos
ManviLather
New Contributor II

1. How are you generating the token? Using a referer, requestIP, etc?

--I am encountering this issue with all three client options: http referer, IP, Request IP in federated env.

When I use the option "http referer", I provide the link of a monitoring app. Something like this: https://app.test.com

2. If you're using a referer, you need to send the request with the referer as a header, which is not easily done simply in a browser without an add-in to modify/build the request ---- Could you please provide me a document on it?

Basically, I want to test secured services with token in a monitoring tool (Uptrends) to check if they are responding properly and then auto generate the task of token creation for the services in such a way that token gets automatically updated in the tool. I am still researching on the task. 

 

0 Kudos
JonathanQuinn
Esri Frequent Contributor

When you generate the token using https://app.test.com, do you send a request to the federated Server with the Referer header set to https://app.test.com?

0 Kudos
ManviLather
New Contributor II

I am passing the parameters in Portal's generate window. 

Result: 

To summarize, 

1. If I append the token to the service URL using ?token, the browser asks me for user name and password

2. If I append the token to the service URL using &token, the following error comes up

{"error":{"code":499,"message":"Token Required","details":[]}}

===========================================================

During my research, I found the following script on geonet for using the referer option:

I understand that by typing the request parameter in the URL, we use the HTTP GET method to obtain the token, however, ArcGIS REST API states that only HTTP POST method is allowed. So the server replies with an error. So for this case we have to use python or HTML etc. But what about the other two options?

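# Python 2 script (urllib2)
import urllib, urllib2, json, ssl

username = "xyz"
password = "xyz"

tokenURL = 'https://testing/portal/sharing/rest/generateToken/'
# generateToken only accepts POST; giving Request a data argument makes urllib2 send a POST
params = {'f': 'pjson', 'username': username, 'password': password, 'referer': 'arcgis.com'}
req = urllib2.Request(tokenURL, urllib.urlencode(params))
try:
    response = urllib2.urlopen(req)
except Exception:
    # Fallback: retry with a context pinned to TLS 1.0.
    # A bare SSLContext like this one does not verify the server certificate.
    gcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
    response = urllib2.urlopen(req, context=gcontext)
data = json.load(response)  # parse the JSON reply from Portal
token = data['token']
print(token)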

The token generated works fine when I append the token using &token=.

Now, I need some clarification on the IP and IP request options. What exactly am I missing? Why does a token created with these two options not work in a federated environment?

Any suggestion would be appreciated. 

0 Kudos
JonathanQuinn
Esri Frequent Contributor

They don't work because Server needs to validate the token via Portal. So:

Your client machine:

  IP address 10.0.0.1

The Server machine:

  IP address 10.0.0.3

The Portal machine:

  IP address 10.0.0.3

If you generate a token using your IP, Server will take that token and ask Portal to validate it, since Portal is controlling the security. The request that Portal receives is not from your machine, but from the Server machine, which has a different IP than your machine. Referrers are the recommended approach in a federated environment.

0 Kudos
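
Added example (not part of the thread, and not Esri's or Uptrends' code): a Python 3 version of the monitoring check discussed above, using a referer-bound token. It requests the token from Portal with client=referer, sends the same value as the Referer header to the federated service, keeps the token in the POST body instead of the URL, and treats a JSON error object such as the 499 above as a failure. The function names and the injectable `opener` are this example's own; the referer value is the one from the thread.

```python
import json
import urllib.parse
import urllib.request

REFERER = "https://app.test.com"  # referer value used in the thread
# Function names below are this example's own, not an Esri API.


def token_request(portal_url, username, password, referer=REFERER, minutes=60):
    """POST to Portal's generateToken, binding the token to a referer."""
    form = {"f": "json", "username": username, "password": password,
            "client": "referer", "referer": referer, "expiration": minutes}
    data = urllib.parse.urlencode(form).encode()
    return urllib.request.Request(portal_url, data=data, method="POST")


def service_request(service_url, token, referer=REFERER):
    """Call the federated service with the referer the token is bound to.

    The token travels in the POST body, so it stays out of URLs and access logs.
    """
    data = urllib.parse.urlencode({"f": "json", "token": token}).encode()
    return urllib.request.Request(service_url, data=data, method="POST",
                                  headers={"Referer": referer})


def parse_reply(body):
    """Return the decoded reply, raising if it carries an ArcGIS error object."""
    reply = json.loads(body)
    if "error" in reply:
        err = reply["error"]
        raise RuntimeError("ArcGIS error %s: %s"
                           % (err.get("code"), err.get("message")))
    return reply


def check_service(portal_url, service_url, username, password,
                  opener=urllib.request.urlopen):
    """One monitoring pass: fresh token, then a request to the service."""
    with opener(token_request(portal_url, username, password)) as resp:
        token = parse_reply(resp.read())["token"]
    with opener(service_request(service_url, token)) as resp:
        return parse_reply(resp.read())
```

Requesting a fresh token on every pass avoids storing a long-lived token in the monitoring tool; credentials should come from the tool's secret store rather than the script.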