Missing user profile in response from identity server.

03-11-2022 01:21 PM
pocalipse
New Contributor III

Hi

I'm trying to use KeyCloak as an external OpenID Connect authentication server for our internal ArcGIS Portal. Everything is connected, but when I log in and get redirected back to ArcGIS Portal I always get this error:

Did not receive 'user profile' parameter from the provider.

It seems that ArcGIS Portal doesn't call the user info endpoint so how do I fix this?

Best regards
Jens Christiansen

Scott_Tansley
MVP Regular Contributor

So I'm not an expert on SAML2 and I've only worked with ADFS, OKTA and Azure AD. That said, the 'Required Information' (Configure a SAML-compliant identity provider with a portal—Portal for ArcGIS | Documentation for Arc...) for a SAML2 exchange between an IdP and ArcGIS Enterprise as an SP is quite light. Only the NameID is really required, which is often in the form of the email address.

Azure AD "just works" as the email is key to everything, but ADFS needs the admin to choose the right properties to send through configuration.  It may be that an incorrect property is being sent as the NameID.

That's probably as much as I've got on the subject, but take a look at what's being sent. It sounds like Enterprise is expecting an email and getting something in another form like [domain\user].


Scott Tansley
https://www.linkedin.com/in/scotttansley/
pocalipse
New Contributor III

Hi Scott

Thanks for your reply and the SAML2 link.

However, I'm trying to use the OpenID Connect login, but ArcGIS Portal just calls the authenticate endpoint; I log in at the identity server and am then redirected back to ArcGIS Portal, just to get notified that the user profile is missing.

The JWT returned is quite simple, and I guess ArcGIS Portal should call the user info endpoint of my identity server to retrieve the information, but it doesn't!

Best regards
Jens Christiansen

essamadelali
New Contributor II

Hi @pocalipse, have you managed to solve this issue? I am having the same issue on ArcGIS Enterprise version 10.9.1 (2 HA portals + 2 federated servers, one hosted server & the other a notebook server).

Note: "Send access token in the header" is On.

Any suggestion?

pocalipse
New Contributor III

Hi @essamadelali

Unfortunately not!
However, I currently have an open support issue with Esri and I'm hoping they will come back with a solution very soon. If and when they do I will gladly provide you the solution 🙂

essamadelali
New Contributor II

Hi @pocalipse, have you received any updates from ESRI with regard to the support ticket you have opened?

This issue is driving me crazy. I have been testing on another environment, and it worked! Details as follows.

The other environment is a testing one (2 HA portals, but there are no federated servers). I have used the exact same Keycloak configuration for both environments. However, in my production environment, which I have written about before (2 HA portals + 2 federated servers, one hosted server & the other a notebook server), it does not work!

I have been trying to test and eliminate some doubts related to Keycloak, trying to understand where exactly the error stems from.

Keycloak side:

I have tried to connect to the Keycloak APIs directly without any intervention from the portal; the results were good and eliminated the possibility of having issues related to Keycloak's requests/responses (production).

I have tried to generate a token as follows:

curl -L -X POST 'https://<KEYCLOAK_SERVER>/realms/.../protocol/openid-connect/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=<CLIENT_ID>' \
--data-urlencode 'client_secret=<CLIENT_SECRET>' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=<USERNAME>' \
--data-urlencode 'password=<MY_PASSWORD>' \
--data-urlencode 'scope=openid address web-origins roles email phone profile microprofile-jwt offline_access' \
--data-urlencode 'totp=<OTP_FROM_ANY_MOBILE_AUTHENTICATOR>'

It responded correctly with an access_token.
Then I used that access_token to call the /userinfo API as follows:

curl -L -X GET 'https://<KEYCLOAK_SERVER>/realms/.../protocol/openid-connect/userinfo' \
-H 'Authorization: Bearer <GENERATED_TOKEN>'

It responded correctly with my user profile.

Portal side:

I have traced the OpenID Connect traffic; there are 3 main requests, as follows:

First: Portal requests: oidc authorize >> sets the redirect URL to Keycloak to request the code

originator: "https://<PORTAL>/arcgis/sharing/rest/oauth2/oidc/.../authorize",
redirectURL: {
baseURL: "https://<KEYCLOAK_SERVER>/realms/.../protocol/openid-connect/auth?redire...",
redirect_uri: "https://<PORTAL>/arcgis/sharing/rest/oauth2/oidc/.../signin",
client_id: "<CLIENT_ID>",
scope: "openid address web-origins roles email phone profile microprofile-jwt offline_access",
response_type: "code",
state: "xxxxxxxxxxxxx"
},

Second: Keycloak requests: authenticate with user password or OTP >> sets the redirect URL to Portal with code, state & session_state

originator: "https://<KEYCLOAK_SERVER>/realms/.../login-actions/authenticate?session_code=xxxxxxxxxxxxxxxxxxxxxx&execution=xxxxxxxxxxxxxxxx&client_id=<CLIENT_ID>&tab_id=xxxxxx",
redirectURL: {
baseURL: "https://<PORTAL>/arcgis/sharing/rest/oauth2/oidc/...",
state: "xxxxxxxxxxxxxxxx",
session_state: "xxxxxxxxxxxxxxxx",
code: "xxxxxxxxxxxxxxxxxxxxxxx"
},
Third: Portal requests: oidc signin with code, state & session_state >> sets the redirect URL to the Portal account switcher with access_token

originator: "https://<PORTAL>/arcgis/sharing/rest/oauth2/oidc/.../signin?state=xxxxxxxxxxxxxxx&session_state=xxxxxxxxxxxxxxx",
redirectURL: {
baseURL: "https://<PORTAL>/arcgis/home/accountswitcher-callback.html#access_token=XXXXXXXX"
}

This ☝ is the successful flow captured from the testing environment (2 HA portals). I have traced the production requests as well, and everything is being sent correctly (redirect_uri, client_id, code, state, session_state), but unfortunately the third request does not return an access_token; instead it returns the user profile error: Did not receive 'user profile' parameter from the provider.

I don't know what's wrong with the production environment, is it because of the fact of having federated servers!

I believe I will open a support ticket as well!

--
Thanks,
Essam
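Added example, not from this thread and not Esri's or Keycloak's code: a small offline diagnostic for the three-step code flow traced above and for the curl checks earlier in the post. It decodes an ID token payload (without signature verification, for inspection only), merges it with a /userinfo response, and lists which standard OIDC profile claims the relying party could have built a user profile from; it also builds the authorize URL with a fresh random state and refuses a callback whose state does not match. Hostnames, client id and the token are constructed placeholders, and the claim list is the usual set released by the 'profile' and 'email' scopes, not a statement of what ArcGIS Portal requires.

```python
import base64
import json
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Claims a relying party usually builds a user profile from; the 'profile' and
# 'email' scopes in the traced authorize request are what release most of them.
PROFILE_CLAIMS = ("sub", "preferred_username", "name", "given_name",
                  "family_name", "email")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned JWT (alg 'none') for offline inspection only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWS without checking its signature.
    Inspection only: a real relying party must verify the signature against the
    issuer's JWKS (and check iss, aud, exp) before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def missing_profile_claims(id_token: str, userinfo: Optional[dict] = None) -> list:
    """Profile claims absent from both the ID token and the /userinfo response."""
    present = set(decode_payload(id_token))
    if userinfo:
        present |= set(userinfo)
    return [c for c in PROFILE_CLAIMS if c not in present]


def build_authorize_url(issuer: str, client_id: str, redirect_uri: str, scope: str):
    """First leg of the traced flow: authorize request carrying a fresh random state."""
    state = secrets.token_urlsafe(16)
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "response_type": "code", "scope": scope, "state": state})
    return f"{issuer}/protocol/openid-connect/auth?{query}", state


def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Second leg: accept the authorization code only if the state we issued comes back."""
    params = parse_qs(urlparse(callback_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or a stale login attempt")
    return params["code"][0]


if __name__ == "__main__":
    # Constructed sample: a minimal ID token, then a /userinfo response that fills in the rest.
    issuer = "https://KEYCLOAK_SERVER/realms/EXAMPLE_REALM"  # placeholder issuer
    token = make_unsigned_token({"iss": issuer, "aud": "CLIENT_ID", "sub": "1234",
                                 "preferred_username": "jdoe"})
    userinfo = {"sub": "1234", "email": "jdoe@example.invalid", "name": "J. Doe",
                "given_name": "J.", "family_name": "Doe"}
    print("missing from ID token alone:", missing_profile_claims(token))
    print("missing after /userinfo    :", missing_profile_claims(token, userinfo))
    url, state = build_authorize_url(
        issuer, "CLIENT_ID",
        "https://PORTAL/arcgis/sharing/rest/oauth2/oidc/signin", "openid profile email")
    print("code:", code_from_callback(f"https://PORTAL/cb?state={state}&code=abc", state))
```

To use it against a real trace, paste the id_token from the token response into decode_payload and the /userinfo JSON into missing_profile_claims; an empty list after the merge means the IdP did release a full profile, which narrows the problem to whether the relying party ever fetched /userinfo or which claim it keys on.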