We have an application running at a customer's site that accesses a privileged feature service on the customer's ArcGIS Enterprise portal. For other customers, and with our own local portal, this kind of access works fine. But for this particular customer, when we attempt to access their feature service, we receive error 498, "Invalid Token".
We generate a token by calling /portal/sharing/generateToken (not /portal/sharing/rest/generateToken).* In this particular flow (non-SSO), we are relaying the client's credentials,** and we're specifying a "client" parameter of "requestip". (In our tests against our own portal, "requestip" has surprisingly no effect on the validity of the token when used from any other IP, but I mention it specifically because we're worried about it here.) They successfully get a valid token from their portal.
When they use that token with their feature service at /server/rest/services/Hosted/<name>/FeatureServer, they get an "Invalid Token" error.
Can anyone suggest why? Could it be that we're using the deprecated endpoint (although either works locally)? Using client "requestip" (although it has no effect with our tests)? Federated/hosted server gotchas (maybe?)?
We'd be grateful for advice.
*Apparently, the endpoint /portal/sharing/generateToken has been deprecated. We wonder about the risk of switching to include /rest/ with our customer base.
**Validated as having access to the service, and seemingly corroborated by the fact that we're getting "Invalid Token" and not a 403 "You do not have permissions."