OAuth wildcard match on proxy serverUrl

12-04-2015 07:17 AM
PamRichmond
New Contributor III

I am using the .NET proxy for app login on a web application. The proxy.config works if I specify individual URLs. For example:

<serverUrl url="https://myserver/arcgis/rest/services/myname/MapServer"
  clientId="aaa"
  clientSecret="bbb"
  oauth2Endpoint="https://myserver/portal/sharing/rest/oauth2"
  matchAll="true"/>

I would like to use the proxy for multiple services on our server, but using something like this results in invalid tokens being generated:

<serverUrl url="https://myserver/arcgis/rest/services/"
  clientId="aaa"
  clientSecret="bbb"
  oauth2Endpoint="https://myserver/portal/sharing/rest/oauth2"
  matchAll="true"/>

Is it possible to specify this type of "partial" match on the URL using the proxy?

From the documentation:

Add a new <serverUrl> entry for each service that will use the proxy. The proxy.config allows you to use the serverUrl tag to specify one or more ArcGIS Server services that the proxy will forward requests to. The serverUrl tag has the following attributes:

  • url: Location of the ArcGIS Server service (or other URL) to proxy. Specify either the specific URL or the root (in which case you should set matchAll="false").
0 Kudos
10 Replies
RobertScheitlin__GISP
MVP Emeritus

Pam,

    FYI:

IMPORTANT – as of today, 5/21/215, the release version of the proxy.ashx file for .NET and the most recent version of ArcServer do not play well together when token authentication is required. This is because 10.3 requires that token requests are done with a POST. The version above will attempt a GET, resulting in a difficult-to-debug error.

The issue can be found here: https://github.com/Esri/resource-proxy/issues/177

A fix can be found here:  https://github.com/esoekianto/resource-proxy-1/blob/45d9a49b58e3405c08a4f9e7157c491067b66760/DotNet/...

- See more at: http://blogs.esri.com/esri/supportcenter/2015/04/07/setting-up-a-proxy/

Not sure if the above applies to you but using the latest proxy may help.

Also, I use a username and password with tokenServiceUri in your secured serviceUrls:

  • username: Username to use when requesting a token - if needed for ArcGIS Server token based authentication.
  • password: Password to use when requesting a token - if needed for ArcGIS Server token based authentication.
  • tokenServiceUri: If username and password are specified, the proxy will use the supplied token service uri to
0 Kudos
PamRichmond
New Contributor III

Robert, thank you for the response. I am using the latest proxy. The original post was a red herring. I don't think it's the way the serverUrl is specified as much as it is that the clientId and clientSecret don't work. Using the username and password works. Problem is, we generally avoid storing clear text login information in source code, even if the client can't see it. The clientId and clientSecret are more limited in access than a regular account. It seems my issue is related to using an application.

0 Kudos
RobertScheitlin__GISP
MVP Emeritus

Pam,

   Are you registering your production website application url to get your client Id and secret?

0 Kudos
PamRichmond
New Contributor III

Yes, but since it's not working, I'm wondering if it's misconfigured. I'm using Portal for ArcGIS Server 10.3, so I log in to Portal > Add Item > An Application > Web Mapping with URL to the root of my site, Ready to Use, JavaScript API. I then view the item details in Portal and register it. I've tried a number of Redirect URIs, thinking that might be the problem. I've tried the proxy, the page that calls the map, the home page. I've tried sharing with Everyone to eliminate that as an issue. The result is always an invalid token.

0 Kudos
RobertScheitlin__GISP
MVP Emeritus

Pam,

   Have you looked at your web browser's web console to see what URL it is using to request the token?

0 Kudos
PamRichmond
New Contributor III

Robert, it's requesting something like:

https://<mywebserver>/<mysitefolder>/proxy/proxy.ashx?https://<myportalserver>/arcgis/rest/services/...

It does generate a token, but the token is invalid, and I am prompted to login. The account used to create the app is the same account that created the service, so ownership shouldn't be an issue.

0 Kudos
RobertScheitlin__GISP
MVP Emeritus

Pam,

   What I am wondering is if the url that the proxy is using for the actual token request is right. Do you see the actual token request?

0 Kudos
PamRichmond
New Contributor III

Robert, here are the detailed logs:

2015-12-07 08:53:14 https://<myportalserver>/arcgis/rest/services/<myservice>/MapServer?f=json&dpi=96&transparent=true&format=png24&callback=dojo.io.script.jsonp_dojoIoScript1._jsonpCallback
2015-12-07 08:53:15 Matching credentials found in configuration file. OAuth 2.0 mode: True
2015-12-07 08:53:15 Service is secured by https://<myportalserver>/portal/sharing/rest/oauth2/: getting new token...
2015-12-07 08:53:15 Sending request!
2015-12-07 08:53:16  Token obtained: <mytoken1>
2015-12-07 08:53:16  Exchanging Portal token for Server-specific token for https://<myportalserver>/arcgis/rest/services/<myservice>/MapServer...
2015-12-07 08:53:16 Sending request!
2015-12-07 08:53:16  Token obtained: <mytoken2>
2015-12-07 08:53:16 Sending request!
2015-12-07 08:53:16 Renewing token and trying again.
2015-12-07 08:53:16 Matching credentials found in configuration file. OAuth 2.0 mode: True
2015-12-07 08:53:16 Service is secured by https://<myportalserver>/portal/sharing/rest/oauth2/: getting new token...
2015-12-07 08:53:16 Sending request!
2015-12-07 08:53:17  Token obtained: <mytoken3>
2015-12-07 08:53:17  Exchanging Portal token for Server-specific token for https://<myportalserver>/arcgis/rest/services/<myservice>/MapServer...
2015-12-07 08:53:17 Sending request!
2015-12-07 08:53:17  Token obtained: <mytoken4>
2015-12-07 08:53:17 Sending request!

0 Kudos
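Added example (not part of the thread and not Esri's code): a small Python triage script that groups proxy log lines like those posted above by incoming request and separates "no token was issued" from "a token was issued but the service rejected it", which is the pattern the log shows. The sample input is the posted log abridged with its placeholders kept; the function name and verdict labels are this example's own, and the classification is a heuristic based only on the message texts visible above.

```python
import re
# Log lines from the post above, abridged; placeholders kept exactly as posted.
SAMPLE_LOG = """\
2015-12-07 08:53:14 https://<myportalserver>/arcgis/rest/services/<myservice>/MapServer?f=json
2015-12-07 08:53:15 Matching credentials found in configuration file. OAuth 2.0 mode: True
2015-12-07 08:53:15 Service is secured by https://<myportalserver>/portal/sharing/rest/oauth2/: getting new token...
2015-12-07 08:53:16  Token obtained: <mytoken1>
2015-12-07 08:53:16  Exchanging Portal token for Server-specific token for https://<myportalserver>/arcgis/rest/services/<myservice>/MapServer...
2015-12-07 08:53:16  Token obtained: <mytoken2>
2015-12-07 08:53:16 Sending request!
2015-12-07 08:53:16 Renewing token and trying again.
2015-12-07 08:53:17  Token obtained: <mytoken3>
2015-12-07 08:53:17  Exchanging Portal token for Server-specific token for https://<myportalserver>/arcgis/rest/services/<myservice>/MapServer...
2015-12-07 08:53:17  Token obtained: <mytoken4>
2015-12-07 08:53:17 Sending request!
"""

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")

def analyze(log_text):
    """Group log lines per proxied request and classify the token flow."""
    requests, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank or unparsable line
        msg = m.group(2)
        if msg.startswith(("http://", "https://")):  # incoming request opens a group
            cur = {"url": msg.split("?", 1)[0], "oauth": False,
                   "tokens": 0, "exchanges": 0, "renewals": 0}
            requests.append(cur)
        elif cur is None:
            continue  # message before any request line
        elif "OAuth 2.0 mode: True" in msg:
            cur["oauth"] = True
        elif msg.startswith("Token obtained:"):
            cur["tokens"] += 1  # count only; the token value is never stored
        elif msg.startswith("Exchanging Portal token"):
            cur["exchanges"] += 1
        elif msg.startswith("Renewing token"):
            cur["renewals"] += 1
    for r in requests:  # heuristic verdict (labels are this example's own)
        r["verdict"] = ("ok" if not r["renewals"] else
                        "issued-but-rejected" if r["tokens"] else "no-token-issued")
    return requests
```

A verdict of `issued-but-rejected` points the investigation at what the service accepts (app registration, sharing, token exchange) rather than at the token endpoint URL.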
RobertScheitlin__GISP
MVP Emeritus

Pam,

   Well, the token URL looks correct. I don't have much to suggest then. My last suggestion is to try username and password just for testing to see if you can get them to work and then call tech support.

0 Kudos