ArcGIS Server 'Invalid Token' from application, using REST API

05-13-2020 05:54 PM
JackSilburn
New Contributor III

Hello.

I am struggling with an issue relating to ArcGIS Server REST API. I believe we are running v 10.6.

My process is:

  1. Create an 'application' in the ArcGIS Server content.
  2. Copy the 'client_id' and 'client_secret' values from this application.
  3. Call the ArcGIS REST API oauth2/token endpoint
  4. Copy the 'access_token' into the ArcGIS REST API /query endpoint
  5. I am receiving an 'invalid token' error code 498.

I have completed this exact process in my organisation's ArcGIS Online platform, with no issues. So I am very perplexed and frustrated that this isn't working.

My token request:

POST /arcgis/sharing/rest/oauth2/token?client_id=XXX&client_secret=XXX&grant_type=client_credentials HTTP/1.1
Host: <domain>:<port>

My query request:

GET /arcgis/rest/services/Hosted/<feature layer name>/FeatureServer/0/query?where=1=1&token=XXX&f=json&outFields=name,device_type HTTP/1.1
Host: <domain>:<port>

If I copy a token from my Chrome browser (f12 debug mode/network tab) I am able to make both requests successfully!!

I am 'admin' on our server and I own both the application and the feature layer.

Any help is appreciated.

Cheers

**update I tried running the /registerApp endpoint (using a browser Token)

I get the following:

"error": {
  "code": 500,
  "message": "Unable to register app.",
  "details": [
    "'redirect_uris' invalid"
  ]
}

I don't know what the purpose of the redirect_uris attribute is; I have tried <domain>:<port> and urn:ietf:wg:oauth:2.0:oob to no effect.

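Added example, not part of the original post and not Esri's code: the two requests above rebuilt in Python with `client_secret` and `token` sent in a form-encoded POST body instead of the URL, a parser that surfaces the JSON `error` object (such as code 498), and a redaction helper for URLs that already carry a token. The host `gis.example.com`, the layer path and all sample values are constructed.

```python
import json
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit
from urllib.request import Request

BASE = "https://gis.example.com:6443/arcgis"   # constructed placeholder host
SECRET_PARAMS = {"token", "client_secret"}     # parameters never to log in clear

class ArcGISError(Exception):
    def __init__(self, code, message, details):
        super().__init__(f"{code}: {message} {details}")
        self.code, self.details = code, details

def _post(url, params):
    # A form-encoded body keeps the parameters out of the request line,
    # so they do not end up in web-server or proxy access logs.
    return Request(url, data=urlencode(params).encode(), method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})

def build_token_request(client_id, client_secret):
    return _post(BASE + "/sharing/rest/oauth2/token",
                 {"client_id": client_id, "client_secret": client_secret,
                  "grant_type": "client_credentials"})

def build_query_request(layer_path, token, where="1=1", out_fields="*"):
    return _post(f"{BASE}/rest/services/{quote(layer_path)}/query",
                 {"where": where, "outFields": out_fields,
                  "token": token, "f": "json"})

def parse_response(body):
    """Return the JSON payload, raising if it carries an 'error' object."""
    payload = json.loads(body)
    if "error" in payload:
        err = payload["error"]
        raise ArcGISError(err.get("code"), err.get("message"),
                          err.get("details", []))
    return payload

def redact_url(url):
    """Mask secret-bearing parameters before a URL is written to a log."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))
```

Each request object can be sent with `urllib.request.urlopen`. Moving the parameters into the body changes where the secrets travel, not what the token is authorised to access.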
8 Replies
VictorTey
Esri Contributor

Hi Jack Silburn, can you provide more information on what you are trying to do after you have received the token? Are you trying to create a web application and provide some sort of authentication mechanism? Have you considered using the ArcGIS JS IdentityManager?

The redirect_uri is a list of valid URIs that are allowed for redirecting when the user has successfully logged in.

For example if you look at

Access ArcGIS Online items using OAuthentication | ArcGIS API for JavaScript 4.15 

and their live example

Access ArcGIS Online items using OAuthentication - 4.15 

When you click on sign in, you will see it redirect the user to the login page for AGOL. In the request you will see the redirect_uri telling AGOL, once the user has successfully signed in, to redirect the user back to the redirect_uri link.

This link HAS TO BE valid and added in your app registration

JackSilburn
New Contributor III

Hi Victor

I am trying to enable my program to automatically update a feature layer (hosted on ArcGIS Server).

From my understanding, and past implementation with ArcGIS Online, I should simply need to:

  1. Create an 'app'
  2. Copy its client ID and secret
  3. Use these to receive an 'access token'
  4. Use the 'access token' in all future actions - i.e. update, delete, query etc.

This appears to be the same issue experienced by these users:

The approach to authenticating REST API requests in AGOL vs ArcGIS Server seems to be different - despite referencing the same documentation. At least in my opinion.

I didn't have to bother with 'redirect URIs' at all with my AGOL implementation.

BenCserepes
New Contributor II

Jack, 

Did you ever find a solution to this? I have a Python script that mines my REST endpoint that has been completely stopped because of this error. Any ideas on how to solve this?

-Ben

JackSilburn
New Contributor III

Hi Ben

From memory, I made the Feature Service 'visible to everyone' and edit permission enabled. This removed the requirement to authenticate requests to the server.

I justified this approach because:

  1. This was a prototype/proof of concept for a web app
  2. The service is only shared within my Org

In the future I would definitely need Auth.

Did you have any luck yourself?

Regards

J

BushtelAdmin
New Contributor III

G'day Jack

Seems to be a popular question on the forum, and not a single answer.

Did you find an answer or does the issue go away with later versions of Enterprise?

We have the issue with 10.6.1

Thanks

BushtelAdmin
New Contributor III

G'day All

And the answer, from our local support, to our specific use case:

After reviewing your case and undertaking some research, unfortunately it appears that this functionality is not available using App Login to access Feature Services via ArcGIS Enterprise. In the documentation you have listed below please see the last sub heading 'Available content and services' which lists what you can access using App Login.

Another related bit of documentation is 'Limitations of App Login' found here - https://developers.arcgis.com/documentation/core-concepts/security-and-authentication/limitations-of...

Your use case has been submitted by other Esri customers as an enhancement to be made to the ArcGIS Enterprise product:

ENH-000117119 - 'Provide an ability to use the token generated using client id and client secret of a web application to access a feature service in ArcGIS Enterprise.'

Mind you, we did set the service to public as a test and it still failed. Keeping the service as public was not an option anyways.

Regards

JackSilburn
New Contributor III

Hello

I guess that settles it then - I wonder when/if the enhancement will be pushed through...

As I mentioned to another user above, I ended up making the service public, with edit permissions enabled. It's peculiar that it did not work for you still.

I would either need to figure out another method of authenticating, or move my app to my Org's ArcGIS Online platform, where the auth issue is not present.

P.S. It's a small world - I reckon we live in the same state!

BushtelAdmin
New Contributor III

G'day Jack

Have a look at:

Working with different authentication schemes | ArcGIS for Developers 

Specifically Non-Interactive Login Experience.

This was changed with the last release of arcpy

Previously it was suggested to add username and password to the Interactive example.

PS or Territory

We are thinking of (re)starting a 'usergroup' and if interested drop us an email.

Regards