how to generate correct token for a federated Enterprise service

Hi @ZachBray thanks for responding. This is really my first time working with Enterprise closely, and I myself don't personally have access to the system, so I'm just trying to understand how this is all supposed to work. I believe they've already configured authentication on the "registered" layer coming from this other server, but I am not very familiar with the mechanics. 

Should each server need its own token? Or even if it "shouldn't", might it in this type of case? _Is_ there a way through the REST API to call generateToken for a federated server?

Thanks, yeah, actually I tried OAuth initially. Pretty much exactly following the documentation found in https://developers.arcgis.com/esri-leaflet/authentication/oauth2/ That was able to successfully generate a token, but that token was not accepted by any of the map service layers, even the ones hosted on the same server that the users were logging into with the Portal. And the error was the same one I'm seeing now - an HTTP 401 Unauthorized, which is different from the usual "498 Invalid Token" error I've seen in other cases where I was not passing a correct token.

That was already surprising, which sent me down this path of trying to calling generateToken, which does seem to work for the internal layers. I now confirmed from my customer see that the layers that are failing now are actually NOT federated, I misunderstood this earlier.

So I guess my new question is: given a non-federated registered layer with an address like:

https://gisweb1.customerdomain.com/customerportal/sharing/servers/someserverid/rest/services/Layer_N...

What endpoint should I be calling to generate the token, given an existing token I already got from 

https://gisweb1.customerdomain.com/customerportal/sharing/rest/generateToken

Thanks for your help. Unforunately that doesn't seem to quite match what I'm seeing, which are layers with addresses that look like 

https://gisweb1.domain.com/portal/sharing/servers/someserverid/rest/services/Layer_Name/FeatureServe...

I'm not familiar with this "servers/<serverid>" thing and the only documentation I can find on it seems to be specific to the ArcGIS Server Administration API, which is not what I'm trying to use here.

I hope you can access the ArcGIS Developers site, here is a link to a different generateToken: https://developers.arcgis.com/rest/services-reference/enterprise/generate-token.htm

This gets the token from a ArcGIS Server vs a ArcGIS Portal.  The call looks like https://<host>:<port>/<site>/tokens/generateToken this is POST only.  Without knowing the setup of ArcGIS Servers and Portals it is hard to say exactly what your call would be.  the <host> would refer to the fully qualified domain name, machine name and domain name of the ArcGIS Server you want to connect to.  A default install of ArcGIS Server would use port 6443.  The default site is probably arcgis.  Putting it together something like https://server_machine_name.domain.com:6443/arcgis/tokens/generateToken .

The "portal" in your example URL does not really match up with this generateToken.  I would have expected to have a federated server with "portal" in the URL.  That is the only way I am aware of to publish services to a ArcGIS Portal.

You had mentioned that you had followed the OAuth example.  One thing that tripped me up was I used a response_type=code instead of response_type=token.  When I tried to pass back the "code" I received, I got the same HTTP 401 Unauthorized you mention.  If you followed everything exactly from the link you provided this should not be the problem.

Good luck

Thanks, that at least gives me a direction to look in. And I had not really considered the "response_type=code" idea either. That's pretty intriguing. I might give that another try as well.