Select to view content in your preferred language

Setting bearer token for server in front of ArcGis Portal to download a map

1039
4
Jump to solution
12-13-2023 07:03 AM
padmalcom
Frequent Contributor

Hi, we have a keycloak sitting in front of our ArcGis Portal Server that requires a bearer token for authentication. I found out that I can add a header using ArcGISEnvironment.arcGISHttpClient.addAdditionalRequestHeader()

Adding this token to the HttpClient, allows us to succesfully pass the keycloak, but when the download starts using OfflineMapJob.start() the downloads fails with the following error:

Failure(com.arcgismaps.exceptions.ArcGISAuthenticationException$InvalidTokenException: message=Invalid token., additionalMessage=Failed to load offline map task.
An invalid token was used to access https://myserver/arcgisserver/rest/services/Hosted/myBasemap/VectorTileServer., errorCode=18006)

We tested the code without keycloak and without the additional authentication header and the download worked well before. Hope you can give us a hint on how to set a bearer token successfully.

Edit: We added some logs. It seems that from the definition of the OfflineMapTask, the proxy server is no longer present in any url that accesses the portal or the arcgis server rest inferface (/rest/...). Thus, our app tries to bypass the proxy and directly access the resources on the rest interface and fails for two reasons:

  • The URL cannot be reached, since the proxy is no longer addressed but the hostname behind the proxy.
  • The request contains the bearer token which is assumably interpreted by the rest interface as an arcgis authentication token.

Here is our log where "myproxyserver" is the hostname of our proxy and "myarcgisserver" is the host behind the proxy that we can not reach from our mobile device. The error occurs when the OfflineMapTasks loads.

Portal item url https://myproxyserver/arcgisportal/sharing/rest/content/items/a40be1d3648b4631832e709951111111
2023-12-14 11:48:37.435 8522-8554 DefaultArc...pper$login de.myapp.test D ServerTrust authentication challenge identified...
2023-12-14 11:48:37.530 8522-8593 ArcGIS Maps SDK de.myapp.test I An ArcGIS authentication error occurred when accessing https://myarcgisserver/arcgisserver. An API key or credential may be required. For more information see https://developers.arcgis.com/kotlin/security-and-authentication/.
2023-12-14 11:48:37.574 8522-8556 ArcGIS Maps SDK de.myapp.test I An ArcGIS authentication error occurred when accessing https://myarcgisserver/arcgisserver. An API key or credential may be required. For more information see https://developers.arcgis.com/kotlin/security-and-authentication/.
2023-12-14 11:48:37.629 8522-8555 ArcGIS Maps SDK de.myapp.test I An ArcGIS authentication error occurred when accessing https://myarcgisserver/arcgisserver. An API key or credential may be required. For more information see https://developers.arcgis.com/kotlin/security-and-authentication/.
2023-12-14 11:48:37.650 8522-8593 ArcGIS Maps SDK de.myapp.test I An ArcGIS authentication error occurred when accessing https://myarcgisserver/arcgisserver. An API key or credential may be required. For more information see https://developers.arcgis.com/kotlin/security-and-authentication/.
2023-12-14 11:48:39.917 8522-8593 DownloadMapWorker de.myapp.test D Offline map task failed message=Invalid token., additionalMessage=An invalid token was used to access https://myarcgisserver/arcgisserver/rest/services/Hosted/mybasemap/VectorTileServer., errorCode=18006
2023-12-14 11:48:39.961 8522-8593 DownloadMapWorker de.myapp.test D Offline map job url: https://myproxyserver/arcgisportal/sharing/rest/content/items/a40be1d3648b4631832e709951111111
2023-12-14 11:48:39.963 8522-8556 DownloadMa...onHandling de.myapp.test D download progress is at 0%
2023-12-14 11:48:39.967 8522-8556 DownloadMapWorker de.myapp.test E Map download failed with message message=Invalid token., additionalMessage=Failed to load offline map task.
An invalid token was used to access https://myarcgisserver/arcgisserver/rest/services/Hosted/mybasemap/VectorTileServer., errorCode=18006.

0 Kudos
1 Solution

Accepted Solutions
padmalcom
Frequent Contributor

Hi, thanks for your support. We found out that there is no way on the Kotlin SDK side to solve this issue. We now follow an approach to reconfigure ArcGIS portal and server. We see this issue as solved.

View solution in original post

4 Replies
GuntherHeppner
Esri Contributor

Hi @padmalcom ,

Could you share the key/name of the header you are adding with ArcGISEnvironment.arcGISHttpClient.addAdditionalRequestHeader()

0 Kudos
padmalcom
Frequent Contributor

Hi @GuntherHeppner,  sure we are setting:

ArcGISEnvironment.arcGISHttpClient.addAdditionalRequestHeader(
"Authorization", "Bearer ${authProvider.token}"
)

Edit: To give you a bit more information: Our proxy server removes the bearer token after we have been authenticated against Keycloak. We are pretty sure that the main problem is, that the vector tile server URLs returned by the portal try to bypass our proxy.

0 Kudos
NimeshJarecha
Esri Regular Contributor

Hi @padmalcom ,

I would like to know more about the configuration to narrow down the issue.

1. Apart from proxy in front of ArcGIS server, are there any security setup on ArcGIS Portal and Server? Does it require any additional authentication?

2. Based on log and information provided above seems that ArcGIS server is getting some token, trying to authenticate and fails with invalid token error. Is it possible for you to provide the request parameters and headers used by the request which fails with invalid token error?

3. Is it possible to configure proxy to use some other name of the authorization header? The `Authorization` is a standard header and may conflict with the web adaptor if configured on top of Portal and Server. We use `X-Esri-Authorization` header for our bearer token authentication. So if you can try some other custom name to try to narrow down the issue. 

Regards,

Nimesh

0 Kudos
padmalcom
Frequent Contributor

Hi, thanks for your support. We found out that there is no way on the Kotlin SDK side to solve this issue. We now follow an approach to reconfigure ArcGIS portal and server. We see this issue as solved.