Esri / arcgis-powershell-dsc

This repository contains scripts, code and samples for automating the install and configuration of ArcGIS (Enterprise and Desktop) using Microsoft Windows PowerShell DSC (Desired State Configuration).
Apache License 2.0

Signing into geoevent manager results in invalid redirect_uri due to portal's arcgisonline oauth app info not containing geoevent's web socket url #378

Open BrendanEsri opened 2 years ago

BrendanEsri commented 2 years ago

Community Note

Module Version

Affected Resource(s)

Configuration Files

# Copy-paste your DSC JSON configurations here - for large configs,
# please use a service like Dropbox and share a link to the ZIP file.
{
    "AllNodes": [{
        "NodeName": "dsc1081drx2.pstransportation.com",
        "Role": [
            "ServerWebAdaptor"
        ],
        "SslCertificates": {
            "Path": "C:\\Software\\wildcard_profservices_geocloud_com.pfx",
            "Password": "REDACTED",
            "CNameFQDN": "dsc1081drx2.pstransportation.com",
            "Target": [
                "WebAdaptor"
            ]
        }
    },
    {
        "NodeName": "gdscgeoeventdrx2.pstransportation.com",
        "Role": [
            "Server"
        ]
    }
    ],
    "ConfigData": {
        "Version": "10.8.1",
        "ServerContext": "geoevent",
        "ServerRole": "GeoEvent",
        "Credentials": {
            "ServiceAccount": {
                "UserName": "REDACTED\\REDACTED",
                "Password": "REDACTED",
                "IsDomainAccount": true
            }
        },
        "SslRootOrIntermediate": [
            {
                "Alias": "DigiCertRoot",
                "Path": "C:\\Software\\DigiCertRoot.cer"
            },
            {
                "Alias": "DigiCertInt",
                "Path": "C:\\Software\\DigiCertInt.cer"
            }
        ],
        "Server": {
            "ExternalLoadBalancer": "DRtesting1081.profservices.geocloud.com",
            "LicenseFilePath": "C:\\Software\\Server_Ent_Adv108.ecp",
            "Installer": {
                "Path": "C:\\Software\\ArcGIS_Server_Windows_1081_175203.exe",
                "InstallDirPython": "C:\\Python27",
                "InstallDir": "C:\\Program Files\\ArcGIS\\Server"
            },
            "ServerDirectoriesRootLocation": "C:\\arcgisserver\\directories",
            "ConfigStoreLocation": "C:\\arcgisserver\\config-store",
            "LocalRepositoryPath": "C:\\arcgisserver\\local",
            "ServerLogsLocation": "C:\\arcgisserver\\logs",
            "PrimarySiteAdmin": {
                "UserName": "siteadmin",
                "Password": "REDACTED"
            }
        },
        "GeoEventServer": {
            "LicenseFilePath": "C:\\Software\\Server_GeoEvent108.prvc",
            "Installer": {
                "Path": "C:\\Software\\ArcGIS_GeoEvent_Server_1081_175242.exe"
            }
        },
        "WebAdaptor": {
            "AdminAccessEnabled": true,
            "Installer": {
                "Path": "C:\\Software\\ArcGIS_Web_Adaptor_for_Microsoft_IIS_1081_175217.exe"
            }
        },
        "Federation": {
            "PortalHostName": "DRtesting1081.profservices.geocloud.com",
            "PortalPort": "443",
            "PortalContext": "portal",
            "PortalAdministrator": {
                "UserName": "siteadmin",
                "Password": "REDACTED"
            }
        }
    }
}

Expected Behavior

Should be able to log in to the web socket URL for Manager, https://gdscgeoeventdrx2.pstransportation.com:6143/geoevent/manager, with a proper redirect to Portal to log in and get a token.

Actual Behavior

When accessing https://gdscgeoeventdrx2.pstransportation.com:6143/geoevent/manager, it shows "invalid redirect_uri".

Steps to Reproduce

With PowerShell DSC, spin up the ArcGIS Enterprise JSON, then spin up the GeoEvent JSON. For some reason the arcgisonline app info doesn't include the web socket URL of the federated GeoEvent server. Once I update the arcgisonline app info with that URL, it works:

Pre modification:
{"appId":"arcgisonline","redirectURIs":["*.profservices.geocloud.com","https://DRtesting1081.profservices.geocloud.com","*.arcgis.com","https://dsc1081drx2.pstransportation.com"]}

Post modification:
{"appId":"arcgisonline","redirectURIs":["*.profservices.geocloud.com","https://DRtesting1081.profservices.geocloud.com","*.arcgis.com","https://dsc1081drx2.pstransportation.com","https://gdscgeoeventdrx2.pstransportation.com"]}

Important Factoids

References

cameronkroeker commented 2 years ago

Hi @BrendanEsri,

The module will update the portal oauth arcgisonline app redirect uri list with the hostname of the federated ServerAdminURL. So in this case since server web adaptor admin access is enabled, and ExternalLoadBalancer is set, the federated ServerAdminURL is likely https://DRtesting1081.profservices.geocloud.com/geoevent, which means the module will add DRtesting1081.profservices.geocloud.com to the portal oauth arcgisonline redirect list. This allows access to ArcGIS Server Manager via https://DRtesting1081.profservices.geocloud.com/geoevent/manager.

However, since ArcGIS GeoEvent Manager is https://gdscgeoeventdrx2.pstransportation.com:6143/geoevent/manager, it will throw an invalid redirect URI error (as you've pointed out). In order to have the module add gdscgeoeventdrx2.pstransportation.com to the portal oauth arcgisonline redirect list, the federated ServerAdminURL would need to be https://gdscgeoeventdrx2.pstransportation.com:6443/arcgis/admin, which can be achieved by either setting the ConfigData.Server.InternalLoadBalancer attribute to gdscgeoeventdrx2.pstransportation.com or disabling admin access on the web adaptor. But this would then result in an invalid redirect URI error when navigating to https://DRtesting1081.profservices.geocloud.com/geoevent/manager.

This is a limitation of the module due to the ArcGIS GeoEvent Server being a special case because it doesn't allow direct access to the manager page via the web adaptor (whereas other federated server roles do allow access via the web adaptor).

In order to support both scenarios the module would need to accept a user defined array of hostnames to add to the oauth redirect list. This is something we could potentially look into in future releases of the module. However, for now the workaround is to manually add the missing hostname(s) to the portal oauth arcgisonline app redirect uri list.

Thanks, Cameron K.
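The manual workaround from Cameron's reply (and the pre/post modification of the arcgisonline app in the original report) can be scripted so it is repeatable and verifiable. The following PowerShell is an added example, not code from the arcgis-powershell-dsc module or from either participant: it obtains a short-lived portal token, reads the built-in arcgisonline OAuth app's redirectURIs through the Portal for ArcGIS sharing REST API, appends the missing entry only if it is absent, and reads the list back to confirm. The default PortalUrl and NewRedirectUri values are taken from the hostnames in the issue and are assumptions; the script file name used in the usage note is also assumed.

```powershell
<#
  Added example (not part of arcgis-powershell-dsc): append a missing hostname to the
  portal's built-in "arcgisonline" OAuth app redirectURIs via the sharing REST API
  (generateToken, oauth2/apps/<appId>, oauth2/apps/<appId>/update).
  Default PortalUrl / NewRedirectUri are assumptions taken from the issue; adjust them.
#>
param(
    [string]$PortalUrl      = 'https://DRtesting1081.profservices.geocloud.com/portal',
    [string]$NewRedirectUri = 'https://gdscgeoeventdrx2.pstransportation.com',
    [Parameter(Mandatory)][pscredential]$PortalAdmin   # portal administrator (e.g. siteadmin)
)

$ErrorActionPreference = 'Stop'
$rest    = "$PortalUrl/sharing/rest"
$headers = @{ Referer = $PortalUrl }

function Invoke-PortalRest {
    # Portal returns HTTP 200 with an "error" object on failure, so check the body, not the status.
    param([string]$Method, [string]$Uri, [hashtable]$Body)
    $params = @{ Method = $Method; Uri = $Uri; Headers = $headers }
    if ($Body) { $params.Body = $Body }
    $resp = Invoke-RestMethod @params
    if ($resp.error) { throw "Portal error $($resp.error.code): $($resp.error.message)" }
    return $resp
}

# 1. Short-lived token bound to the Referer header sent with every request (client=referer).
$token = (Invoke-PortalRest -Method Post -Uri "$rest/generateToken" -Body @{
    username   = $PortalAdmin.UserName
    password   = $PortalAdmin.GetNetworkCredential().Password
    client     = 'referer'
    referer    = $PortalUrl
    expiration = 10          # minutes
    f          = 'json'
}).token

# 2. Read the current list; wrap in @() so a single-entry list still behaves as an array.
$app     = Invoke-PortalRest -Method Get -Uri "$rest/oauth2/apps/arcgisonline?f=json&token=$token"
$current = @($app.redirectURIs)
Write-Host "Current redirectURIs: $($current -join ', ')"

# 3. Idempotent: -contains compares case-insensitively, so re-running is a no-op.
if ($current -contains $NewRedirectUri) {
    Write-Host "'$NewRedirectUri' already present; nothing to do."
    return
}

# 4. Append only the specific origin that is missing. Prefer this to a wildcard such as
#    "*.pstransportation.com", which would let any host under that domain receive OAuth codes.
$updated = @($current + $NewRedirectUri)
$null = Invoke-PortalRest -Method Post -Uri "$rest/oauth2/apps/arcgisonline/update" -Body @{
    redirect_uris = ConvertTo-Json -InputObject $updated -Compress   # JSON array, as the API expects
    f             = 'json'
    token         = $token
}

# 5. Verify by reading the list back instead of trusting the update response alone.
$after = @((Invoke-PortalRest -Method Get -Uri "$rest/oauth2/apps/arcgisonline?f=json&token=$token").redirectURIs)
if ($after -notcontains $NewRedirectUri) {
    throw "Update reported success but '$NewRedirectUri' is not in redirectURIs."
}
Write-Host "Updated redirectURIs: $($after -join ', ')"
```

Run it as, for example, `.\Add-ArcgisonlineRedirectUri.ps1 -PortalAdmin (Get-Credential siteadmin)` from a host that trusts the portal's certificate chain. The entry added is the scheme-plus-host form that appears in the issue's post-modification list, not a wildcard, so the OAuth app only accepts redirects back to the one GeoEvent host that actually needs them; the password is taken from a PSCredential rather than a plain string, and the token expires after ten minutes.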