Solved

ArcGIS Online OAUTH Authorize Issue on FME Server 2017


Badge

Previously we had no issue publishing to FME Server (2016 and earlier) with connections set to access web services on our ArcGIS Online for Organizations account. Now we can't seem to get our "one" ArcGIS Online job to work on FME Server 2017. When it asks us to authorize the connection after upload (Which works just fine on Desktop we simply get an error telling us "Invalid client_id Error:400"

Has anyone else encountered this issue yet? Do you know what the solution to it is?

I'm attaching a copy of the error message and what bothers us is it shows the generic https://www.arcgis.com URL and not our organizational account.

icon

Best answer by rylanatsafe 12 May 2017, 22:31

View original

24 replies

Badge +1

For me it is not possible to replicate your issue, but what I do see in your screendump is a reference to ArcGIS Portal. Are you sure that you are login into ArcGIS Online and not to ArcGIS Portal?

Userlevel 4
Badge +25

Is it a private FME Server - ie not with a DNS entry for the "internet"? I've had this problem before too. OAuth doesn't seem to like it when you are trying to validate connections from a web page that's not a public server. Why you can do the same in an application (like Desktop) or on a public web page, but not a private page, is beyond me.

Anyway, @aaronkoning wrote an article about how to set it up to allow this scenario. You can find it here:

https://knowledge.safe.com/articles/40215/configuring-fme-server-to-use-oauth-based-web-conn.html

Hope it is what you need to get your workspace working again.

Mark

Badge +8

I don't know if it's the same issue that we're having, but I submitted a ticket for it on Friday. In our case we were having an issue with arcgis online role security. Certain permissions allowed us to read/write to AGOL, while others did not. Have you tried it with your own personal account? This is very similar to an issue they fixed in 2016.1 (16673).

Badge +11

@longhornfan - I'm sorry for the inconvenience experienced here..! FME Server 2017 now uses OAuth authentication for AGOL whereas FME Server 2016 used Token. As well, when publishing from FME Desktop to FME Server, we require the user to register the Web Service with their own Application created in the Web Service. (We wouldn't want your workflow to break if we changed e.g. the Secret Password/Key for our App!)

On the developer site for ArcGIS Online, make sure that the Redirect URI specified there matches that when you are adding the Web Service to FME Server 2017. Please see the two screenshots for the locations of where I am entering the URI. Please also note that this is a private FME Server that is not accessible publicly, nor has a public DNS entry (and not a Web Server installed on a public facing machine).

Let us know if this works for you, or if you still encounter the same "Error 400".

@longhornfan - I'm sorry for the inconvenience experienced here..! FME Server 2017 now uses OAuth authentication for AGOL whereas FME Server 2016 used Token. As well, when publishing from FME Desktop to FME Server, we require the user to register the Web Service with their own Application created in the Web Service. (We wouldn't want your workflow to break if we changed e.g. the Secret Password/Key for our App!)

On the developer site for ArcGIS Online, make sure that the Redirect URI specified there matches that when you are adding the Web Service to FME Server 2017. Please see the two screenshots for the locations of where I am entering the URI. Please also note that this is a private FME Server that is not accessible publicly, nor has a public DNS entry (and not a Web Server installed on a public facing machine).

Let us know if this works for you, or if you still encounter the same "Error 400".

@RylanAtSafe where is the 'Redirect URI's' config? I cant seem to find it on arcgis.com for our org.
Badge +11
@RylanAtSafe where is the 'Redirect URI's' config? I cant seem to find it on arcgis.com for our org.

@wesscoggin - Please view this short video

 

ArcGIS.com > Apps > ArcGIS for Developers > Select Application > Authentication (Tab)

 

 

Badge +8

@wesscoggin - Please view this short video

 

ArcGIS.com > Apps > ArcGIS for Developers > Select Application > Authentication (Tab)

 

 

@RylanAtSafe If we are using multiple AGOL accounts, do we need to set up OAuth keys for each account we're writing to, or just set one up for an admin account? Likewise, do we need to setup separate OAuth keys for each FME job we have writing to AGOL, or can we just have 1 for each account?

 

Badge +11
@RylanAtSafe If we are using multiple AGOL accounts, do we need to set up OAuth keys for each account we're writing to, or just set one up for an admin account? Likewise, do we need to setup separate OAuth keys for each FME job we have writing to AGOL, or can we just have 1 for each account?

 

Hi @runneals, that is a great question! I only have access to one AGOL account here at Safe – so I am unable to properly test this..

 

With OAuth Web Services that ship with FME Desktop – including AGOL – Safe Software's 'Client Id' and 'Client Secret' are supplied with FME Desktop. As you may have observed, it doesn't matter what account you connect to.

 

I would assume this same behaviour would apply to FME Server. If you have the opportunity to test, please let us know! :)

 

Badge +8

@wesscoggin - Please view this short video

 

ArcGIS.com > Apps > ArcGIS for Developers > Select Application > Authentication (Tab)

 

 

@RylanAtSafe I was deep diving into the config files on Desktop, and noticed you guys have your own keys for the connection, but say they aren't for production. How do we go about deploying our own keys? Do we need to hard code it in the XML config file, or is there a better place to put it? Short term, it would be nice to have it as a published parameter that can easily be configured. Long term, it would be ideal if customers could configure it during the install process or have a keys tab in the FME options that could easily be configured.
Badge +11
@RylanAtSafe I was deep diving into the config files on Desktop, and noticed you guys have your own keys for the connection, but say they aren't for production. How do we go about deploying our own keys? Do we need to hard code it in the XML config file, or is there a better place to put it? Short term, it would be nice to have it as a published parameter that can easily be configured. Long term, it would be ideal if customers could configure it during the install process or have a keys tab in the FME options that could easily be configured.
@runneals - These Web Connections can be created for your own apps by navigating to FME Options > Web Connections > Manage Services and then selecting to "Create From" (see image).

 

I would leave the XML alone and just use the FME Workbench. You do have some good ideas in your posting that, I think, would find a great home on our Ideas page!

 

 

https://www.screencast.com/t/cszSL3BvODZ

 

 

 

 @longhornfan - I'm sorry for the inconvenience experienced here..! FME Server 2017 now uses OAuth authentication for AGOL whereas FME Server 2016 used Token. As well, when publishing from FME Desktop to FME Server, we require the user to register the Web Service with their own Application created in the Web Service. (We wouldn't want your workflow to break if we changed e.g. the Secret Password/Key for our App!)

On the developer site for ArcGIS Online, make sure that the Redirect URI specified there matches that when you are adding the Web Service to FME Server 2017. Please see the two screenshots for the locations of where I am entering the URI. Please also note that this is a private FME Server that is not accessible publicly, nor has a public DNS entry (and not a Web Server installed on a public facing machine).

Let us know if this works for you, or if you still encounter the same "Error 400".

0684Q00000ArLCFQA3.png

0684Q00000ArLL8QAN.png

Why does the original error message say "Invalid client_id" instead of "Invalid redirect_uri" ? I'm running into the same problem and noticed the URL is passing  

 

client_id=%3Cclient%20id%3E
Shouldn't the client_id be more specific? I noticed that by editing the URL directly I was able to get my OAUTH credentials.
Badge +11
Why does the original error message say "Invalid client_id" instead of "Invalid redirect_uri" ? I'm running into the same problem and noticed the URL is passing  

 

client_id=%3Cclient%20id%3E
Shouldn't the client_id be more specific? I noticed that by editing the URL directly I was able to get my OAUTH credentials.
@justinmatis - That's a good question! I checked with FME Server 2017.1.2 Build 17722 and I received the invalid redirect_uri error for an invalid (non-existing) Redirect URI and invalid client_id for an invalid Client ID, as expected.

 

Now this wouldn't be related to FME Server version as this page is generated by AGOL... and I'll note that I don't see any confirmation from @longhornfan regarding the resolution of this error applicable to the original posting.

 

If you are experiencing a separate issue, please create a new Q&A; Thread or use our Report a Problem form.

For me it is not possible to replicate your issue, but what I do see in your screendump is a reference to ArcGIS Portal. Are you sure that you are login into ArcGIS Online and not to ArcGIS Portal?

I have the identical issue. Error 400, trying to authorise AGOL on FME Server 2017

 

The login always trying to connect to ArcGIS portal

 

Is it a private FME Server - ie not with a DNS entry for the "internet"? I've had this problem before too. OAuth doesn't seem to like it when you are trying to validate connections from a web page that's not a public server. Why you can do the same in an application (like Desktop) or on a public web page, but not a private page, is beyond me.

Anyway, @aaronkoning wrote an article about how to set it up to allow this scenario. You can find it here:

https://knowledge.safe.com/articles/40215/configuring-fme-server-to-use-oauth-based-web-conn.html

Hope it is what you need to get your workspace working again.

Mark

in my opinion server and desktop should work the same, why does one use token and the oauth.

 

 

The above workaround is far too complex, and it should be easier

 

@justinmatis - That's a good question! I checked with FME Server 2017.1.2 Build 17722 and I received the invalid redirect_uri error for an invalid (non-existing) Redirect URI and invalid client_id for an invalid Client ID, as expected.

 

Now this wouldn't be related to FME Server version as this page is generated by AGOL... and I'll note that I don't see any confirmation from @longhornfan regarding the resolution of this error applicable to the original posting.

 

If you are experiencing a separate issue, please create a new Q&A; Thread or use our Report a Problem form.
Now it's working. I never configured the "Manage Web Services" page on the server. The thing that threw me was the difficulty in locating the dialog box in your answer.

 

 

Badge +11
I have the identical issue. Error 400, trying to authorise AGOL on FME Server 2017

 

The login always trying to connect to ArcGIS portal

 

I am not sure why the error pages identify ArcGIS Portal. I'll see if I can find out any information regarding this, and share it here!

 

I can confirm that when I get the Error 400 for invalid client_id or redirect_uri, the ArcGIS Portal text is displayed – and when each error is corrected, respectively, there is no indication of ArcGIS Portal anywhere (and the authorization of the web connection is successful).

 

 

Badge +11
in my opinion server and desktop should work the same, why does one use token and the oauth.

 

 

The above workaround is far too complex, and it should be easier

 

I'm sorry for any confusion regarding Token and OAuth 2.0 based authentication methods. FME Desktop and Server 2016 (and older) use Token, and FME Desktop and Server 2017 (and newer) use OAuth 2.0 for ArcGIS Online.

 

 

Your feedback is also greatly appreciated. It's very helpful for our development team to know where all the pain points and inconveniences with the product lies. I'll make sure to pass this along – and I also think it would be great to create a new idea on our Ideas Exchange that highlights the need for improvement on Web Connection Authorization in FME Server. Creating an idea will allow the FME Community to focus comments and feedback in one location that is more easily trackable by our Product Managers.

 

 

Badge +11
I am not sure why the error pages identify ArcGIS Portal. I'll see if I can find out any information regarding this, and share it here!

 

I can confirm that when I get the Error 400 for invalid client_id or redirect_uri, the ArcGIS Portal text is displayed – and when each error is corrected, respectively, there is no indication of ArcGIS Portal anywhere (and the authorization of the web connection is successful).

 

 

@rudy_v - While I was unable to find a concrete answer, I did find the following note from Esri in the article Understand the relationship between Portal for ArcGIS and an ArcGIS Online subscription.

 

 

"They provide similar functionality [...] and the same API for developers." 
I interpret this to mean that both ArcGIS Online and ArcGIS Portal will have the same error codes and error pages that are used as a prompt for any developer accessing their REST API. If you continue to experience issues configuring FME Server with the ArcGIS Online Web Connection, please contact Safe Support.

@RylanAtSafe - worked for me

register an application at our organisation, receive a client-id and secret key, added the re-direct

working like dream

NOTE: For us we also had to add ArcGIS to the proxy / firewall rules - otherwise it goes nowhere

 

 

For me it is not possible to replicate your issue, but what I do see in your screendump is a reference to ArcGIS Portal. Are you sure that you are login into ArcGIS Online and not to ArcGIS Portal?

I had the error - and we are running FME Server in Private with no Portal. the error relates to arcgis rest-api

 

I solved my problem, by following @RylanAtSafe answer

 

register an app at arcgis developers

 

receive an client-id, secret key and added the re-direct url

@RylanAtSafe - worked for me

register an application at our organisation, receive a client-id and secret key, added the re-direct

working like dream

NOTE: For us we also had to add ArcGIS to the proxy / firewall rules - otherwise it goes nowhere

 

 

@RylanAtSafe i got to work in our test environment, but in production it failed

 

i think proxy issue, desktop work on the server to the same AGOL service

 

 

 

@Mark2AtSafe and @RylanAtSafe

Finally i got the autorize to work for ArcgIS online on FME Server 2017.

Unfortunately FME Server authorise does not go to the proxy server and goes directly to the firewall, where it is completely blocked

We solved this by temporary open internet on the Server, authorize and then close internet again

After authorize, AGOL scripts on server works perfectly

Badge +11

@Mark2AtSafe and @RylanAtSafe

Finally i got the autorize to work for ArcgIS online on FME Server 2017.

Unfortunately FME Server authorise does not go to the proxy server and goes directly to the firewall, where it is completely blocked

We solved this by temporary open internet on the Server, authorize and then close internet again

After authorize, AGOL scripts on server works perfectly

Thank you very much for this followup, @rudy_v – I've flagged your comment here as I think it could be very helpful for other users who encounter this issue.

 

I have Solve this issue and its work with me to know how to fix it , use the below video

https://drive.google.com/file/d/1PpdXgfZxNB5aC3450yd5VYNJ2RjKXFTJ/view?usp=sharing

 

Reply