Forum Discussion
Hi Angela,
Thank you for taking the time to respond. I am reaching out to the ARAS community to see if anyone else has resolved this error.
I have an SI open, but we can't get it resolved. Some background: Aras Support used a copy of our code tree and applied the patch successfully in their environment. We then stepped through applying the R27 patch in our environment (to a working R21 environment), and it fails with this error.
Prior to the upgrade users could sign in with both OpenID and OAuth. No issues.
We have reviewed the Redirect URLs in the OAuth Server configs, but again, the Redirects worked prior to applying R27 patch.
Hello Etienne,
I just had the same issue with a brand new R27 behind a reverse proxy. The front-end URL is using our *aras.com DNS with a trusted certificate whereas on our ARAS Server, we resolve everything as "localhost".
What sorted out our problem was to make sure that the proxy is actually binding on https and not allowing everything without a specific rule. Specifying the https binding allowed OpenID (OIDC library) to get the mandatory information to trust the remote certificate.
A few points for you to check, maybe:
- Make sure you enable https binding (the certificate you use doesn't matter, it can be different from the one used on the reverse proxy)
- into: OAuthserver/Oauth.config, make sure you add in <allowedCorsOrigins> your Domain URL <origin value="https://youDomainDNS" />
- into: OAuthserver/Oauth.config, make sure you add on <redirectUris> and <postLogoutRedirectUris> duplicated lines for localhost with https, so you should have 2 sets of URL for localhost, http (default) and an extra set with localhost/.../.......
- into: OAuthserver/Oauth.config, make sure you have your <redirectUris> and <postLogoutRedirectUris> pointing to your Domain/DNS
- Into InnovatorServerConfig.xml, make sure that <OAuthServerDiscovery><Urls><Url value="https://$[HTTP_HOST_SERVER]$[HTTP_PORT_SERVER]$[HTTP_PATH_SERVER]/OAuthServer/"/> starts with HTTPS like in the example above.
In our case, the issue wasn't coming from ARAS Configuration but from our Proxy configuration.
What helped us to figure out the reason was the "Console" issue raised:
Error: authority mismatch on settings vs. signin state
Hope it helps you.
- edutoit_greatdane_com, 2 years ago, Ideator I
Thank You!! The URLs in the OAUth.config were already set up like you described, but what made the change was changing the OAuthDiscovery to URL. Fix: In InnovatorServerConfig.xml change the URL in the <OauthServerDiscovery> tag from value="https://<domain.com>/InnovatorServer14/OAuthServer"/ to value="https://$[HTTP_HOST_SERVER]$[HTTP_PORT_SERVER]$[HTTP_PATH_SERVER]/OAuthServer/"/> Note: After this was working I also tested <Url value="$[HTTP_PREFIX_SERVER]$[HTTP_HOST_SERVER]$[HTTP_PORT_SERVER]$[HTTP_PATH_SERVER]/OAuthServer/"/> and that works as well.
- Etienne_du_Toit, 2 years ago, Ideator I
But wait there is more.... From Aras Support: Add a '/' to the end of the <OauthServerDiscovery> URL ...value="https://<domain.com>/InnovatorServer14/OAuthServer/"/> I did and that solved the issue as well. Our R27 URL required the trailing '/' and the R21 environment does not. We had the same issue with the upgrade to R26, but that never was resolved and was abandoned afterwards for R27.
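A pre-upgrade check for the two discovery URL conditions reported in this thread (HTTPS scheme, trailing '/'), added here as an example; it is not code from any poster or from Aras. The root element, host names and the function names are assumptions, and the sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real InnovatorServerConfig.xml: the root element
# and host names are placeholders chosen for illustration.
SAMPLE_CONFIG = """
<Innovator>
  <OAuthServerDiscovery>
    <Urls>
      <Url value="https://plm.example.test/InnovatorServer/OAuthServer"/>
      <Url value="http://localhost/InnovatorServer/OAuthServer/"/>
      <Url value="https://$[HTTP_HOST_SERVER]$[HTTP_PORT_SERVER]$[HTTP_PATH_SERVER]/OAuthServer/"/>
      <Url value="$[HTTP_PREFIX_SERVER]$[HTTP_HOST_SERVER]$[HTTP_PORT_SERVER]$[HTTP_PATH_SERVER]/OAuthServer/"/>
    </Urls>
  </OAuthServerDiscovery>
</Innovator>
"""

# Accepted as a scheme because the thread reports this form works; what the
# macro expands to at runtime is not verified by this script.
PREFIX_MACRO = "$[HTTP_PREFIX_SERVER]"


def check_discovery_url(value):
    """Return the list of problems for one <Url value="..."> entry."""
    problems = []
    if not (value.lower().startswith("https://") or value.startswith(PREFIX_MACRO)):
        problems.append("does not start with https:// or " + PREFIX_MACRO)
    if not value.endswith("/"):
        problems.append("missing trailing '/'")
    return problems


def audit_discovery_urls(xml_text):
    """Map each problematic discovery URL to its list of problems."""
    findings = {}
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        # The thread spells the tag both OAuthServerDiscovery and
        # OauthServerDiscovery, so match it case-insensitively.
        if elem.tag.lower() != "oauthserverdiscovery":
            continue
        for url in elem.iter("Url"):
            value = url.get("value", "")
            problems = check_discovery_url(value)
            if problems:
                findings[value] = problems
    return findings


if __name__ == "__main__":
    for value, problems in audit_discovery_urls(SAMPLE_CONFIG).items():
        print(value, "->", "; ".join(problems))
```

To run it against a real file, pass the file's text to `audit_discovery_urls` instead of `SAMPLE_CONFIG`.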