Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Compatilibity with Orchestrator on-prem v2023.10.6 #136

Closed
J0ska opened this issue Jan 9, 2025 · 8 comments
Closed

Compatilibity with Orchestrator on-prem v2023.10.6 #136

J0ska opened this issue Jan 9, 2025 · 8 comments

Comments

@J0ska
Copy link

J0ska commented Jan 9, 2025
edited by thschmitt
Loading

Hi,
I am trying to connect with this tool to Orchestrator on-prem v2023.10.6
I set-up everything accordingly to use "Client Credentials" authentication method.
I set-up the external application scope according notes in issue #86.
Still I can't connect.

Config file looks like follows:

profiles:
- name: default
  organization: default
  tenant: default
  uri: https://orchestrator.***.com
  auth:
    clientId: 3ef87e83-3a3e-436c-82ba-7246f7e2c1be
    clientSecret: <redacted>

First I am getting "UnsupportedApiVersion" error.

Z:\>uipath orchestrator users get
Error retrieving bearer token: Token service returned status code '405' and body '{"error":{"code":"UnsupportedApiVersion","message":"The HTTP resource that matches the request URI 'https://orchestrator.***.com/identity_/connect/token' does not support HTTP method 'POST'.","innerError":null}}'

After adding "--identity-uri" option I am getting just some garbage:

Z:\>uipath orchestrator users get --identity-uri https://orchestrator.***.com/identity

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <meta name="description" content="" />
    <meta name="author" content="" />
    <meta name="referrer" content="no-referrer" />

Is Orchestrator on-prem v2023.10.6 supported?
If yes, any idea what I am doing wrong?

Thx
Josef

P.S. I tested the same in Orchestrator cloud and it works indeed.

P.P.S. I tested the "uipath orchestrator users get" command wiht the "--debug" option and I can see that the URL of HTTP GET command is wrong (for my on-prem environment)
GET https://orchestrator.***.com/default/default/orchestrator_/odata/Users
as it contains organization and tenant and "orchestrator_"
Valid HTTP GET (for my on-prem environment) is without it
GET https://orchestrator.***.com/odata/Users
@thschmitt
Copy link
Collaborator

Yeah, 23.10 should work. Could you try out adding a / at the end of the Uri which should omit the org and tenant?

e.g.

profiles:
- name: default
  organization: default
  tenant: default
  uri: https://orchestrator.***.com/
  auth:
    clientId: 3ef87e83-3a3e-436c-82ba-7246f7e2c1be
    clientSecret: <redacted>
    uri: https://orchestrator.***.com/identity

@J0ska
Copy link
Author

J0ska commented Jan 13, 2025

Bingo! It works like a charm.
It might be worth adding this detail into readme.
Thx

@rorobig
Copy link

rorobig commented Feb 4, 2025
edited
Loading

I'm having the same issue, but in my case using the --debug option doesn't show me more output so I can further debug.
I also tried with the environment variable, but that doesn't work either.

We are running version 24.10.0

uipath orchestrator users get  --debug
Error retrieving bearer token: Token service returned status code '405' and body '{"error":{"code":"UnsupportedApiVersion","message":"The HTTP resource that matches the request URI 'https://uipath.com/identity_/connect/token' does not support HTTP method 'POST'.","innerError":null}}'

If i try the suggestion from @thschmitt , i get :

Error retrieving bearer token: Token service returned status code '400' and body '{"error":"invalid_scope"}'

@J0ska
Copy link
Author

J0ska commented Feb 5, 2025

We are running version 24.10.0

I tested with 24.10.* both on-prem and cloud. Both work okay. I propose to double check settings of Orchestrator and CLI client ("uipath config")

@thschmitt
Copy link
Collaborator

invalid_scope means that the scopes on your external application are misconfigured. Please check that the scopes on your application are correct:

  • If you are using non-confidential applications make sure you only assign user scopes. Non-confidential applications cannot access application scopes.
  • If this is a confidential application, you can switch to the Application Scope tab to grant application-level permissions for the selected resource

But most likely you ran into a limitation where the application has too many scopes assigned and the identity server rejects generating an auth token.

If you try to execute uipath orchestrator users get you only need the OR.Users.Read scope.

Could you try to create a new confidential application and only assign the OR.Users.Read scope from the Application scope(s) tab:

Image

Managing external OAuth applications

@rorobig
Copy link

rorobig commented Feb 6, 2025

Thank you, that was indeed the fix. We are planning to run much more with this cli tooling tho, is there anyway I can check which scopes are needed for my jobs to function seeing how adding all the scopes breaks the API?

@thschmitt
Copy link
Collaborator

The scopes are documented for most APIs. You can either look at the help output for the command:

uipath orchestrator users get --help

or you can also look at the online documentation:

https://uipath.github.io/uipathcli/#/orchestrator/users/get

Thank you for the feedback! We definitely need to improve the error messages and documentation for these permissions.

@rorobig
Copy link

rorobig commented Feb 6, 2025

Thanks! Those tips are useful :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rorobig @J0ska @thschmitt