Authority Mismatch on Settings vs. signin state after upgrading from R21 to R27

My R21 environment (dev) had no issues prior to applying the R27 patch. Can't get this resolved. Hopefully somebody else in the community has had this and resolved this issue.

From oidc-client-ts.min.js: this._settings.authority !== t.authority && r.throw(new Error("authority mismatch on settings vs. signin state"))

  • Hi Etienne,

    That's more a question for Aras support. Many users in this forum still use previous releases. ;)

    The error message indicates an authentication problem. Which type do you use? OAuth, OIDC, SAML? Some require custom Aras DLLs.

    Some general tips: Check your redirect URLs in one of the oauth server configs and the URL you use to access Innovator.

  • Hi Angela, 

    Thanks for taking the time to respond. I am reaching out to the ARAS community to see if anyone else has resolved this error.

    I have an SI open, but we can't get it resolved. Some background: Aras Support used a copy of our code tree and applied the patch successfully in their environment. We then stepped through applying the R27 patch in our environment (to a working R21 environment), and it fails with this error.

    Prior to the upgrade users could sign in with both OpenID and OAuth. No issues.

    We have reviewed the Redirect URLs in the OAuth Server configs, but again, the Redirects worked prior to applying the R27 patch.

  • Hello Etienne,

    I just had the same issue with a brand new R27 behind a reverse proxy. The front-end URL is using our *aras.com DNS with a trusted certificate whereas on our ARAS Server, we resolve everything as "localhost". 

    What sorted out our problem was to make sure that the proxy is actually binding on https and not allowing everything without a specific rule. Specifying the https binding allowed OpenID (OIDC library) to get the mandatory information to trust the remote certificate.

    A few points for you to maybe check:

    • Make sure you enable https binding (the certificate you use doesn't matter, it can be different from the one used on the reverse proxy)
    • In OAuthserver/Oauth.config, make sure you add your Domain URL in <allowedCorsOrigins>: <origin value="https://yourDomainDNS" />
    • In OAuthserver/Oauth.config, make sure you add to <redirectUris> and <postLogoutRedirectUris> duplicated lines for localhost with https, so you should have 2 sets of URLs for localhost: http (default) and an extra set with localhost/.../.......
    • In OAuthserver/Oauth.config, make sure you have your <redirectUris> and <postLogoutRedirectUris> pointing to your Domain/DNS
    • In InnovatorServerConfig.xml, make sure that <OAuthServerDiscovery><Urls><Url value="https://$[HTTP_HOST_SERVER]$[HTTP_PORT_SERVER]$[HTTP_PATH_SERVER]/OAuthServer/"/> starts with HTTPS, like in the example above.

    In our case, the issue wasn't coming from ARAS Configuration but from our Proxy configuration.

    What helped us to figure out the reason was the "Console" issue raised:  

    Error: authority mismatch on settings vs. signin state

    Hope it helps you.

  • Thank You!! The URLs in the OAUth.config were already set up like you described, but what made the change was changing the OAuthDiscovery to URL. Fix: In InnovatorServerConfig.xml change the URL in the <OauthServerDiscovery> tag from value="https://<domain.com>/InnovatorServer14/OAuthServer"/ to value="https://$[HTTP_HOST_SERVER]$[HTTP_PORT_SERVER]$[HTTP_PATH_SERVER]/OAuthServer/"/> Note: After this was working I also tested <Url value="$[HTTP_PREFIX_SERVER]$[HTTP_HOST_SERVER]$[HTTP_PORT_SERVER]$[HTTP_PATH_SERVER]/OAuthServer/"/> and that works as well.

  • But wait there is more.... From Aras Support: Add a '/' to the end of the <OauthServerDiscovery> URL ...value="https://<domain.com>/InnovatorServer14/OAuthServer/"/> I did and that solved the issue as well. Our R27 URL required the trailing '/' and the R21 environment does not. We had the same issue with the upgrade to R26, but that was never resolved and was abandoned for R27.
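
The library line quoted in the first post is a strict string comparison, so two authority URLs that differ by a single character (the trailing '/' from the reply above, or http vs. https behind a proxy) fail it. The diagnostic below is an added example, not Aras or oidc-client-ts code; the function names and the example.test URLs are constructed for illustration.

```javascript
// Added diagnostic, not Aras or oidc-client-ts code. It mirrors the strict
// string comparison quoted in the first post and reports which part of the
// two authority URLs differs. All URLs below are constructed samples.

// Same test as the quoted line: any character difference is a mismatch.
function authorityMatches(settingsAuthority, stateAuthority) {
  return settingsAuthority === stateAuthority;
}

// Hypothetical helper: name the URL components that differ.
function explainAuthorityMismatch(settingsAuthority, stateAuthority) {
  if (authorityMatches(settingsAuthority, stateAuthority)) return [];
  const a = new URL(settingsAuthority);
  const b = new URL(stateAuthority);
  const reasons = [];
  if (a.protocol !== b.protocol) reasons.push("scheme");
  if (a.hostname !== b.hostname) reasons.push("host");
  if (a.port !== b.port) reasons.push("port");
  const strip = (p) => p.replace(/\/+$/, ""); // drop trailing slashes
  const pa = strip(a.pathname);
  const pb = strip(b.pathname);
  if (pa !== pb) {
    reasons.push(pa.toLowerCase() === pb.toLowerCase() ? "path-case" : "path");
  } else if (a.pathname !== b.pathname) {
    reasons.push("trailing-slash");
  }
  // The URL parser normalises host case and default ports, so the raw
  // strings can still differ when every parsed component is equal.
  if (reasons.length === 0) reasons.push("raw-string");
  return reasons;
}

// Constructed pairs: [authority in current settings, authority in stored state]
const samples = [
  ["https://plm.example.test/InnovatorServer/OAuthServer/",
   "https://plm.example.test/InnovatorServer/OAuthServer"],
  ["http://localhost/InnovatorServer/OAuthServer/",
   "https://plm.example.test/InnovatorServer/OAuthServer/"],
  ["https://plm.example.test/InnovatorServer/OAuthServer/",
   "https://plm.example.test/InnovatorServer/OAuthServer/"],
];

for (const [settings, state] of samples) {
  const why = explainAuthorityMismatch(settings, state);
  console.log(why.length ? `MISMATCH (${why.join(", ")})` : "match", settings, state);
}
```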
