API calls, OAuth, and Tenants OnPrem 21.04 Orchestrator

Has anyone actually got a definitive way of using different tenants via API OAuth OnPrem? I am On-Prem, version 21.04, and it just doesn’t seem to work.

I am using a Confidential/Application OData app model, but that shouldn’t matter. I can do everything else but Tenants (list users, start jobs, etc)

According to Swagger, the odata/Tenants call requires OR.Administration.Read access

My OAuth Settings have that.

And the result fails: Not Authorised.

{
  "message": "You are not authorized!",
  "errorCode": 0,
  "result": null,
  "targetUrl": null,
  "success": false,
  "error": {
    "code": 0,
    "message": "You are not authorized!",
    "details": "You are not allowed to perform this operation.",
    "validationErrors": null
  },
  "unAuthorizedRequest": true,
  "__abp": true
}

According to the forum post https://forum.uipath.com/t/api-call-to-specific-tenant-on-premise/241140/4 there are a lot of different opinions and ways of doing things, and a lot of people say that these ways don’t work.

  • Include ?tid=1 or ?tid=4 etc on the request {but you need to get the ID first}
  • Use X-UIPATH-TenantName
  • X-UIPATH-TenantName seems to be ignored by the API
  • According to the Swagger documentation there is no option to specify the tenant.
  • Put "tenancyName": "whatever" in the body json

None of these actually do anything from what I can tell. I have tried them all.

I even tried https://uipath/[TenantName]/identity/connect/token. Also didn’t work. I know this is for cloud and I am OnPrem.

When I use Bearer Token authentication (/api/account/authenticate) I can put the Tenant name into the body and that works. I can specify the Tenant I am connecting to.

But when I use OAuth authentication (/identity/connect/token) I cannot get any tenant but the default. According to the documentation for OnPrem OAuth (Using OAuth for External Apps (uipath.com)):

Client Credentials

For confidential applications to access application scope, the external application requests an access token by sending a POST request that includes the client_id and client_secret to the Identity Server token endpoint: https://{Orchestrator_URL}/identity/connect/token.
If you are using Postman or a similar tool, use the content type application/x-www-form-urlencoded.

Sample request body for a token request
{
  grant_type: "client_credentials"
  client_id: "{app_id}"
  client_secret: "{app_secret}"
  scope: "{scopes}"
}

Clearly there is no mention of which Tenant you are connecting to, and this is where I would expect it.

Please don’t link the basic web page; I have already read that. Please don’t link Swagger; I have already read that. Please don’t link the Postman web page; I have already read that.

I have read the 21.4 OAuth for external Apps {Using OAuth for External Apps (uipath.com)}

I understand most of the API, I can list users, robots, folders, processes, and start jobs.

Has anyone actually gotten OAuth OnPrem to work with Tenants in API calls?
Can you actually let me know what does work?

Thanks for reading.

@davidtodd1972 thank you for sharing this feedback - I will circle back with the team regarding the “You are not authorized” error on the odata/tenants endpoint when utilizing the client credentials flow.

Regarding your question about the ability to select a tenant, for 21.4 on-prem you can only register an external application that is associated with a single Orchestrator tenant. As such you cannot access multiple tenants with a single application registration on-prem.

You may have noticed in the external application app registration flow there is a tenant picker control, and that will allow you to configure external applications for other tenants.

1 Like
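
The client-credentials request quoted above, combined with the one-registration-per-tenant constraint from this reply, as an added Python example (not code from the thread or from UiPath). The tenant names, app ids and secrets are constructed placeholders, and reading scopes client-side assumes the access token is a JWT carrying a `scope` claim.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request

# Constructed placeholders: one external-application registration per tenant.
# In practice load the secrets from a vault, not from source code.
APPS = {
    "Default": {"client_id": "app-id-default", "client_secret": "secret-default",
                "scope": "OR.Administration.Read OR.Jobs"},
    "Finance": {"client_id": "app-id-finance", "client_secret": "secret-finance",
                "scope": "OR.Jobs"},
}

def build_token_request(orchestrator_url, tenant):
    """Build the token POST for the app registered in `tenant` (KeyError if none)."""
    form = {"grant_type": "client_credentials", **APPS[tenant]}
    return Request(
        orchestrator_url.rstrip("/") + "/identity/connect/token",
        data=urlencode(form).encode(),  # form-encoded body, not JSON
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )

def granted_scopes(access_token):
    """Read the scope claim of a JWT. No signature check: diagnostics only."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT; scopes cannot be read client-side")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    scope = json.loads(base64.urlsafe_b64decode(payload)).get("scope", [])
    return set(scope.split() if isinstance(scope, str) else scope)

def missing_scopes(access_token, required):
    """Scopes an endpoint needs that the token does not carry."""
    return sorted(set(required) - granted_scopes(access_token))

def make_sample_token(scope):
    """Constructed, unsigned token standing in for a real token response."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none"}), enc({"scope": scope}), "sig"])

if __name__ == "__main__":
    req = build_token_request("https://uipath", "Finance")
    print(req.full_url, req.data.decode())
    token = make_sample_token(["OR.Jobs"])
    print(missing_scopes(token, ["OR.Administration.Read"]))
```

Comparing the scopes in the issued token against what Swagger lists for an endpoint separates a scope that was never granted from a refusal that happens server-side despite the scope being present.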

Thank you for the reply Zawad.
You are correct and I do feel the fool.
Every OData connection is tied to a tenant.
Case closed

Since you are quite knowledgeable, do you know if starting a job with a specific user still works?

I send out

https://uipath/odata/Folders?$filter=FullyQualifiedName eq 'DEV'&$select=Id

I receive

"@odata.count": 1,
"Id": 2

So clearly I have found 1 folder and its ID is 2.

I send out

https://uipath/odata/Releases?$filter=Name eq 'DaveTest1'&$select=Key

I receive

"@odata.count": 1,
"Key": "XXX"

So clearly I have found 1 process and its Key is XXX.

I send out

https://uipath/odata/Users?$filter=UserName eq 'YYY'&$select=Id

I receive

"@odata.count": 1,
"Id": 50

So clearly I have found 1 user and its ID is 50.

I send out

https://uipath/odata/Jobs/UiPath.Server.Configuration.OData.StartJobs

Header
{
  "Authorization": "Bearer ABC",
  "Content-Type": "application/json",
  "X-UIPATH-OrganizationUnitId": "2"
}

Body
{
  "startInfo": {
    "ReleaseKey": "XXX",
    "RobotIds": [50],
    "Strategy": "Specific"
  }
}

I receive

Status Code 409
{
  "message": "Couldn't find the specified unattended user/robot in the current folder.\r\nclientRequestId: f0809de2-259c-427b-a413-3305b7c49618",
  "errorCode": 1671,
  "resourceIds": null
}

I know that user 50 is added to folder 2, I have checked this many times, and this user does run the process when I do not specify user.

So,

  • Am I doing something glaringly wrong?
  • Is Specify User not working in 21.04 On Prem Orchestrator?
