How to have multiple Orchestrator URLs?


We just migrated to 20.10.5 LTS and we found that, compared to the 19.10 version, it’s not possible to use all the URLs we have defined on our certificate.
If we try to log in with a second URL we get: 2021-02-03 09:32:51.4486 IdentityServer4.Validation.AuthorizeRequestValidator Invalid redirect_uri:


2021-02-03 09:32:51.4486 IdentityServer4.Events.DefaultEventService {“ClientId”:“f22afbb0-a6fb-477d-b1ba-019391dba27d”, “ClientName”:“Orchestrator.OpenId”, “Endpoint”:“Authorize”, “Scopes”:“”, “Error”:“unauthorized_client”, “ErrorDescription”:“Invalid redirect_uri”, “Category”:“Token”, “Name”:“Token Issued Failure”, “EventType”:“Failure”, “Id”:2001, “ActivityId”:“8000088d-0000-a000-b63f-84710c7967bb”, “TimeStamp”:“2021-02-03T08:32:51Z”, “ProcessId”:7692, “LocalIpAddress”:“”, “RemoteIpAddress”:“”}

It seems to be the Identity Server that manages this. Is there a way to add authorized URLs to the Identity Server?

Thank you,

Hello @mittol_ldc!

It seems that you have trouble getting an answer to your question in the first 24 hours.
Let us give you a few hints and helpful links.

First, make sure you browsed through our Forum FAQ Beginner’s Guide. It will teach you what should be included in your topic.

You can check out some of our resources directly, see below:

  1. Always search first. It is the best way to quickly find your answer. Check out the image icon for that.
    Clicking the options button will let you set more specific topic search filters, i.e. only the ones with a solution.

  2. Topic that contains most common solutions with example project files can be found here.

  3. Read our official documentation where you can find a lot of information and instructions about each of our products:

  4. Watch the videos on our official YouTube channel for more visual tutorials.

  5. Meet us and our users on our Community Slack and ask your question there.

Hopefully this will let you easily find the solution/information you need. Once you have it, we would be happy if you could share your findings here and mark it as a solution. This will help other users find it in the future.

Thank you for helping us build our UiPath Community!

Cheers from your friendly

I noticed this issue as well when we introduced multiple nodes and attempted to access Orchestrator via the LB URL and the node-specific FQDN.

The symptom was that the load-balanced URL and the primary node would successfully redirect to the Identity Service using the load-balanced URL, and after authenticating it would redirect back to the originally requested address. However, any other URL would fail when it redirected to the Identity Service and throw an error.

Web UI: An unknown error has occurred. (#200)
and in Event Viewer Logs

details: {
	"Error": "unauthorized_client",
	"ErrorDescription": "Invalid redirect_uri",
	"RequestId": "*************",
	"ClientId": "******************"
	"ClientId": "************",
	"ClientName": "Orchestrator.OpenId",
	"Endpoint": "Authorize",
	"Scopes": "",
	"Error": "unauthorized_client",
	"ErrorDescription": "Invalid redirect_uri",
	"Category": "Token",
	"Name": "Token Issued Failure",
	"EventType": "Failure",
	"Id": 2001,
	"ActivityId": "***************",
	"TimeStamp": "2022-08-10T15:00:43Z",
	"ProcessId": 7572,
	"LocalIpAddress": "x.x.x.x:443",
	"RemoteIpAddress": "x.x.x.x"
	"ClientId": "******",
	"ClientName": "Orchestrator.OpenId",
	"AllowedRedirectUris": ["http:\/\/fqdn1\/signinsystemopenidconnect", "http:\/\/localhost\/signinsystemopenidconnect", "https:\/\/localhost\/signinsystemopenidconnect", "http:\/\/hostname1\/signinsystemopenidconnect", "https:\/\/hostname1\/signinsystemopenidconnect", "https:\/\/fqdn1\/signinsystemopenidconnect", "https:\/\/lburl1\/signinsystemopenidconnect"],
	"SubjectId": "anonymous",
	"RequestedScopes": "",
	"Raw": {
		"client_id": "******",
		"redirect_uri": "https:\/\/fqdn2\/signinsystemopenidconnect",
		"response_type": "code id_token",
		"scope": "openid profile email",
		"response_mode": "form_post",
		"nonce": "......",
		"state": "......",
		"x-client-SKU": "ID_NETSTANDARD2_0",
		"x-client-ver": ""

The solution is to update the identity.ClientRedirectUris table in the database.
You can create 4 new records per unique FQDN/hostname (2 for SSL/HTTPS, 2 for non-HTTPS) with an association to the correct ClientId, which can be found in the identity.Clients table.

Id	RedirectUri	ClientId
1	http://node1.domain/signinsystemopenidconnect	1
2	http://localhost/signinsystemopenidconnect	1
3	https://localhost/signinsystemopenidconnect	1
4	http://node1/signinsystemopenidconnect	1
5	https://node1/signinsystemopenidconnect	1
6	https://node1.domain/signinsystemopenidconnect	1
7	com.uipath.robot.oidc://oauthredirect	4
8	https://lbfqdn/signinsystemopenidconnect	1
9	com.uipath.robot.oidc://oauthredirect?client_triggered_redirect=true	4
10	https://robot-code-auth/	4
11	6
12	6
13	6
14	http://node2.domain/signinsystemopenidconnect	1
15	http://node2/signinsystemopenidconnect	1
16	https://node2/signinsystemopenidconnect	1
17	https://node2.domain/signinsystemopenidconnect	1

No restart or recycle of IIS resources is required.

After updating the Client Redirect URIs, the treatment would be: when accessing the secondary node URL, the browser is redirected to the primary/LB URL for the Identity Service, and once authenticated it is redirected back to the originally requested URL.


This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.
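
An added example, not part of the thread and not UiPath code: it reads a failure event shaped like the one logged above, confirms that the rejected `redirect_uri` is the Orchestrator callback on a host the operator has explicitly approved, and lists the (RedirectUri, ClientId) rows still missing from identity.ClientRedirectUris. The function names, the `approved_nodes` mapping (FQDN to short hostname), the exact-string comparison and the sample event are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

CALLBACK_PATH = "/signinsystemopenidconnect"  # callback path seen in the thread's logs

# Constructed sample shaped like the logged failure event (all values made up).
SAMPLE_EVENT = r'''{
  "ClientName": "Orchestrator.OpenId",
  "Error": "unauthorized_client",
  "ErrorDescription": "Invalid redirect_uri",
  "AllowedRedirectUris": ["http:\/\/node1\/signinsystemopenidconnect",
                          "https:\/\/node1\/signinsystemopenidconnect",
                          "https:\/\/lbfqdn\/signinsystemopenidconnect"],
  "Raw": {"redirect_uri": "https:\/\/node2.domain\/signinsystemopenidconnect"}
}'''

def rejected_host(event_json):
    """Host of the rejected redirect_uri, or None if nothing should be allowlisted."""
    ev = json.loads(event_json)
    if ev.get("ErrorDescription") != "Invalid redirect_uri":
        return None
    requested = ev.get("Raw", {}).get("redirect_uri", "")
    # Assumption: registered URIs are compared as whole strings, no wildcards.
    if requested in ev.get("AllowedRedirectUris", []):
        return None
    parts = urlsplit(requested)
    if parts.path != CALLBACK_PATH or parts.query or parts.fragment:
        return None  # not the Orchestrator callback, so never propose it
    return parts.hostname

def rows_to_add(event_json, approved_nodes, existing_uris, client_id):
    """(RedirectUri, ClientId) rows missing for the node named in the event."""
    host = rejected_host(event_json)
    for fqdn, short in approved_nodes.items():
        if host in (fqdn, short):
            # Four rows per node, as in the answer: FQDN and hostname, http and https.
            wanted = [f"{scheme}://{name}{CALLBACK_PATH}"
                      for name in (fqdn, short) for scheme in ("http", "https")]
            return [(uri, client_id) for uri in wanted if uri not in existing_uris]
    return []  # host not approved by the operator: add nothing

if __name__ == "__main__":
    for row in rows_to_add(SAMPLE_EVENT, {"node2.domain": "node2"}, set(), 1):
        print(row)
```
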