Symptoms
After upgrading from vRA 8.1 or earlier to vRA 8.2 or later, direct login to the orchestrator UI, that is, the login at https://vra-host/orchestration-ui, is impossible. When a login is attempted on that URL, after entering the username and password, the user is redirected to a black page containing the following error message:
{ "error": "invalid_request", "error_description": "Must provide a matching redirect uri." }
Note: This issue is NOT observed on fresh vRA deployments after 8.2. Only environments upgraded from 8.1 or earlier suffer from it.
Cause
This is a known issue in vRA: during an upgrade, the redirect URI of the vRO client is not properly updated in the k8s configmap cache. The redirect URI of vRO was changed in vRA 8.2.
Resolution
IMPORTANT: Make sure that you take snapshots before attempting these steps.

1. Run this to verify that the config map contains the wrong redirectUri for vRO:

    kubectl get vaconfigs.prelude.vmware.com prelude-vaconfig -o json | jq -r .spec.clientsecrets | base64 -d | grep vro-config | cut -d "," -f 2 | base64 -d

   You should see a line similar to:

    redirectUri: /vco-controlcenter/authn/callback

2. Edit the config map so that the correct redirectUri is set for the vro-config:

    kubectl patch configmaps -n prelude vro-config --type json -p '[{"op": "add", "path": "/data/redirectUri", "value": "/vco/authn/callback"}]'

3. Save the change to the config map's cache. This requires running the following two commands:

    source /opt/scripts/persistence_utils.sh;
    client_secrets_save;

   You should see several warnings followed by this line:

    vaconfig.prelude.vmware.com/prelude-vaconfig patched

   Note: If you see the message below, the config map's cache has not been changed.

    vaconfig.prelude.vmware.com/prelude-vaconfig patched (no change)

4. Run the command from step 1 again to verify that the new redirectUri is now set. You should see:

    redirectUri: /vco/authn/callback

5. Run /opt/scripts/deploy.sh
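
A scripted form of the check in steps 1 and 4, as an added example that is not part of the original article: it decodes the clientsecrets blob the same way the step 1 pipeline does and reports whether the vro-config redirectUri is the corrected value. The function names, the sample blob and its layout (inferred from that pipeline) are assumptions.

```shell
#!/bin/sh
# Added example: check the vro-config redirectUri inside a clientsecrets blob.
# Layout assumed from the step 1 pipeline: base64( lines of "name,base64(data),..." ).

EXPECTED_URI="/vco/authn/callback"   # value set in step 2

# Print the redirectUri stored for vro-config in the blob given as $1.
vro_redirect_uri() {
    printf '%s' "$1" | base64 -d 2>/dev/null \
        | grep vro-config | cut -d "," -f 2 | base64 -d 2>/dev/null \
        | sed -n 's/^[[:space:]]*redirectUri:[[:space:]]*//p' | head -n 1
}

# Return 0 if the cached value is correct, 1 if stale, 2 if no value was found.
check_vro_redirect_uri() {
    uri=$(vro_redirect_uri "$1")
    if [ -z "$uri" ]; then
        echo "vro-config redirectUri not found in blob" >&2
        return 2
    fi
    if [ "$uri" = "$EXPECTED_URI" ]; then
        echo "OK: $uri"
        return 0
    fi
    echo "STALE: $uri (expected $EXPECTED_URI)" >&2
    return 1
}

# Build a constructed blob with the assumed layout (not real appliance data).
make_sample_blob() {
    inner=$(printf 'clientId: sample-client\nredirectUri: %s\n' "$1" | base64 | tr -d '\n')
    other=$(printf 'x: y\n' | base64 | tr -d '\n')
    printf 'other-config,%s\nvro-config,%s\n' "$other" "$inner" | base64 | tr -d '\n'
}

# On the appliance the blob comes from the first half of the step 1 command:
#   blob=$(kubectl get vaconfigs.prelude.vmware.com prelude-vaconfig -o json | jq -r .spec.clientsecrets)
#   check_vro_redirect_uri "$blob" || echo "repeat steps 2 and 3 before running deploy.sh"
```

A non-zero return after step 3 corresponds to the "patched (no change)" case: the cache still holds the old value and step 5 should wait.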