Issues authenticating REST API calls with JWT


Adam Malcontenti-Wilson

Apr 23, 2014, 2:53:47 AM
to atlassian-...@googlegroups.com
Hi all,

I've been attempting to use JWT for authentication of the JIRA REST API from a JIRA Addon and have been running into some problems getting authenticated. I'm running an instance of the atlassian plugin sdk locally, and trying to authenticate to this URL:

    http://atlassian.dev/jira/rest/api/2/project?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqaXJhOjBjYTI2YzYxLWQ3MjctNGQ0Mi05OWM4LTY1MTg3MTI2OTkzMCIsImlhdCI6MTM5ODIyNjMxNywiZXhwIjoxMzk4MjI2NDk3LCJxc2giOiIzNzZiODZiZTIyNmJlNmVkMjIxZjdhNWMxZmY5YmFmZGY0OTUwMzY3NzMyNjRlMjI4MjJkYmZmNjhlOGFlYWZhIiwic3ViIjoiYWRtaW4ifQ.GynWdD9-6x8MMr1H9tZT6hC6BKrjeRVN9Fl0TvnRg58

I've found these two tools which are handy for debugging the JWT token: one which allows you to edit the JSON of the JWT and sign it with a secret key at http://openidtest.uninett.no/jwt, and another which helps to validate that the query string hash parameter is correct at http://jwt-decoder.herokuapp.com/jwt/decode. I've passed in the JWT token generated and both of these tools indicate that it is correct; however, when I navigate to it I get a 401 unauthorised error, and there's nothing in the log file to indicate more information about the failure.

I'm running JIRA 6.2-OD-08-034 (6251) / Atlassian SDK 4.2.20 and starting the server with the following command: 

    atlas-run-standalone --http-port 2990 --server atlassian.dev --product jira  --version 6.2-OD-10-004-WN --bundled-plugins com.atlassian.plugins:atlassian-connect-plugin:1.0.0,com.atlassian.jwt:jwt-plugin:1.0.0,com.atlassian.bundles:json-schema-validator-atlassian-bundle:1.0-m0,com.atlassian.upm:atlassian-universal-plugin-manager-plugin:2.15 -Dallow.google.tracking=false --jvmargs -Datlassian.upm.on.demand=true

Cheers,
Adam

Seb Ruiz

Apr 23, 2014, 3:12:16 AM
to atlassian-...@googlegroups.com
Hi Adam,

The 401 unauthorized response is _not_ because your JWT token is incorrect. It is because your add-on does not have permission to access that particular REST API. Have you added the "READ" scope to your add-on descriptor?

Best,
Seb


--
You received this message because you are subscribed to the Google Groups "Atlassian Connect Dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to atlassian-connec...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Seb Ruiz
Atlassian

Adam Malcontenti-Wilson

Apr 23, 2014, 3:22:37 AM
to atlassian-...@googlegroups.com
Hi Seb,

Thanks for your quick response!

I had assumed that it was the JWT token that was incorrect, as I had tried a couple of endpoints without them working. We do however have the read scope defined in the addon descriptor JSON (https://gist.github.com/adammw/bc1e26fc6648d737cf4d).

Thanks,
Adam



Tim Pettersen

Apr 23, 2014, 4:54:29 PM
to atlassian-...@googlegroups.com
Hi Adam,

Apologies for the confusion; your descriptor does appear correct and you are requesting the correct scopes (assuming you are performing read and write operations). Seb was mistaken: a 401 can indicate an issue with JWT authentication, and this may be what is occurring in your case.

Fortunately, JWT does provide decent logging for authentication issues - you just have to switch it on. Here's how to do it if you started JIRA using the command you posted earlier:

1. Log into JIRA as a system administrator.
2. Go to the Logging & Profiling page in the System administration section, and click Configure logging level for another package.


3. Enter com.atlassian.jwt for the package, set the logging level to DEBUG and press Add.
4. Tail the log at /amps-standalone/target/jira-LATEST.log (relative to the directory you ran the atlas-run-standalone command from) and reproduce the issue. You should see some logging describing why the request was rejected.

If you're having further trouble determining the issue from the logs, please share them here and we'll help you out!

cheers,
Tim





--
Tim Pettersen
C: 415 503 8377

$10 Starter licenses... w00t! | http://www.atlassian.com

Adam Malcontenti-Wilson

Apr 24, 2014, 2:13:45 AM
to atlassian-...@googlegroups.com
Hi Tim,

I've enabled the logging and I was able to discover that I was sending the incorrect issuer ID in my JWT and using the clientKey rather than my app's identifier. I can now get to the REST endpoints successfully after using the correct issuer name. 

One of the problems I was trying to solve with JWT was accessing the project avatars; however, I get a 403 error when trying to do so. The logs mention:
[plugin.module.permission.ApiScopingFilter] Request not in an authorized API scope from app 'zendesk_jira' as user 'addon_zendesk_jira' on URL '/jira/secure/projectavatar'
Is there a separate scope I can add to the app to allow me to access the project avatars?

Thanks,
Adam
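The token in the original post carries the claim set iss, iat, exp, qsh and sub, and the fix above was getting iss right. The following is an added example (not Atlassian's code, nor anything from this thread) that builds such a token with the query string hash computed the way Connect documents it (method, path relative to the product base URL, query params sorted with the jwt param left out) and shows the host-side checks that turn a wrong issuer, a stale token or a token minted for a different URL into a 401. The shared secret, the add-on key "my-addon-key" and the "/jira" context path are constructed values for the demonstration.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, quote, urlsplit

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def canonical_request(method: str, url: str, context_path: str = "") -> str:
    """METHOD&path&query: path relative to the product base URL, params sorted by
    name, values sorted and comma-joined, the jwt param itself excluded."""
    parts = urlsplit(url)
    path = parts.path
    if context_path and path.startswith(context_path):
        path = path[len(context_path):]
    path = path.rstrip("/") or "/"
    params = parse_qs(parts.query, keep_blank_values=True)
    query = "&".join(
        quote(name, safe="") + "=" + ",".join(quote(v, safe="") for v in sorted(params[name]))
        for name in sorted(params) if name != "jwt")
    return "&".join([method.upper(), path.replace("&", "%26"), query])

def qsh(method: str, url: str, context_path: str = "") -> str:
    return hashlib.sha256(canonical_request(method, url, context_path).encode()).hexdigest()

def create_jwt(issuer, subject, method, url, secret, context_path="", ttl=180, now=None):
    """Mint an HS256 token with the same claims as the token in the original post."""
    now = int(time.time()) if now is None else now
    claims = {"iss": issuer, "iat": now, "exp": now + ttl,
              "qsh": qsh(method, url, context_path), "sub": subject}
    dump = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = dump({"typ": "JWT", "alg": "HS256"}) + "." + dump(claims)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_jwt(token, expected_issuer, secret, method, url, context_path="", now=None):
    """Host-side checks a request must pass; returns (claims, reason) so a 401 is explainable."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(c))
    except ValueError:
        return None, "malformed token"
    if header.get("alg") != "HS256":
        return None, "unsupported alg"   # never let the token pick its own algorithm
    expected = hmac.new(secret.encode(), f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None, "bad signature"
    if claims.get("iss") != expected_issuer:
        return None, "unknown issuer"    # the thread's bug: clientKey sent instead of the add-on key
    if claims.get("exp", 0) <= now:
        return None, "token expired"
    if claims.get("qsh") != qsh(method, url, context_path):
        return None, "qsh mismatch"      # token was signed for a different request
    return claims, "ok"
```

With DEBUG logging on com.atlassian.jwt enabled as Tim describes, the reason string is the kind of detail the JIRA log reports for each rejected request.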

Tim Pettersen

Apr 24, 2014, 2:35:31 PM
to atlassian-...@googlegroups.com
Hi Adam,

Great to hear you got past the JWT issue! Unfortunately the /jira/secure/projectavatar resource isn't bound to a Connect scope at the moment, so you cannot access it. I've raised an issue (https://ecosystem.atlassian.net/browse/AC-1074) to expose it. In the meantime you have two options to work around this:

1. If you know that the context user has permission to access the project, you can simply render the URL as the src attribute of an <img> tag, and let the browser retrieve it for you. 
2. Retrieve the project avatar via the JIRA SOAP service (which is bound to the Connect READ scope): https://developer.atlassian.com/static/connect/docs/scopes/jira-soap-scopes.html#getprojectavatar

cheers,
Tim

