401 Authorization Error for Requests Made with JWT Authentication

Hello. I’m attempting to build a Confluence Cloud Connect application which accesses some resources related to the instance of Confluence it’s installed on. This application is being built with Django, if that’s of any consequence. To create the Authorization header, I’m making use of a library named atlassian-jwt.

I try to get groups - /wiki/rest/api/group

To generate the token I’m passing in (GET, https://my-domain.atlassian.net/wiki/rest/api/group, my-connect-app-key, shared-secret) into the encode_token function from the library above.

Whenever I make the request with the header Authorization: JWT <generated_token>, I get a 401 error. This error occurs for any resource I try to retrieve, not just groups. I’m now wondering if I have missed anything. This issue I’m having seems to be particular to Confluence as I have done the same for Jira and it works seamlessly.

Would be glad to receive any help I can get. Thanks in advance!

The most common reason for this is that you’re not generating the correct Query String Hash: Query string hash


Why are you making the request with the header Authorization: JWT <generated_token> and not just appending it as part of the query in the GET request?

Does it make a difference?

I assume not, but he said:

This issue I’m having seems to be particular to Confluence as I have done the same for Jira and it works seamlessly.

A minimal GET request like /rest/api/user?jwt=whateverthetokenis should be easy to test.

You were right! The library I was using to generate the token did not account for Confluence. It included /wiki in the canonical URI. What I did was to pass in https://my-domain.atlassian.net/rest/some/path instead of https://my-domain.atlassian.net/wiki/rest/some/path and that solved my issue.


I finally got the reason.
For me the problem was the clientKey. I thought it was the clientKey of the Atlassian tenant, but actually it is the key defined in your descriptor. It is the add-on’s key, which is defined by the developer (probably you), like: 'key': 'com.yourcompany.jira.dev'.

import atlassian_jwt

# relative_url: the request path relative to the product base URL (for Confluence, without the /wiki context path)
# clientKey: the add-on key from the Connect descriptor, not a per-tenant value
token = atlassian_jwt.encode_token(
    'GET',
    relative_url,
    clientKey='It_Is_Not_A_Value_Different_For_Each_Tenant_It_IS_A_Fixed_Value',
    sharedSecret=self.shared_secret,
)
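The two fixes in this thread (strip the /wiki context path before computing the Query String Hash, and put the add-on key, not a tenant key, in the token) can be checked end to end without the atlassian-jwt library. The block below is an added example, not code from the thread or from atlassian-jwt: it builds the canonical request the way Connect's QSH rules describe (METHOD & canonical-path & canonical-query, query parameters sorted by encoded name, repeated values sorted and comma-joined, the jwt parameter excluded), signs an HS256 token with the shared secret, and verifies it the way the product side would, so a token hashed with /wiki still in the path fails with a qsh mismatch rather than a bare 401. The host name, app key and shared secret are constructed placeholders.

```python
"""Atlassian Connect-style JWT with a Query String Hash (QSH), stdlib only.

Added example, not the poster's code or the atlassian-jwt library.
"""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, quote, urlsplit

# Confluence Cloud serves its REST API under the /wiki context path; the QSH is
# computed on the path relative to the product base URL, so /wiki must be removed.
CONTEXT_PATHS = ("/wiki",)

# Constructed sample values, not real tenants or secrets.
CONFLUENCE_URL = "https://my-domain.atlassian.net/wiki/rest/api/group"
APP_KEY = "com.example.confluence-app"        # the descriptor's "key", fixed per add-on
SHARED_SECRET = "constructed-shared-secret"    # from the installed lifecycle payload


def _encode(value: str) -> str:
    # RFC 3986 percent-encoding: unreserved chars kept, everything else (incl. "/") encoded.
    return quote(value, safe="")


def canonical_request(method: str, url: str, context_paths=CONTEXT_PATHS) -> str:
    parts = urlsplit(url)
    path = parts.path or "/"
    for ctx in context_paths:
        if path == ctx or path.startswith(ctx + "/"):
            path = path[len(ctx):] or "/"
            break
    if len(path) > 1 and path.endswith("/"):
        path = path.rstrip("/")
    params = parse_qs(parts.query, keep_blank_values=True)
    params.pop("jwt", None)  # the token itself is never part of its own hash
    pieces = []
    for key in sorted(params, key=_encode):
        values = sorted(_encode(v) for v in params[key])
        pieces.append(f"{_encode(key)}={','.join(values)}")
    return "&".join([method.upper(), path, "&".join(pieces)])


def qsh(method: str, url: str, context_paths=CONTEXT_PATHS) -> str:
    return hashlib.sha256(canonical_request(method, url, context_paths).encode()).hexdigest()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_token(method, url, app_key, shared_secret, lifetime=180, now=None,
                 context_paths=CONTEXT_PATHS) -> str:
    """Build a compact HS256 JWS: iss is the add-on key, qsh binds it to one request."""
    now = int(time.time()) if now is None else now
    header = {"typ": "JWT", "alg": "HS256"}
    claims = {"iss": app_key, "iat": now, "exp": now + lifetime,
              "qsh": qsh(method, url, context_paths)}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(shared_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, method, url, shared_secret, now=None,
                 context_paths=CONTEXT_PATHS) -> dict:
    """What the receiving side does: pin the alg, check the MAC, then recompute qsh."""
    now = int(time.time()) if now is None else now
    try:
        h64, c64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(shared_secret.encode(), f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("qsh") != qsh(method, url, context_paths):
        raise ValueError("qsh mismatch: token was hashed for a different canonical request")
    return claims


if __name__ == "__main__":
    print(canonical_request("GET", CONFLUENCE_URL))          # GET&/rest/api/group&
    good = encode_token("GET", CONFLUENCE_URL, APP_KEY, SHARED_SECRET)
    print(verify_token(good, "GET", CONFLUENCE_URL, SHARED_SECRET)["iss"])
    bad = encode_token("GET", CONFLUENCE_URL, APP_KEY, SHARED_SECRET, context_paths=())
    try:
        verify_token(bad, "GET", CONFLUENCE_URL, SHARED_SECRET)
    except ValueError as err:
        print("with /wiki left in:", err)
```

Send the result either as `Authorization: JWT <token>` or as a `jwt=` query parameter; both are hashed identically because the jwt parameter is dropped from the canonical query. If a tenant rejects a token, compare `canonical_request(...)` for the exact method and URL you sent against what your library hashed; a stray context path, trailing slash or unsorted repeated parameter shows up there immediately.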