403 Error page during OAuth2 authentication

My app uses the OAuth2 scheme to authorize and get tokens to communicate with Jira via the REST API.
But from time to time Jira shows a “403 The request could not be satisfied.” page instead of asking for login credentials.


Recently it happens too often. What could be the problem?

The GET request is:

https://auth.atlassian.com/authorize?audience=api.atlassian.com&client_id=[MY_CLIENT_ID]&scope=read%3Ame%20read%3Ajira-user%20read%3Ajira-work%20write%3Ajira-work%20manage%3Ajira-configuration%20offline_access&redirect_uri=http%3A%2F%2Flocalhost%2Foauth%2Fredirect&state=980273431&response_type=code&prompt=consent

And the response is:

HTTP/1.1 403 Forbidden
Server: CloudFront
Date: Tue, 01 Aug 2023 13:22:18 GMT
Content-Type: text/html
Content-Length: 919
Connection: keep-alive
X-Cache: Error from cloudfront
Via: 1.1 480d73d26133a5d3268f9cfc7c99d59c.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: YUL62-P1
X-Amz-Cf-Id: 7yo8DvkGCmUdQs2lP9LlG5Es-eLkGIjhSC3quNk3o8TQXvTzZAVmSQ==
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; preload
 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>403 ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
Request blocked.
We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
<BR clear="all">
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: 7yo8DvkGCmUdQs2lP9LlG5Es-eLkGIjhSC3quNk3o8TQXvTzZAVmSQ==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML>

The web control used to show the login page is WebView2 115.0.1901.

Seems like a bug on the Jira Cloud OAuth2 web page.

@EvgenyKyselgov,

I can’t reproduce the 403 with my OAuth 2 client. And I can’t see anything obviously wrong. I think you’re saying that it only fails occasionally, so I think that’s good proof that you’re using the endpoint correctly.

If it is a bug that we should research, it might be isolated to your client or your network. In which case, I would recommend reporting through developer support, so they can have a look into logs on the back-end. Hopefully their additional insights might identify the problem.

@ibuchanan
I have just cleared the cache of my WebView2 control and now I keep seeing this problem.
Can you please share the link to the developer support page?

@EvgenyKyselgov,

Sorry, I forgot to link:

1 Like

Thank you.

@ibuchanan
I traced WebView2 page navigation during OAuth2 request, and it’s interesting.
My app opens embedded WebView2 control and starts OAuth2 workflow, as it should according to the documentation, by navigating to a URL:

https://auth.atlassian.com/authorize?audience=api.atlassian.com&client_id=[MY_APP_CLIENT_ID]&scope=read%3Ame%20read%3Ajira-user%20read%3Ajira-work%20write%3Ajira-work%20manage%3Ajira-configuration%20offline_access&redirect_uri=http%3A%2F%2Flocalhost%2Foauth%2Fredirect&state=980273431&response_type=code&prompt=consent

This request redirects to

https://id.atlassian.com/login?continue=https%3A%2F%2Fauth.atlassian.com%2Fauthorize%3Faudience%3Dapi.atlassian.com%26client_id%3D[MY_APP_CLIENT_ID]%26scope%3Dread%253Ame%2520read%253Ajira-user%2520read%253Ajira-work%2520write%253Ajira-work%2520manage%253Ajira-configuration%2520offline_access%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%252Foauth%252Fredirect%26state%3D980273431%26response_type%3Dcode%26native%3Dtrue

and it always returns a 403 error page.

Can you please check the behavior of your app after clearing the web browser’s cache?

@EvgenyKyselgov,

Thanks for the additional context. Now we know more precisely where that 403 comes from. That said, the flow from auth.atlassian.com to id.atlassian.com is normal. That’s what should happen when the auth page cannot find a user cookie to know which user is logged in.

When I do the same for my OAuth client in a Chrome Incognito window, I get a very similar looking redirect:

https://id.atlassian.com/login?continue=https%3A%2F%2Fauth.atlassian.com%2Fauthorize%3Faudience%3Dapi.atlassian.com%26client_id%3D39R2RciZEHyGPi7Qxr5nvNeHrpriEG8X%26scope%3Dread%253Ame%2520offline_access%2520read%253Aconfluence-content.summary%2520write%253Aconfluence-content%2520read%253Aconfluence-space.summary%2520write%253Aconfluence-space%2520write%253Aconfluence-file%2520read%253Aconfluence-props%2520write%253Aconfluence-props%2520manage%253Aconfluence-configuration%2520read%253Aconfluence-content.all%2520search%253Aconfluence%2520read%253Aconfluence-content.permission%2520read%253Aconfluence-user%2520read%253Aconfluence-groups%2520write%253Aconfluence-groups%26redirect_uri%3Dhttp%253A%252F%252Fsquian.com%252F%26state%3D4a9f9c55-1da5-452a-81d9-32afe817d96f%26response_type%3Dcode%26native%3Dtrue

I’m trying to find a way to compare these. Because when I use your URL exactly as you’ve pasted it, yes, I see a 403. But as soon as I replace the [MY_APP_CLIENT_ID] with my own client id, it proceeds to the login page as expected.

I’m afraid I still can’t reproduce your issue.

1 Like
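
Added example, not part of the original posts: one way to compare an authorize request with the login redirect it produces, by decoding the nested `continue` parameter and diffing the query parameters. The URLs are shortened, constructed samples modeled on those in the thread; `CLIENT_ID_PLACEHOLDER` and the function names are assumptions.

```python
from urllib.parse import urlsplit, parse_qs, quote

# Constructed sample: a shortened authorize request shaped like the one in the thread.
AUTHORIZE = (
    "https://auth.atlassian.com/authorize?audience=api.atlassian.com"
    "&client_id=CLIENT_ID_PLACEHOLDER&scope=read%3Ame%20offline_access"
    "&redirect_uri=http%3A%2F%2Flocalhost%2Foauth%2Fredirect"
    "&state=980273431&response_type=code&prompt=consent"
)
# Constructed sample: the authorize URL as it appears inside the login redirect
# (no prompt parameter, native=true appended), then percent-encoded a second time.
NESTED = AUTHORIZE.replace("&prompt=consent", "&native=true")
LOGIN = "https://id.atlassian.com/login?continue=" + quote(NESTED, safe="")


def query_params(url):
    """Return the query string as {name: [values]}, decoded one level."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def continue_target(login_url):
    """Extract the authorize URL carried in the login redirect's `continue` parameter."""
    values = query_params(login_url).get("continue")
    if not values or len(values) != 1:
        raise ValueError("expected exactly one 'continue' parameter")
    return values[0]


def diff_params(original_url, nested_url):
    """Compare two authorize URLs: endpoint, then parameter names and values."""
    a, b = query_params(original_url), query_params(nested_url)
    return {
        # scheme, host and path must match for the redirect to return to the same endpoint
        "same_endpoint": tuple(urlsplit(original_url)[:3]) == tuple(urlsplit(nested_url)[:3]),
        "dropped": sorted(set(a) - set(b)),
        "added": sorted(set(b) - set(a)),
        "changed": sorted(k for k in set(a) & set(b) if a[k] != b[k]),
    }


if __name__ == "__main__":
    print(diff_params(AUTHORIZE, continue_target(LOGIN)))
```

The same `diff_params` call works on two decoded `continue` targets, which is the comparison between a failing and a working redirect.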

@ibuchanan
Thank you for your help. I created a ticket with Jira Dev Support, as you suggested, and they found the problem and fixed the issue on the Jira side. I don’t know the details of this fix, but now everything works fine.

1 Like