Bearer token gets expired when trying to use atlassianhostrestclients

Is there any way to renew the bearer token using AtlassianHostRestClients? In the developer environment I can re-install my app, but for a user it should not cause a 401: bearer token expired error.

Hi, @kavya.sai,

There is a REST API to refresh tokens, described here: https://developer.atlassian.com/cloud/jira/platform/oauth-2-authorization-code-grants-3lo-for-apps/#frequently-asked-questions

Best regards,
Krzysztof

@kavya.sai, I take it that you are using AtlassianHostRestClients from atlassian-connect-spring-boot with the JWT Bearer token authorization grant type for OAuth 2.0.

Normally, if an access token has expired, OAuth2RestTemplate will simply fetch a new one (see getAccessToken).

So I assume that you are experiencing clock drift, where the server running your app is chronologically behind Atlassian’s servers, resulting in your app thinking the access token is still valid, whereas the Atlassian product rejects it as expired. The clock drift is likely something you should try to fix, but I can also suggest workarounds for you to use. (There is also an open feature request in spring-security-oauth for this functionality.)

If, at the time of using OAuth2RestTemplate, you want to force the retrieval of a new access token, you can simply call oAuth2RestTemplate.getOAuth2ClientContext().setAccessToken(null).

A more elegant solution could be to invalidate access tokens with a ClientHttpRequestInterceptor:

@Bean
public RestTemplateCustomizer clockSkewAwareAccessTokenInvalidator() {
    return restTemplate -> {
        // Only OAuth2RestTemplate instances carry an access token
        if (restTemplate instanceof OAuth2RestTemplate) {
            restTemplate.getInterceptors().add((httpRequest, body, execution) -> {
                // Treat a token with less than 60 seconds of remaining lifetime as expired
                if (((OAuth2RestTemplate) restTemplate).getAccessToken().getExpiresIn() < 60) {
                    throw new InvalidTokenException("Invalidating access token due to clock skew");
                }
                return execution.execute(httpRequest, body);
            });
        }
    };
}
2 Likes
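
The clock-drift scenario described in the post above, as an added example that is not part of the original thread or of atlassian-connect-spring-boot. The class and method names are hypothetical, and the timestamps and the `Date` header value are constructed. It uses only `java.time`, with no Spring dependency:

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;

public class ClockSkewDemo {

    // Skew estimate: server time (from an HTTP Date header) minus local time.
    // A positive value means the local clock is behind the server.
    static Duration estimateSkew(String httpDateHeader, Clock localClock) {
        Instant serverNow = ZonedDateTime
                .parse(httpDateHeader, DateTimeFormatter.RFC_1123_DATE_TIME)
                .toInstant();
        return Duration.between(localClock.instant(), serverNow);
    }

    // Naive check: trusts the local clock completely.
    static boolean looksValidLocally(Instant expiresAt, Clock localClock) {
        return localClock.instant().isBefore(expiresAt);
    }

    // Skew-aware check: treat the token as expired `margin` before its expiry,
    // the same idea as the `getExpiresIn() < 60` test in the interceptor.
    static boolean shouldRefresh(Instant expiresAt, Clock localClock, Duration margin) {
        return !localClock.instant().plus(margin).isBefore(expiresAt);
    }

    public static void main(String[] args) {
        // Constructed scenario: server time is 12:00:00 UTC, app host is 45 s behind.
        Instant serverNow = Instant.parse("2024-01-01T12:00:00Z");
        Clock local = Clock.fixed(serverNow.minusSeconds(45), ZoneOffset.UTC);
        // The token expired 15 s ago by the server's clock.
        Instant expiresAt = serverNow.minusSeconds(15);

        Duration skew = estimateSkew("Mon, 01 Jan 2024 12:00:00 GMT", local);
        System.out.println("estimated skew (s): " + skew.getSeconds());
        System.out.println("naive check says valid: " + looksValidLocally(expiresAt, local));
        System.out.println("refresh with 60 s margin: "
                + shouldRefresh(expiresAt, local, Duration.ofSeconds(60)));
    }
}
```

The margin only covers drift smaller than itself, so a skew estimate that approaches the margin is a reason to fix time synchronization on the host.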

Thank you @epehrson
I mentioned @IgnoreJwt for my controller class, that was the culprit. As you said, AtlassianHostRestClients does everything :slight_smile:.
Can I access rest/agile/1.0/example with AtlassianHostRestClients? I think no, because it supports only rest/api/3.0/sample.

@kavya.sai, I’m not sure how @IgnoreJwt could lead you to see an error for an expired Bearer token. I would still look into the possibility of clock drift, if I were you.

Are you asking if your Connect app can access the Jira Software REST API? Of course, just make sure your app installation has the scope required for the endpoint.