We are currently facing a critical blocker during the migration of our SAML and OAuth SSO plugin for Crowd to version 7.0.0-EAP03.
As part of the migration process, we have updated our implementation to replace the deprecated class com.atlassian.crowd.manager.TokenAuthenticationManager with the new com.atlassian.crowd.service.authentication.CrowdApplicationAuthenticationService, as recommended.
However, we are encountering severe OSGi-related access issues, specifically:
com.atlassian.crowd.service.authentication.CrowdApplicationAuthenticationService and other classes under com.atlassian.crowd.service are inaccessible from within the plugin due to OSGi restrictions (e.g., ClassNotFoundException, package access violations).
Similar issues are observed with other critical components required for our SSO functionality:
This is completely blocking our ability to proceed with the migration, as these APIs are essential to enabling secure and seamless SSO into Atlassian products via Crowd.
Given that our plugin is used by multiple enterprise customers, including those in large-scale production environments, the inability to support Crowd 7.0 due to OSGi restrictions has serious implications:
We appreciate your immediate attention to this matter and look forward to your direction so we can continue supporting Crowd 7.0 in a secure and compatible manner.
We just released an on-demand EAP 05 version - with the com.atlassian.crowd.service.authentication.CrowdApplicationAuthenticationService class publicly exposed.
We believe this should allow you to use authentication functionality in your plugin.
Thank you for sharing the Crowd 7.0.0-EAP05 release.
While testing our Crowd plugin against this version, we encountered the following issue
Caused by: java.lang.NoClassDefFoundError: com/atlassian/crowd/service/authentication/CrowdApplicationAuthenticationService
...
Caused by: java.lang.ClassNotFoundException: com.atlassian.crowd.service.authentication.CrowdApplicationAuthenticationService not found
It appears that CrowdApplicationAuthenticationService is still not available for OSGI export.
Also, in our use case, we need to authenticate users in the context of a specific application (not necessarily the “crowd” application), and the currently available authenticate() method in CrowdApplicationAuthenticationService appears to enforce authentication only for the “crowd” application itself, which is generally used by Crowd Admin, not by end users.
We also couldn’t find a suitable replacement for the previously available authenticateUserWithoutValidatingPassword method in com.atlassian.crowd.manager.authentication.TokenAuthenticationManager.
Could you please confirm:
Whether CrowdApplicationAuthenticationService (or similar) will be re-exported in the final 7.0 release?
If not, is there an updated approach for application-scoped authentication that doesn’t rely on the Crowd application’s access rules?
We’d appreciate guidance on how to handle application-specific tokens or SAML-based authentication in 7.0+.
Thank you for the update and for accommodating our request.
We’ve tested Crowd 7.0.0 EAP 06, and everything appears to be working as expected. We’ll continue our validation to ensure full compatibility with Crowd v7 and will reach out if we encounter any issues or need further assistance.