Empty projects list + Crowd integration + unhandled expiring token

Hello all,
While developing our Jira integration to create issues using the Rest API, we have noticed that some of our clients were having troubles, they were getting an empty projects list from the API.
We are using cookie based authentication !
After some inspections, it turns out that those clients are using Crowd to manage SSO.
We have deployed a quick fix to gather Crowd token and sends it with the requests and it worked, but as soon as the token expires Jira returns a 422 Unprocessable Entity while in fact it’s an authorization problem.
I also noticed that if I include the Jira session gathered from the rest API, and the Crowd token in the headers, the create issue will work correctly even if the Crowd token has expired, but will stop working if the Jira session expires too, and will also returns an 422 status code which is not correct.
Am I missing something ?
Thanks for your help

1 Like

My guess is that it’s something to do with the session management within JIRA. Have you seen the stack trace from the atlassian-jira.log when you’re getting the 422 response? That would probably tell you more about what’s going on.

Not sure how your integration is working (i.e. server to server or browser to server). Have you thought about either:

Creating your own rest resource with your own authentication schema (not the best since you’d have have a secret or something to identify the integrity of users) and use it to create the issues?
Or
Switching to oauth to handle the user flow: https://developer.atlassian.com/jiradev/jira-apis/jira-rest-apis/jira-rest-api-tutorials/jira-rest-api-example-oauth-authentication (Assuming that this is a remote site)?

Might make life easier for you… Intercepting JIRA’s authentication system will probably mean more things to go bump in the night later…

1 Like

Hello Daniel,
Thanks for the reply, we are doing server to server integration, I will look at the logs, but cookie based authentication is one of the three official methods to login against Jira API as described here https://developer.atlassian.com/jiradev/jira-apis/jira-rest-apis/jira-rest-api-tutorials/jira-rest-api-example-cookie-based-authentication, that’s why I thought it could be a bug.
Anyway, thank you very much for the hint about the logs, I will let you guys know if I find a fix to my problem. :smiley:

1 Like