Getting 401 unauthorised status code when user updates/reinstalls app in Jira

We are using Spring Boot version 1.4.2 RELEASE and Atlassian Connect Spring Boot version 1.3.1 for our app. We are facing issues in the update/reinstall lifecycle events. When a user installs our app for the first time (we are doing installation using the descriptor; currently, our app is not public on the marketplace), the process is completed successfully. During this process, our server receives data such as the client key, public key, base URL, shared secret, etc., and it is stored in our database by Atlassian Connect Spring Boot.

Now, when a user tries to reinstall or update our app, according to Atlassian docs, a new shared secret is created, and we have to store it in our database. During this process, Atlassian calls a POST API on the route ‘/installed’ on our server, and we should receive an event on the AddonInstalledEvent listener. However, the problem is that before getting the event on the event listener, Atlassian Connect Spring Boot authenticates the request and may try to authenticate it using the older shared secret stored in our database. Due to this, the POST API request is rejected with a 401 unauthorized status code, and we do not receive the event with the new shared secret. If we could receive the event, we could update the shared secret in our database and sync it with Atlassian.

I am attaching logs of our server with debug-level logging for your understanding. How can we solve this issue? Any suggestions would be appreciated.

2024-01-18 16:05:11.169 DEBUG 32629 --- [0.0-8080-exec-8] o.a.coyote.http11.Http11InputBuffer      : Received [POST /installed HTTP/1.1
Host: 4c55-120-72-93-82.ngrok-free.app
<POST request object with all data related to client like publickey,shared secret, baseurl, client key etc>

....

2024-01-18 16:05:11.170 DEBUG 32629 --- [0.0-8080-exec-8] o.a.c.authenticator.AuthenticatorBase    : Security checking request POST /installed
2024-01-18 16:05:11.170 DEBUG 32629 --- [0.0-8080-exec-8] org.apache.catalina.realm.RealmBase      :   No applicable constraints defined
2024-01-18 16:05:11.170 DEBUG 32629 --- [0.0-8080-exec-8] o.a.c.authenticator.AuthenticatorBase    :  Not subject to any constraint
2024-01-18 16:05:11.170 DEBUG 32629 --- [0.0-8080-exec-8] org.apache.tomcat.util.http.Parameters   : Set encoding to UTF-8
2024-01-18 16:05:11.170 DEBUG 32629 --- [0.0-8080-exec-8] o.s.b.w.f.OrderedRequestContextFilter    : Bound request context to thread: org.apache.catalina.connector.RequestFacade@392198fe
2024-01-18 16:05:11.170 DEBUG 32629 --- [0.0-8080-exec-8] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/css/**']
2024-01-18 16:05:11.170 DEBUG 32629 --- [0.0-8080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/installed'; against '/css/**'
2024-01-18 16:05:11.170 DEBUG 32629 --- [0.0-8080-exec-8] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/js/**']
2024-01-18 16:05:11.171 DEBUG 32629 --- [0.0-8080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/installed'; against '/js/**'
2024-01-18 16:05:11.171 DEBUG 32629 --- [0.0-8080-exec-8] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/images/**']
2024-01-18 16:05:11.171 DEBUG 32629 --- [0.0-8080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/installed'; against '/images/**'
2024-01-18 16:05:11.171 DEBUG 32629 --- [0.0-8080-exec-8] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/webjars/**']
2024-01-18 16:05:11.171 DEBUG 32629 --- [0.0-8080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/installed'; against '/webjars/**'
2024-01-18 16:05:11.171 DEBUG 32629 --- [0.0-8080-exec-8] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/**/favicon.ico']
2024-01-18 16:05:11.171 DEBUG 32629 --- [0.0-8080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/installed'; against '/**/favicon.ico'
2024-01-18 16:05:11.171 DEBUG 32629 --- [0.0-8080-exec-8] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/error']
2024-01-18 16:05:11.171 DEBUG 32629 --- [0.0-8080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/installed'; against '/error'
2024-01-18 16:05:11.171 DEBUG 32629 --- [0.0-8080-exec-8] o.s.s.web.util.matcher.OrRequestMatcher  : No matches found
2024-01-18 16:05:11.171 DEBUG 32629 --- [0.0-8080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/installed'; against '/manage/**'
2024-01-18 16:05:11.171 DEBUG 32629 --- [0.0-8080-exec-8] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/manage']
2024-01-18 16:05:11.171 DEBUG 32629 --- [0.0-8080-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/installed'; against '/manage'
2024-01-18 16:05:11.171 DEBUG 32629 --- [0.0-8080-exec-8] o.s.s.web.util.matcher.OrRequestMatcher  : No matches found
2024-01-18 16:05:11.171 DEBUG 32629 --- [0.0-8080-exec-8] o.s.security.web.FilterChainProxy        : /installed has no matching filters
2024-01-18 16:05:11.171 DEBUG 32629 --- [0.0-8080-exec-8] c.a.c.s.i.a.jwt.JwtAuthenticationFilter  : Retrieved JWT from request
2024-01-18 16:05:11.171 DEBUG 32629 --- [0.0-8080-exec-8] o.s.s.authentication.ProviderManager     : Authentication attempt using com.atlassian.connect.spring.internal.auth.jwt.JwtAuthenticationProvider
2024-01-18 16:05:11.171 DEBUG 32629 --- [0.0-8080-exec-8] c.a.c.s.i.a.j.JwtAuthenticationProvider  : Parsed JWT: {<Here is Payload of JWT Token>}

<Some Database call logs>
....

2024-01-18 16:05:11.193 DEBUG 32629 --- [0.0-8080-exec-8] c.a.c.s.i.a.j.JwtAuthenticationProvider  : Canonical request for incoming JWT: CanonicalHttpServletRequest[method=POST,relativePath=/installed,parameterMap=[]]
2024-01-18 16:05:11.194 ERROR 32629 --- [0.0-8080-exec-8] c.a.c.s.i.a.j.JwtAuthenticationProvider  : JWT signature verification failed
2024-01-18 16:05:11.194 DEBUG 32629 --- [0.0-8080-exec-8] o.s.b.a.audit.listener.AuditListener     : AuditEvent [timestamp=Thu Jan 18 16:05:11 IST 2024, principal=, type=AUTHENTICATION_FAILURE, data={type=org.springframework.security.authentication.BadCredentialsException, message=JWT signature verification failed}]
2024-01-18 16:05:11.194 DEBUG 32629 --- [0.0-8080-exec-8] .a.SimpleUrlAuthenticationFailureHandler : Forwarding to /error

Event listener code for reference

@EventListener
public void addonInstalled(AddonInstalledEvent event) {
	try {
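		// Here we want to implement the shared secret update logic for syncing the shared secret with Atlassian
	} catch (Exception e) {
		// Pass the exception itself so the stack trace is logged, not only the message
		LOGGER.error("Error handling AddonInstalledEvent", e);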
	}
}

If I understand correctly, you are using a version of Atlassian Connect Spring Boot released 6 years ago. At that time, installs were signed with the secret from the previous installation.

Today, Connect app installs are signed with an asymmetric key which apps are expected to confirm with the Connect install key server. This eliminates a lot of issues that used to occur previously, mostly loss of secret synchronization between Connect and the app.

Your version of Spring Boot was also EOLd some time ago (https://spring.io/blog/2018/07/30/spring-boot-1-x-eol-aug-1st-2019/).

Are you able to upgrade to a more recent version of Atlassian Connect Spring Boot? It will require you to move to Spring Boot 3.
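The symmetric scheme described in the answer above, as an added example that is not part of the original posts and is not Atlassian Connect Spring Boot's own code: a reinstall callback signed with HS256 using the secret from the previous installation verifies only if the app's stored secret still matches, otherwise it fails the way the log line "JWT signature verification failed" shows. The class name, method names and all secret and client key values are constructed for illustration, and claims such as `exp` and `qsh` are left out to keep the focus on the signature.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class InstallJwtSecretSync {

    // JWS HS256: HMAC-SHA256 over "header.payload", base64url without padding.
    static String sign(String signingInput, String sharedSecret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(sharedSecret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        byte[] sig = mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(sig);
    }

    static String b64(String json) {
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }

    // Host side under the older scheme: the reinstall callback is signed
    // with the secret the host holds from the previous installation.
    static String issueInstallJwt(String clientKey, String previousSecret) throws Exception {
        String input = b64("{\"alg\":\"HS256\",\"typ\":\"JWT\"}")
                + "." + b64("{\"iss\":\"" + clientKey + "\"}");
        return input + "." + sign(input, previousSecret);
    }

    // App side: recompute the signature with the secret stored in the app's
    // own database and compare in constant time.
    static boolean verify(String jwt, String storedSecret) throws Exception {
        int lastDot = jwt.lastIndexOf('.');
        if (lastDot < 0) return false; // not a compact JWS
        byte[] expected = sign(jwt.substring(0, lastDot), storedSecret)
                .getBytes(StandardCharsets.US_ASCII);
        byte[] actual = jwt.substring(lastDot + 1).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        String hostPrevious = "constructed-secret-from-previous-install"; // constructed sample
        String jwt = issueInstallJwt("constructed-client-key", hostPrevious);
        System.out.println("stored secret in sync:     " + verify(jwt, hostPrevious));
        System.out.println("stored secret out of sync: "
                + verify(jwt, "constructed-stale-or-different-secret"));
    }
}
```

With a symmetric key, the new secret in the request body can only be accepted after the old one has verified the request, so any drift between the two stores locks the app out of its own install callback.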