HTTP 401 when accessing some JIRA REST endpoints using JWT Bearer token

Hi,

I am using JWT Bearer tokens to access JIRA REST API in my cloud add-on: https://developer.atlassian.com/static/connect/docs/beta/concepts/OAuth2-JWT-Bearer-Token-Authentication.html

I can successfully get an access token from https://auth.atlassian.io and I can use it to access some endpoints but not others. E.g. these are working:

  • /rest/api/2/configuration
  • /rest/api/2/search

But this is not (returns HTTP 401):

  • /rest/api/2/permissions

My add-on’s permissions are:

"scopes": [
  "ADMIN",
  "ACT_AS_USER"
]

These are the claims I set for the authentication service:

return jwtTokenGenerator.generate(PluginConstants.ATLASSIAN_AUTH_SERVER_TOKEN_PATH, HttpMethod.POST, (queryHash, documentRenderingRequest) -> {
    long iat = System.currentTimeMillis() / 1000;  // issued-at, in seconds since the epoch
    return new JwtBuilder()
            .issuedAt(iat)
            .expirationTime(iat + 60L)  // short-lived assertion: valid for 60 seconds
            .issuer("urn:atlassian:connect:clientid:" + documentRenderingRequest.getOauthClientId())
            .subject("urn:atlassian:connect:userkey:" + documentRenderingRequest.getUserKey())
            .audience(PluginConstants.ATLASSIAN_AUTH_SERVER)
            .claim("tnt", config.getBaseUrl())  // tenant: base URL of the JIRA instance
            .queryHash(queryHash)  // qsh computed for POST + the token path
            .signature(config.getSharedSecret());  // signed with the add-on's shared secret
});

And the code I use to contact the authentication service:

private static final String JWT_BEARER_URN = "urn:ietf:params:oauth:grant-type:jwt-bearer";
...
HttpClient httpClient = HttpClients.createDefault();
HttpPost httpPost = new HttpPost(PluginConstants.ATLASSIAN_AUTH_SERVER + PluginConstants.ATLASSIAN_AUTH_SERVER_TOKEN_PATH);
httpPost.setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE);
// form body: grant_type=<JWT bearer URN>&assertion=<signed JWT produced by the generator above>
HttpEntity entity = new StringEntity(String.format("grant_type=%s&assertion=%s", JWT_BEARER_URN, assertionToken));
httpPost.setEntity(entity);

Am I missing something?

Thanks in advance.
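For anyone reproducing this flow outside the Java add-on, here is an added stand-alone example (not the original poster's code) that builds the same assertion JWT as the JwtBuilder call above, including the query-string hash (qsh), and the form body sent to the auth server. It assumes the token path is "/oauth2/token" (the post only names it PluginConstants.ATLASSIAN_AUTH_SERVER_TOKEN_PATH) and follows the Atlassian Connect canonical-request rules for qsh as I understand them; the client id, user key and secret are constructed sample values.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import quote, urlencode

AUTH_SERVER = "https://auth.atlassian.io"
TOKEN_PATH = "/oauth2/token"  # assumption: value of ATLASSIAN_AUTH_SERVER_TOKEN_PATH
JWT_BEARER_URN = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def canonical_request(method: str, path: str, params: dict) -> str:
    """METHOD&path&query: names sorted, values sorted and comma-joined, 'jwt' param excluded."""
    enc = lambda s: quote(str(s), safe="-._~")  # RFC 3986 unreserved chars kept, space -> %20
    path = path if path == "/" else path.rstrip("/")
    path = ("/" + path if not path.startswith("/") else path).replace("&", "%26")
    parts = []
    for name in sorted((n for n in params if n != "jwt"), key=enc):
        values = params[name] if isinstance(params[name], (list, tuple)) else [params[name]]
        parts.append(enc(name) + "=" + ",".join(sorted(enc(v) for v in values)))
    return f"{method.upper()}&{path}&{'&'.join(parts)}"

def qsh(method: str, path: str, params=None) -> str:
    return hashlib.sha256(canonical_request(method, path, params or {}).encode()).hexdigest()

def build_assertion(client_id, user_key, base_url, shared_secret, now=None) -> str:
    """Same claims as the Java JwtBuilder in the post, signed HS256 with the shared secret."""
    iat = int(time.time() if now is None else now)
    claims = {"iat": iat, "exp": iat + 60,  # 60-second lifetime, as in the post
              "iss": "urn:atlassian:connect:clientid:" + client_id,
              "sub": "urn:atlassian:connect:userkey:" + user_key,
              "aud": AUTH_SERVER, "tnt": base_url,
              "qsh": qsh("POST", TOKEN_PATH)}  # hash of the token request itself
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
    sig = hmac.new(shared_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def decode_claims(token: str, shared_secret: str):
    """Check the HS256 signature and return the claims, or None if it does not verify."""
    h, p, s = token.split(".")
    expected = hmac.new(shared_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), s):
        return None
    return json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))

def token_request_body(assertion: str) -> str:
    # application/x-www-form-urlencoded body for the POST to AUTH_SERVER + TOKEN_PATH
    return urlencode({"grant_type": JWT_BEARER_URN, "assertion": assertion})
```

Decoding your own assertion with decode_claims before sending it is a cheap way to confirm the iss/sub/tnt values and the qsh are what you expect, since a wrong qsh or tenant produces the same opaque failure as a wrong secret.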


Let’s start by eliminating a couple of possible causes:

Are you adding the Authorization header to your request to the JIRA instance?

Authorization: Bearer {your-access-token}

Can you confirm that the JIRA user on whose behalf the request is being made is a JIRA Administrator? The /rest/api/2/permissions end-point is supposed to return 403 if the user is not an administrator, but maybe it returns 401 instead.

Another thought: do you really need to use JWT Bearer token authorization grant type to access the /rest/api/2/permissions end-point? Why not use a normal JWT request?

Hi,

Yes, the header is correct (I am logging it to the console).
There is one user in my cloud developer account, “admin”. Running the code against /rest/api/2/myself returns:

{
  "self": "https://XXX.atlassian.net/rest/api/2/user?username=admin",
  "key": "admin",
  "name": "admin",
  "emailAddress": "XXX@XXX.com",
  "avatarUrls": {
    "16x16": "https://secure.gravatar.com/avatar/641c29f84f0373fa791efbe7c62e5626?d=mm&s=16",
    "24x24": "https://secure.gravatar.com/avatar/641c29f84f0373fa791efbe7c62e5626?d=mm&s=24",
    "32x32": "https://secure.gravatar.com/avatar/641c29f84f0373fa791efbe7c62e5626?d=mm&s=32",
    "48x48": "https://secure.gravatar.com/avatar/641c29f84f0373fa791efbe7c62e5626?d=mm&s=48"
  },
  "displayName": "Gábor [Administrator]",
  "active": true,
  "timeZone": "Europe/Berlin",
  "locale": "en_US",
  "groups": {
    "size": 4,
    "items": []
  },
  "applicationRoles": {
    "size": 3,
    "items": []
  },
  "expand": "groups,applicationRoles"
}

That’s a good idea. I ran some quick tests with a JWT header and token instead of a Bearer but still no success:

  1. /rest/api/2/configuration successfully returns:
    {"votingEnabled":true,"watchingEnabled":true,"unassignedIssuesAllowed":true,"subTasksEnabled":true,"issueLinkingEnabled":true,"timeTrackingEnabled":true,"attachmentsEnabled":true,"timeTrackingConfiguration":{"workingHoursPerDay":8.0,"workingDaysPerWeek":5.0,"timeFormat":"pretty","defaultUnit":"minute"}}
  2. But if I change the URL (and nothing else) to /rest/api/2/settings/columns, I get a 403 Forbidden response.

When I am logged in as admin in my browser, the exact same URL works perfectly.

Please check that the JIRA user representing your add-on has JIRA Administrator permission. For example, in our test server we have this:

…and if you click on View Users, you see that the Risk Register add-on is a member of that group:

Hi David,

Thanks for your hint! I checked and it seems to be correct, my add-on is listed there:

So I will keep investigating…

Do you get any kind of error message in the body of the response?

The body contains an HTML page, this is the relevant part:

<section class="aui-page-panel-content">
  <header class="aui-page-header">
    <div class="aui-page-header-inner">
      <div class="aui-page-header-main">
        <h1>Forbidden (403)</h1>
      </div><!-- .aui-page-header-main -->
    </div><!-- .aui-page-header-inner -->
  </header><!-- .aui-page-header -->
  <div class="aui-message aui-message-warning warning">
    <p>Encountered a <code>&quot;403 - Forbidden&quot;</code> error while loading this page.</p>
    <p><a href="/secure/MyJiraHome.jspa">Go to JIRA home</a></p>
  </div>
</section><!-- .aui-page-panel-content -->

Not sure it will solve the problem, but please try again with the following header in your request:

Accept: application/json

Same results :(

I am facing the same issue. Has this been resolved?