Internal Server Error when requesting an OAuth 2.0 access token via webapp

PeterHansen · August 18, 2022, 12:03pm

Hello dear community,

I am trying to implement the OAuth 2.0 dance in a (javascript) webapp and followed the official instructions, but the access token request fails due to an internal server error:

The first step with the request of an authorization code works and I am redirected back to the webapp after confirmation via the consent screen. The code query parameter is included in the URL.
If I now want to perform the second step to request an access token, the server responds with a 500 Internal Server Error with the error message:
The server could not perform this operation - please check application logs.

The request is as follows:

const data = {
    client_id: 'XXX',
    client_secret: 'XXX',
    grant_type: 'authorization_code',
    code: 'XXX',
    code_verifier: 'XXX'
};

this.http.post<JiraOAuth2Token>(
    'https://xxx.xx/rest/oauth2/latest/token', 
    data, 
    {
        headers: new HttpHeaders({
            'content-type': 'application/json',
        })
    }
);

We are using Jira 8.22.3 and I have looked in every log file I could find, but only the access_log shows the request sent.
Shouldn’t a 500 error appear in the atlassian-jira.log with more details?

RoryArmstrong · August 22, 2022, 6:49pm

Hi Peter,

this.http.post<JiraOAuth2Token>(
    'https://xxx.xx/rest/oauth2/latest/token', 
    data, 
    {
        headers: new HttpHeaders({
            'content-type': 'application/json',
        })
    }
);

I think it’s because this is sending the token request parameters as a json object rather than query parameters:
curl -X POST https://atlassian.example.com/rest/oauth2/latest/token?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&code=CODE&grant_type=authorization_code&redirect_uri=REDIRECT_URI&code_verifier=CODE_VERIFIER

So here it might need to look something like (I’m guessing this is angular http so double check on your side):

this.http.post<JiraOAuth2Token>(
    'https://xxx.xx/rest/oauth2/latest/token', 
    'client_id=XXX&client_secret=XXX&grant_type=authorization_code&code=XXX&code_verifier=XXX'
    {
        headers: new HttpHeaders({
            'content-type': 'application/x-www-form-urlencoded',
        })
    }
);

PeterHansen · August 23, 2022, 7:39am

Thank you very much, Rory,
setting the content-type to x-www-form-urlencoded does the trick.

Here is the corrected Angular code for those interested:

const body = new URLSearchParams(data);
this.http.post<JiraOAuth2Token>(
    'https://xxx.xx/rest/oauth2/latest/token', 
    body.toString(), 
    {
        headers: new HttpHeaders({
            'content-type': 'application/x-www-form-urlencoded',
        })
    }
);