OAuth setup help

Issue:
Setting up OAuth on jira cloud for a specific user based on documentation online.

Reproduction steps for our current setup:
Steps 1-4 summary: under the user, we have created the OAuth app.

Step 5: We are not sure about the Callback URL (currently set to the Jira Cloud instance).

Added API = Jira platform REST API -> read:jira-work

In the documentation step called “1–direct-the-user-to-the-authorization-url-to-get-an-authorization-code”

We have set the following (the state option is unclear):

https://auth.atlassian.com/authorize?
audience=api.atlassian.com&
client_id=dXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&
scope=read:jira-work&
redirect_uri=XXXXXX-jira.atlassian.net.&
state=YOUR_USER_BOUND_VALUE&
response_type=code&
prompt=consent

note:
The user is able to log in manually via web and see data.

Expected Outcome:
Able to make successful, secure API calls (e.g. via Postman) to the Cloud instance with OAuth.

Welcome to the Atlassian developer community @MartinStrm,

The callback URL (aka the redirect_uri) is an essential part of the OAuth 2.0 authorization code flow. It cannot be your Jira instance. In a real OAuth 2.0 app, there would be a special path for accepting the authorization code and exchanging it for an authorization token. As the docs explain:

If successful, the user will be redirected to the app’s callback URL, with an authorization code provided as a query parameter called code. This code can be exchanged for an access token, as described in step 2.

When all you want to do is use Postman, then you have to make a “fake” callback URL and you will need to perform the code exchange as a manual step in Postman. You need a website that won’t strip URL parameters. I recommend using https://httpbin.org/anything. This value must be set in both the developer console and changed in your authorization request URL (what you provided as example). You will want to execute this URL in a browser, not Postman.

For your scenario, state really won’t matter. Whatever you provide will be sent back to the callback URL. A real app should confirm this value, but you can do that by eye. Personally, I like to send a generated UUID4 when using simple HTTP clients like Postman, but any string will do.

Pro-tip: For Postman, I recommend using the offline_access and read:me scopes too. The offline_access will let you use a refresh token and will save some tedious steps. And read:me is just a useful way to check the user associated with your token (it can get confusing sometimes, even if you are the only one performing the “OAuth dance”).


I am experiencing the same issue when trying to access Jira from a script, without a browser, and the final solution is still not clear.

Thank you for the suggestion of using httpbin/anything. At least I now know how to capture the code when I eventually reach the response from httpbin.

However, the problem remains: step 1 of the instructions returns JavaScript that needs to be executed in the browser. We do not have a browser, but we are trying to close the loop automatically. Here is what I received after performing a call to the “authorize?” URL with response_type=code, please see below. Where is the authentication code? I don’t see it in the HTML, and I don’t see it in the header fields. Based on your response I hoped that the final GET would be from httpbin.org and the body would include JSON with the code field.

RESPONSE 2 at 10-Aug-2022 16:18:28 - 10-Aug-2022 16:18:28 (0.011 sec)
HTTP/1.1 200 OK
Date: Wed, 10 Aug 2022 20:18:28 GMT
Content-Type: text/html; charset=utf-8
Server: globaledge-envoy
Vary: Accept-Encoding
Ot-Tracer-Spanid: 0c8bd996179a9ff3
Ot-Tracer-Traceid: 25462e9c1d3c5e96
Ot-Tracer-Sampled: true
Ot-Baggage-Auth0-Request-Id: 2028182-1660162708.805-44.199.69.122-1838-1239955730-1-0.000
Traceparent: 00-0c8bd996179a9ff3-000000000000000025462e9c1d3c5e96-01
Tracestate: auth0-request-id=2028182-1660162708.805-44.199.69.122-1838-1239955730-1-0.000
X-Auth0-Requestid: a2ce3d2d79de122727df
Set-Cookie: _csrf=u_jwXKiWDIONx4Uf1jYOPRBd; Max-Age=864000; Path=/usernamepassword/login; HttpOnly; Secure
X-Robots-Tag: noindex, nofollow
Referrer-Policy: same-origin
Cache-Control: no-store, max-age=0, no-transform
Pragma: no-cache
Etag: W/"17be-uU1NSZBfOL1kxKsvohnSUTCsxAs"
Content-Encoding: gzip
X-Envoy-Upstream-Service-Time: 197
Expect-Ct: report-uri=",,,", max-age=86400
Strict-Transport-Security: max-age=63072000; preload
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Atl-Traceid: 5b24f3cc395214ee
Report-To: {"group": "endpoint-1", "max_age": 600, "endpoints": [{"url": ",,,"}], "include_subdomains": true}
Nel: {"report_to": "endpoint-1", "max_age": 600, "include_subdomains": true, "failure_fraction": 0.001}
Transfer-Encoding: chunked

<!DOCTYPE html>
<html>
...
        <script>
            ...
        </script>
    </body>
</html>

@astarovo,

The OAuth 2.0 authorization code flow cannot be completed without a browser. The step to direct the user to the authorization URL to get an authorization code must be performed in a browser by the user whose authorization is required. The authorize endpoint is not a REST API that returns the token directly.

In the context of a script, you could send the authorization URL to the console, letting the user copy/paste it into a browser. Then your script needs to wait for a manual entry of the authorization code, perhaps another copy/paste. Then your script can proceed without additional user intervention, using REST API endpoints.

That said, if the script is for your own environment, it would be much simpler to use an API token. At this time, we (Atlassian) have not implemented alternate authorization flows for OAuth that might better fit your headless scenario.

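The headless loop described in the reply above (print the authorization URL, have the user paste back the httpbin callback URL, then exchange the code), together with the state check and code exchange from the first reply, as an added example that is not code from the thread or from Atlassian. The authorize and token endpoint URLs and the JSON body of the exchange are assumed from Atlassian's documented 3LO flow; client id and secret are placeholders.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Atlassian OAuth 2.0 (3LO) endpoints, assumed from Atlassian's docs (not quoted in the thread)
AUTHORIZE_URL = "https://auth.atlassian.com/authorize"
TOKEN_URL = "https://auth.atlassian.com/oauth/token"

def build_authorize_url(client_id, redirect_uri, scopes, state):
    """Step 1: the URL the user must open in a browser (never Postman)."""
    params = {
        "audience": "api.atlassian.com",
        "client_id": client_id,
        "scope": " ".join(scopes),
        "redirect_uri": redirect_uri,  # must equal the callback URL set in the developer console
        "state": state,
        "response_type": "code",
        "prompt": "consent",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)

def parse_callback(callback_url, expected_state):
    """Pull the code out of the URL the browser landed on (e.g. the httpbin URL). The state
    must match what we sent; a script checks this rather than doing it 'by eye'."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    if "code" not in query:
        raise ValueError("no code in callback, error=%s" % query.get("error"))
    return query["code"][0]

def token_exchange_request(client_id, client_secret, code, redirect_uri):
    """Step 2: endpoint and JSON body that exchange the code for an access token."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
    }
    return TOKEN_URL, body

if __name__ == "__main__":
    state = secrets.token_urlsafe(16)  # fresh random value per run (a UUID4 works too)
    client_id, redirect = "YOUR_CLIENT_ID", "https://httpbin.org/anything"  # placeholders
    scopes = ["read:jira-work", "offline_access", "read:me"]
    print("Open in a browser:", build_authorize_url(client_id, redirect, scopes, state))
    code = parse_callback(input("Paste the URL the browser ended on: ").strip(), state)
    url, body = token_exchange_request(client_id, "YOUR_CLIENT_SECRET", code, redirect)
    print("POST", url, "as JSON:", body)  # send it (e.g. with requests) to obtain the token
```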

@ibuchanan
Ian,
Thanks so much for a quick reply!
If I may please ask a follow-up question.
I did try to open the “authorize?response_type=code” URL in the browser, and I am receiving a “You don’t have an Atlassian Jira & User identity site” message from the Atlassian side. The message does include the correct name of my recently created app (in the Developer console). My app is currently set to Distribution=Not sharing, because this is experimental work. Is there anything else I should do to get a usable consent prompt in the browser?

@astarovo,

It’s pretty difficult to troubleshoot problems like this without your full authorization URL, username, and site URL. Because the things we need contain personally identifiable information, it might be better if you open a developer support case.
