OAuth2 app - "Something went wrong" when trying to request permissions from user

Apologies in advance for mangled URLs, but “new users can only put 2 links in a post.”

I’m trying to generate a token for an OAuth2 app on Jira. I’ve set up a server at localhost that’s going to be the Client, and I’m trying to grant myself a token. However, I never get to the part where Jira confirms that the user wants to grant permissions to the app.

When my browser hits my server, I redirect it to this URL:

If I’m not logged in, I’m asked to log in first. Either way, I get a “Something went wrong” page with no further details.

I can tell from Chrome’s network tab that it’s hitting these routes, in order:
id.atlassian dot com/oidc/oauth/authorize
auth.atlassian dot com/login
auth.atlassian dot com/login/callback
api.atlassian dot com/oauth2/authorize/consent

… and that’s where it dies and gives me the error. I really don’t have anything to work with here, or I could probably resolve the issue myself. I’ve previously done OAuth2 apps on a few other sites (including Bitbucket), so I’m pretty confident that I’m handling all the basics. However, my prior experience with Bitbucket’s API suggests that there’s probably a critical, totally-undocumented piece of “Atlassian magic” that is assumed to be there, and breaks everything when it’s missing. This could be a particular header, cookie, what-have-you. I’m almost positive that my issue is something like that, but I don’t know what it might be.

I’ve gone through the bizarre process of registering the scopes at developer.atlassian.com/apps/REDACTED/product/REDACTED/jira even though hypothetically I should be able to granularly request the scopes my app needs on a user-by-user basis, but that didn’t seem to help. Naturally, my app also has a callback URL registered that matches what I’m providing in the query string.

Does anyone have any suggestions?

For anyone finding this in the future, here are the biggest things you need to worry about:

  • OAuth2 apps are private by default. You probably thought you could just read the docs on “Implementing OAuth 2.0 (3LO)”, right? Wrong. Move on and read the docs about publishing your app even though you don’t want to yet. It explains that other accounts can’t use your app. When you try to test this with 2+ accounts, 1+ of them will inevitably fail, and the error explains absolutely nothing. You can only test with the account that owns the app until you get published.
  • OAuth2 apps must pre-specify all the scopes they might need, except for “offline_access”. If you poke around the web interface you will find a place where you can turn on products and then toggle on specific scopes. There is no way to just see the scopes and pick which ones you want, you will have to dig around to find what things correspond to which scopes you found out you need from the docs. If any scope is requested that wasn’t pre-configured in this way (other than “offline_access”), the request will fail, although the failure isn’t completely helpful this time.

In case you’re wondering, the reason you’ve never heard of the “offline_access” scope is because you only read the pages linked from the section titled “Determining the required scopes for an API operation”. Ha! If only it were that simple. “Frequently asked questions” at the very bottom of the OAuth2 docs is the only place to find out about “offline_access”. Also, it’s the only scope that uses an underscore instead of hyphens, so watch out for typos.

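The two failure modes described in the answer above (a scope that was never toggled on in the developer console, and the `offline-access` typo) are easy to catch on the client side before the browser is ever redirected. The following is an added example, not code from the original post or from Atlassian: a small Python client-side helper that validates the requested scopes against the set configured for the app, builds the authorization URL with a random `state` value, and checks the `state` and the exact redirect URI when the callback arrives. The authorize endpoint, `audience` value and parameter names follow Atlassian's public 3LO documentation as I recall it and should be treated as assumptions to verify against the current docs; `CONFIGURED_SCOPES`, the client id and the localhost redirect URI are constructed sample values.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: Atlassian's documented 3LO authorization endpoint and audience value.
# Verify against the current developer docs before relying on them.
AUTHORIZE_URL = "https://auth.atlassian.com/authorize"
AUDIENCE = "api.atlassian.com"

# Constructed example: the scopes toggled on for this app in the developer console.
# Any scope requested that is not in this set (other than offline_access) makes
# the consent step fail, as the answer above describes.
CONFIGURED_SCOPES = {"read:jira-work", "read:jira-user"}

# The one scope that needs no pre-registration, and the only one spelled with an underscore.
OFFLINE_ACCESS = "offline_access"


def check_scopes(requested, configured=CONFIGURED_SCOPES):
    """Return (ok, problems): problems lists each scope that would make the
    authorization request fail, with a reason a human can act on."""
    problems = []
    for scope in requested:
        if scope == OFFLINE_ACCESS:
            continue
        # Catch the "offline-access" typo explicitly; it looks right and is not.
        if scope.replace("-", "_") == OFFLINE_ACCESS:
            problems.append(f"{scope!r}: offline_access uses an underscore, not a hyphen")
            continue
        if scope not in configured:
            problems.append(f"{scope!r}: not pre-registered for this app in the developer console")
    return (not problems, problems)


def new_state():
    """Unguessable per-request state; the client must store it server-side
    (e.g. in the user's session) and compare it on the callback."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, scopes, state):
    """Build the redirect to the authorization server, refusing to send a
    request that the scope check says will fail."""
    ok, problems = check_scopes(scopes)
    if not ok:
        raise ValueError("; ".join(problems))
    params = {
        "audience": AUDIENCE,
        "client_id": client_id,
        "scope": " ".join(scopes),
        "redirect_uri": redirect_uri,  # must match the registered callback exactly
        "state": state,
        "response_type": "code",
        "prompt": "consent",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state, registered_redirect_uri):
    """Validate the redirect back to the client and return the authorization
    code. Rejects a callback at the wrong URI, an error response, a missing
    code, and a state mismatch (CSRF or a stale login flow)."""
    parsed = urlparse(callback_url)
    base = parsed._replace(query="", fragment="").geturl()
    if base != registered_redirect_uri:
        raise ValueError("callback did not arrive at the registered redirect URI")
    query = parse_qs(parsed.query)
    if "error" in query:
        desc = query.get("error_description", ["no description"])[0]
        raise ValueError(f"authorization server returned {query['error'][0]}: {desc}")
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or stale login flow")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


if __name__ == "__main__":
    # Constructed sample flow: a localhost client asking for one registered scope
    # plus offline_access so it also receives a refresh token.
    state = new_state()
    url = build_authorize_url(
        client_id="example-client-id",
        redirect_uri="http://localhost:8080/callback",
        scopes=["read:jira-work", OFFLINE_ACCESS],
        state=state,
    )
    print(url)
    # Simulated callback from the authorization server (constructed).
    code = parse_callback(
        f"http://localhost:8080/callback?code=sample-code&state={state}",
        state,
        "http://localhost:8080/callback",
    )
    print("authorization code:", code)
```

Because the scope check runs before the redirect, a missing console toggle or the hyphenated `offline-access` shows up as a clear local error instead of the opaque "Something went wrong" page. The `state` comparison uses `hmac.compare_digest` so the check is constant-time, and the callback is only accepted at the exact registered redirect URI, which is also what the authorization server requires.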