Rejected request for invalid qsh (Expecting claim 'qsh' to have value 'abc' but instead it has the value 'xyz')

We have a Connect plugin built with Spring Boot.
In it, we use the user_deleted webhook. When a user is removed from Jira, the request arrives at our AuthenticationFilter, where the QSH is validated, and we found the logs below:

2021-12-21 12:31:59.036 DEBUG 4164 --- [nio-8080-exec-7] c.a.c.s.i.a.jwt.JwtAuthenticationFilter  : Retrieved JWT from request
2021-12-21 12:31:59.037 DEBUG 4164 --- [nio-8080-exec-7] .a.AbstractConnectAuthenticationProvider : Parsed JWT: {"qsh":"f5d3b9d954967e52faf1e08b9a96a778ba5b618b60d1a3adf7c059aa9a4328dd","iss":"69e9775b-bc59-3213-8237-945b4bbeedbb","context":{},"exp":1640071014,"iat":1640070114}
2021-12-21 12:31:59.047 DEBUG 4164 --- [nio-8080-exec-7] .a.AbstractConnectAuthenticationProvider : Verified JWT for host https://mylocalcloudsite.atlassian.net (69e9775b-bc59-3213-8237-945b4bbeedbb) 
2021-12-21 12:31:59.047 DEBUG 4164 --- [nio-8080-exec-7] .a.AbstractConnectAuthenticationProvider : Canonical request for incoming JWT: [CanonicalHttpServletRequest@d5acce9 method = 'POST', relativePath = '/rest/<our_path>/latest/webhook/user/delete/557058%3A451a768c-4a2d-4f96-aad2-4427a9505b6e', parameterMap = '[lic -> (none),]']
2021-12-21 12:34:01.305  INFO 4164 --- [nio-8080-exec-7] c.a.a.c.r.f.AuthPrincipalValidatorImpl   : Rejected request for invalid qsh (Expecting claim 'qsh' to have value '85d4c17771b60a35c3521d5e6c3d1cff0ed94dbf69d05328dd1f356376ee0de3' but instead it has the value 'f5d3b9d954967e52faf1e08b9a96a778ba5b618b60d1a3adf7c059aa9a4328dd')
2021-12-21 12:34:01.305  INFO 4164 --- [nio-8080-exec-7] c.a.a.c.r.filter.AuthenticationFilter    : Rejected incoming request for controller requiring valid qsh (POST /rest/<our_path>/latest/webhook/user/delete/557058%3A451a768c-4a2d-4f96-aad2-4427a9505b6e)

atlassian-connect.json contains the following authentication entry:

"authentication": {
  "type": "jwt"
},
"apiMigrations": {
  "gdpr": true,
  "context-qsh": true,
  "signed-install": true
},

We are using Atlassian Connect Spring Boot 2.4.5 & atlassian-connect-spring-boot.version 2.2.3
The same setup works with other webhooks (user_updated, jira:issue_created, jira:issue_updated, etc.).
How can we fix this?

Thanks,
Mohan

Hi @MohanKanawade,

Just checking in on this. I haven’t had a go at reproducing it yet, but is this still an issue with ACSB 2.2.6?

Also, what do you mean by

Atlassian Connect Spring Boot 2.4.5 & atlassian-connect-spring-boot.version 2.2.3

Regards,
James.

Thanks, @jrichards, the user_deleted webhook is working on our side now. We didn’t make any changes; it worked automatically.

Regards,
Mohan.

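A small diagnostic for the kind of rejection reported in this thread, added as an example (it is not code from the posters or from Atlassian Connect Spring Boot): it builds the canonical request as Atlassian's Connect documentation describes the QSH (method, path, sorted query, SHA-256) and reports which candidate form of the path reproduces the `qsh` claim. The path, the account ID and the idea that path encoding is what differs are assumptions for illustration, not a confirmed cause of the log above.

```python
import hashlib
from urllib.parse import parse_qsl, quote

CONTEXT_QSH = "context-qsh"  # fixed claim carried by context JWTs, not bound to a URL

def enc(value):
    # RFC 3986 percent-encoding: only unreserved characters stay literal
    return quote(value, safe="-._~")

def canonical_request(method, path, query=""):
    """METHOD&path&sorted-query, following the Connect QSH documentation."""
    path = path.replace("&", "%26")          # '&' is the field separator
    if len(path) > 1:
        path = path.rstrip("/")              # no trailing slash
    path = path or "/"                       # empty path canonicalises to "/"
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key == "jwt":                     # the token itself is never hashed
            continue
        params.setdefault(enc(key), []).append(enc(value))
    pairs = (f"{k}={','.join(sorted(v))}" for k, v in sorted(params.items()))
    return f"{method.upper()}&{path}&{'&'.join(pairs)}"

def qsh(method, path, query=""):
    canonical = canonical_request(method, path, query)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def diagnose(claim, method, candidates, query=""):
    """Labels of the candidate path forms whose QSH equals the JWT's qsh claim."""
    if claim == CONTEXT_QSH:
        return [CONTEXT_QSH]
    return [label for label, path in candidates.items()
            if qsh(method, path, query) == claim]

# Constructed sample: path shape follows the log in the question, values are made up.
ENCODED = "/rest/example/latest/webhook/user/delete/123456%3Aabcd-ef01"
DECODED = "/rest/example/latest/webhook/user/delete/123456:abcd-ef01"
CANDIDATES = {"percent-encoded path": ENCODED, "decoded path": DECODED}

if __name__ == "__main__":
    # Assumption for the demo: the sender hashed the decoded form of the path.
    claim = qsh("POST", DECODED, "lic=none")
    print(canonical_request("POST", ENCODED, "lic=none"))
    print(diagnose(claim, "POST", CANDIDATES, "lic=none"))
```

Feeding it the `qsh` value from the "Parsed JWT" log line together with the method, path and query from the "Canonical request" line shows whether the sender and the receiver hashed the same string.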