We have a Connect plugin built with Spring Boot.
In it, we are using the user_deleted webhook. When a user is removed from Jira, the request comes into our AuthenticationFilter, where we validate the qsh; we then see the logs below:
2021-12-21 12:31:59.036 DEBUG 4164 --- [nio-8080-exec-7] c.a.c.s.i.a.jwt.JwtAuthenticationFilter : Retrieved JWT from request
2021-12-21 12:31:59.037 DEBUG 4164 --- [nio-8080-exec-7] .a.AbstractConnectAuthenticationProvider : Parsed JWT: {"qsh":"f5d3b9d954967e52faf1e08b9a96a778ba5b618b60d1a3adf7c059aa9a4328dd","iss":"69e9775b-bc59-3213-8237-945b4bbeedbb","context":{},"exp":1640071014,"iat":1640070114}
2021-12-21 12:31:59.047 DEBUG 4164 --- [nio-8080-exec-7] .a.AbstractConnectAuthenticationProvider : Verified JWT for host https://mylocalcloudsite.atlassian.net (69e9775b-bc59-3213-8237-945b4bbeedbb)
2021-12-21 12:31:59.047 DEBUG 4164 --- [nio-8080-exec-7] .a.AbstractConnectAuthenticationProvider : Canonical request for incoming JWT: [CanonicalHttpServletRequest@d5acce9 method = 'POST', relativePath = '/rest/<our_path>/latest/webhook/user/delete/557058%3A451a768c-4a2d-4f96-aad2-4427a9505b6e', parameterMap = '[lic -> (none),]']
2021-12-21 12:34:01.305 INFO 4164 --- [nio-8080-exec-7] c.a.a.c.r.f.AuthPrincipalValidatorImpl : Rejected request for invalid qsh (Expecting claim 'qsh' to have value '85d4c17771b60a35c3521d5e6c3d1cff0ed94dbf69d05328dd1f356376ee0de3' but instead it has the value 'f5d3b9d954967e52faf1e08b9a96a778ba5b618b60d1a3adf7c059aa9a4328dd')
2021-12-21 12:34:01.305 INFO 4164 --- [nio-8080-exec-7] c.a.a.c.r.filter.AuthenticationFilter : Rejected incoming request for controller requiring valid qsh (POST /rest/<our_path>/latest/webhook/user/delete/557058%3A451a768c-4a2d-4f96-aad2-4427a9505b6e)
Our atlassian-connect.json contains the following authentication entry:
"authentication": {
    "type": "jwt"
},
"apiMigrations": {
    "gdpr": true,
    "context-qsh": true,
    "signed-install": true
},
We are using Atlassian Connect Spring Boot 2.4.5 and atlassian-connect-spring-boot.version 2.2.3.
The same setup is working with other webhooks (user_updated, jira:issue_created, jira:issue_updated, etc.).
How can we fix this?
Thanks,
Mohan
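As an added illustration (not code from the original post or from Atlassian's libraries), the following computes the Atlassian Connect query string hash (qsh) from the canonical request the log above describes, so the candidate canonical forms of a webhook path can be compared against the value the host signed. The `example` path segment stands in for the elided `<our_path>`, and the `lic` value is a constructed assumption.

```python
import hashlib
from urllib.parse import quote, unquote

# Added example: derives the Connect qsh from a canonical request so a developer
# can see which canonical form of an incoming request the host's JWT claim matches.

def canonical_method(method: str) -> str:
    return method.upper()

def canonical_uri(path: str) -> str:
    # Leading slash required, trailing slash dropped (except for the root path),
    # and any '&' in the path written as %26 so it cannot collide with the separator.
    if not path.startswith("/"):
        path = "/" + path
    if len(path) > 1 and path.endswith("/"):
        path = path.rstrip("/") or "/"
    return path.replace("&", "%26")

def canonical_query(params: dict) -> str:
    # RFC 3986 percent-encoding (spaces as %20, not '+'), sorted by encoded name,
    # multiple values sorted and comma-joined, and the 'jwt' parameter ignored.
    parts = []
    for name in sorted(params, key=lambda n: quote(n, safe="")):
        if name == "jwt":
            continue
        values = sorted(quote(v, safe="") for v in params[name])
        parts.append(f"{quote(name, safe='')}={','.join(values)}")
    return "&".join(parts)

def canonical_request(method: str, path: str, params: dict) -> str:
    return "&".join([canonical_method(method), canonical_uri(path), canonical_query(params)])

def qsh(method: str, path: str, params: dict) -> str:
    return hashlib.sha256(canonical_request(method, path, params).encode("utf-8")).hexdigest()

# Constructed sample mirroring the webhook request in the logs; "example" replaces
# the <our_path> segment that is not on the page, and the 'lic' value is assumed.
SAMPLE_PATH = "/rest/example/latest/webhook/user/delete/557058%3A451a768c-4a2d-4f96-aad2-4427a9505b6e"
SAMPLE_PARAMS = {"lic": ["none"]}

def candidate_hashes(method: str, path: str, params: dict) -> dict:
    # A path with a percent-encoded segment has two plausible canonical forms:
    # the literal request path and its percent-decoded form. Hashing both shows
    # which one a host-supplied qsh was derived from.
    return {"literal": qsh(method, path, params),
            "decoded": qsh(method, unquote(path), params)}

if __name__ == "__main__":
    for label, digest in candidate_hashes("POST", SAMPLE_PATH, SAMPLE_PARAMS).items():
        print(f"{label:8s} {digest}")
```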