Unauthorized_client on Bearer token request

Hi,
I'm trying to get a Bearer token for a user, but when I send the request signed with the SharedSecret that I got in the installation handshake I get this response:

{
    "error": "unauthorized_client",
    "error_description": "The authenticated client is not authorized to use this authorization grant type"
}

So I can't understand what I'm doing wrong.

Have you been introduced to the wonderful world of query string hash?
You may want to read up on this https://developer.atlassian.com/cloud/jira/platform/understanding-jwt/#manually-creating-a-jwt

You can use this tool to validate the QSH that you have created: JWT Decoder

Yes, I know about QSH, but it looks like this request doesn't require it. Here is some source code I found in the project linked from the documentation:

 import java.nio.charset.StandardCharsets;
 import java.util.Arrays;

 // Claims for the assertion, built as a JSON string line by line. The quotes were
 // garbled to backticks when pasted; the join into one UTF-8 byte array is assumed,
 // since the fragment as pasted assigned a List<String> straight to byte[].
 byte[] payload = String.join("\n", Arrays.asList(
                "{   \"iss\": \"urn:atlassian:connect:clientid:" + clientId + "\",",
                "    \"sub\": \"urn:atlassian:connect:userkey:" + userKey + "\",",
                "    \"tnt\": \"" + instanceBaseUrl + "\",",
                "    \"aud\": \"" + AUTHORIZATION_SERVER_URL + "\",",
                "    \"iat\": " + now + ",",
                "    \"exp\": " + exp + "    }"
 )).getBytes(StandardCharsets.UTF_8);

I was practicing this request in an online tool for sending HTTP requests with the JWT token my app generates, and it was working, but now some issue has appeared (that was another app, so I could have done some things differently).

I just noticed the actual error message when scrolling through the error code. It seems to indicate that Bearer token authentication is not allowed for this endpoint. Can you share the details of which API endpoint you are trying to connect to?

I'm trying to send a POST request to "https://auth.atlassian.io/oauth2/token" with a payload like this:

grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&scope=ACT_AS_USER&assertion={MyToken}

I’m a bit confused now :slight_smile:
The token service (https://auth.atlassian.io/oauth2/token) is meant to be used during an OAuth2 / 3LO handshake process where you exchange the token you receive in the callback for an actual access token.

The SharedSecret you are referring to is part of the Atlassian Connect authentication flow, which is provided by Atlassian after installation of a Connect app in a Cloud instance. You do not need the token service for Atlassian Connect apps.

Is it correct that you are trying to get a JWT for a specific user / service account to make calls to the instance rest API for your Connect app?

Yes, I'm trying to get a token for each user to send requests to Jira as that user. Currently my app gets user data from Jira when the user clicks some links or just loads the page; with that data I find the clientAuthID and build the payload like in the code in the example:
https://bitbucket.org/atlassian/atlassian-oauth2-samples/src/master/java/OAuthTokenGetter.java

My payload is pretty similar to that (I'm using the .NET Framework):

            // Claims for the jwt-bearer assertion. The pasted line read "is"; the claim
            // name the token service looks for is "iss", as in the Java sample above.
            var payload = new Dictionary<string, object>();
            payload.Add("iss", "urn:atlassian:connect:clientid:" + customer.OauthClientId);
            payload.Add("sub", "urn:atlassian:connect:userkey:" + user.UserName);
            payload.Add("tnt", customer.BaseUrl);
            payload.Add("aud", authUrl);
            // GetIat/GetExp are the poster's own helpers, assumed to return Unix epoch
            // seconds (UTC); exp is 30 time units after now.
            payload.Add("iat", DateTime.Now.GetIat());
            payload.Add("exp", DateTime.Now.GetExp(30));

And it looks like it accepts the token I create, because when I change some property name in the payload the error message says that property was not found.

UserName is “admin” in this case.

Edit:
This is how my JWT looks (screenshot not reproduced here).

Sorry, I really need a bit more contextual information to be able to help you here. Can you please tell me:

  1. Is this an Atlassian Connect app that is installed by users in Jira?
  2. Upon installation, have you configured the post-install hook in atlassian-connect.json and stored the payload (incl. SharedSecret, instance URL and clientKey) in your database?
  3. Is the user interacting with your app (via a web item?) and/or loading a page / panel from your server? Or are you trying to access the Jira API from a background worker (no user interaction)?

If the user is interacting with your app, you will get a JWT from Jira which you can use to connect to the Jira API, or, even better, you can use AP.request() to make the request for you without having to think about authentication.

If you are trying to connect to the Jira API from a background worker and using either the app service account or impersonation, you will need to construct your own JWT using the clientKey, instance URL, SharedSecret and a proper query string hash.

Can you also tell me which API endpoint you are trying to connect to?
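The two JWTs this thread mixes up, as an added example (this is not code from the thread, from Atlassian, or from the linked sample project): the Connect JWT a background worker signs with the SharedSecret over a query string hash, as the reply above describes, together with the check an app should run on a token Jira sends it; and, separately, the jwt-bearer assertion from the original poster's payload plus the form body that goes to the token endpoint with scope ACT_AS_USER. The canonical-request rules (method, path, sorted and percent-encoded query with the jwt parameter dropped) are my reading of the linked understanding-jwt page; the client key, OAuth client id, secret, instance URL and user key are made-up sample values, and nothing here is sent over the network.

```python
"""Added example: Connect JWT (with qsh) and jwt-bearer assertion helpers.
All identifiers and secrets below are made-up sample values."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTH_SERVER = "https://auth.atlassian.io"  # token endpoint is AUTH_SERVER + /oauth2/token


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_request(method: str, url: str, context_path: str = "") -> str:
    """METHOD&path&query: the string the query string hash is taken over."""
    parts = urlsplit(url)
    path = parts.path
    if context_path and path.startswith(context_path):
        path = path[len(context_path):]
    path = path.rstrip("/") or "/"          # one leading slash, no trailing slash
    path = path.replace("&", "%26")
    params = parse_qs(parts.query, keep_blank_values=True)
    params.pop("jwt", None)                 # the token itself never enters the hash
    pairs = []
    for key in sorted(params):              # sort by name, then by value
        values = ",".join(quote(v, safe="") for v in sorted(params[key]))
        pairs.append(f"{quote(key, safe='')}={values}")
    return f"{method.upper()}&{path}&{'&'.join(pairs)}"


def query_string_hash(method: str, url: str, context_path: str = "") -> str:
    return hashlib.sha256(canonical_request(method, url, context_path).encode()).hexdigest()


def sign_hs256(claims: dict, secret: str) -> str:
    """Compact JWS, HS256, keyed with the raw SharedSecret string."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def peek_claims(token: str) -> dict:
    """Unverified decode of the claims segment (for inspection only)."""
    return json.loads(b64url_decode(token.split(".")[1]))


def create_connect_jwt(client_key, shared_secret, method, url, now=None, ttl=180):
    """App-to-Jira token for a background call: iss=clientKey, qsh over the request."""
    now = int(time.time()) if now is None else now
    claims = {"iss": client_key, "iat": now, "exp": now + ttl,
              "qsh": query_string_hash(method, url)}
    return sign_hs256(claims, shared_secret)


def verify_connect_jwt(token, shared_secret, method, url, now=None):
    """The app-side check on a token Jira sends: alg pinned to HS256, constant-time
    signature compare, expiry, and qsh recomputed for the request actually received.
    Returns the claims, or None on any failure."""
    try:
        h, c, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(c))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":        # refuse alg=none / alg confusion outright
        return None
    expected = hmac.new(shared_secret.encode(), f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_encode(expected), s):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    if claims.get("qsh") != query_string_hash(method, url):
        return None
    return claims


def create_impersonation_assertion(oauth_client_id, shared_secret, instance_base_url,
                                   user_key, now=None, ttl=60):
    """jwt-bearer assertion for the ACT_AS_USER exchange, claims as in the thread."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": f"urn:atlassian:connect:clientid:{oauth_client_id}",
        "sub": f"urn:atlassian:connect:userkey:{user_key}",
        "tnt": instance_base_url,
        "aud": AUTH_SERVER,
        "iat": now,
        "exp": now + ttl,
    }
    return sign_hs256(claims, shared_secret)


def token_request_body(assertion: str) -> str:
    """application/x-www-form-urlencoded body for POST AUTH_SERVER/oauth2/token."""
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "scope": "ACT_AS_USER",
        "assertion": assertion,
    })
```

Note the two tokens carry different issuers: the Connect JWT uses the clientKey from the installed payload and must carry a qsh, while the assertion uses the oauthClientId from that same payload and carries no qsh, which matches what the original poster observed. On the receiving side, `verify_connect_jwt` recomputes the hash from the request the app actually got rather than trusting the claim, and pins the algorithm before looking at the signature.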

Have you looked at https://developer.atlassian.com/cloud/jira/platform/understanding-jwt/

The example provided by Atlassian looks like this:

{
    "iss": "jira:1234567",
    "iat": 1300819370,
    "exp": 1300819380,
    "qsh": "8063ff4ca1e41df7bc90c8ab6d0f6207d491cf6dad7c66ea797b4614b71922e9",
    "sub": "mia",
    "context": {
        "user": {
            "accountId": "123456:1234abcd-1234-abcd-1234-1234abcd1234",
            "userKey": "mia",
            "username": "mkrystof",
            "displayName": "Mia Krystof"
        }
    }
}

I've looked through the error message and remembered that I was changing the atlassian-connect file today for some DB testing... I noticed now that I had deleted the ACT_AS_USER scope and got into a funny situation where I have an oauthClientId value in the database, but my app is not authorized.

Now I have put it back and I got my token...
