We're getting a lot of webhooks with expired JWT tokens

Just wanted to let you know, because we’re rejecting all webhooks with invalid JWT tokens, so our customers are getting mad at us.

This is from multiple Jiras.

Happy to provide more details in a non-public forum.

Please open a DevHelp ticket here


I have - we’re experiencing the same behaviour now… floods of requests from various Jira instances with expired JWT tokens.

Is this affecting anyone else?

We do get flooded with these as well. However, I don’t get customers complaining about those so it’s probably invisible to them.

I was working with another vendor on this problem last month. I became the bottleneck between the development team and the vendor and it didn’t get resolved. The development team was thinking this was potentially a browser issue. @jbevan and @yvesriel can you review your logs and let us know if this is coming from a common browser and share the agent header if you have it?

Thanks!


The user agent we have in our logs is: “Atlassian HttpClient unknown / JIRA-1001.0.0-SNAPSHOT (100075) / Default”.

The requests I’m referring to here are all webhooks from Jira to our add-on service - not browser requests.

Not sure that I have that level of details in our logs but will check for sure.

@rwhitbeck, we have instrumented our log file to report the user agent, and in the following 30 mins we got three “JWT::ExpiredSignature: Signature has expired” from 3 different IPs, all with the same user agent.

User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36

I’ve been seeing some expired JWT tokens too. They seem to be coming from the same Jira instances, over and over. Where did the resolution of this matter get up to? Is there a devhelp issue that I can sweat over?

Here’s a sample of what we’re seeing in our logs:

2020-02-25 01:07:12.158 risk-register-cloud risk-register-cloud:1.15.9 i-018c6a224f814d1cd              actions.AuthenticatedAction r-executor Failure during JWT verification
com.atlassian.jwt.exception.JwtExpiredException: Expired at Mon Feb 24 13:29:58 GMT 2020 and time is now Mon Feb 24 14:07:12 GMT 2020 (30 seconds leeway is allowed)
        at com.atlassian.jwt.core.reader.NimbusJwtReader.read(NimbusJwtReader.java:144)
        at com.atlassian.jwt.core.reader.NimbusJwtReader.readAndVerify(NimbusJwtReader.java:57)
        at actions.AuthenticatedAction.lambda$null$7(AuthenticatedAction.java:185)

Analysis:
2020-02-25 01:07:12.158 = local time at which log entry is made
2020-02-24 14:07:12.158 = UTC time at which log entry is made
Mon Feb 24 14:07:12 GMT 2020: the ‘now’ time in the JwtExpiredException
Mon Feb 24 13:29:58 GMT 2020: the JWT expiry time per the JwtExpiredException

So the JWT expired a little more than 30 minutes ago.
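The arithmetic in the analysis above can be automated over a whole log. The following is an added example, not code from the thread or from Atlassian: it parses the JwtExpiredException message format quoted above, mirrors the "exp + leeway" rule the message describes, and buckets failures by how far past expiry the token was. The sample log lines are constructed from the message shown in the post; the 120-second skew threshold is an assumed heuristic.

```python
import re
from datetime import datetime, timezone

# Message format as shown in the thread's JwtExpiredException line.
EXPIRED_RE = re.compile(
    r"Expired at (?P<exp>.+? GMT \d{4}) and time is now (?P<now>.+? GMT \d{4}) "
    r"\((?P<leeway>\d+) seconds leeway is allowed\)"
)
DATE_FMT = "%a %b %d %H:%M:%S GMT %Y"  # e.g. "Mon Feb 24 13:29:58 GMT 2020"

# Constructed sample: the real line from the post plus one that is only 45 s overdue.
SAMPLE_LOG = """\
2020-02-25 01:07:12.158 actions.AuthenticatedAction Failure during JWT verification
com.atlassian.jwt.exception.JwtExpiredException: Expired at Mon Feb 24 13:29:58 GMT 2020 and time is now Mon Feb 24 14:07:12 GMT 2020 (30 seconds leeway is allowed)
com.atlassian.jwt.exception.JwtExpiredException: Expired at Mon Feb 24 14:06:27 GMT 2020 and time is now Mon Feb 24 14:07:12 GMT 2020 (30 seconds leeway is allowed)
"""


def parse_jwt_expired(line):
    """Return (exp, now, leeway_seconds) from a JwtExpiredException line, or None."""
    m = EXPIRED_RE.search(line)
    if not m:
        return None
    exp = datetime.strptime(m["exp"], DATE_FMT).replace(tzinfo=timezone.utc)
    now = datetime.strptime(m["now"], DATE_FMT).replace(tzinfo=timezone.utc)
    return exp, now, int(m["leeway"])


def seconds_past_expiry(line):
    """Whole seconds between the token's exp and the verifier's 'now' (None if not an expiry line)."""
    parsed = parse_jwt_expired(line)
    if parsed is None:
        return None
    exp, now, _ = parsed
    return int((now - exp).total_seconds())


def exp_check_passes(exp_epoch, now_epoch, leeway=30):
    """The leeway rule the log describes: accept while now <= exp + leeway."""
    return now_epoch <= exp_epoch + leeway


def summarize(log_text, skew_threshold=120):
    """Bucket expired-JWT failures: seconds overdue suggests clock skew, minutes suggests a stale token."""
    buckets = {"skew": 0, "stale": 0}
    for line in log_text.splitlines():
        overdue = seconds_past_expiry(line)
        if overdue is None:
            continue
        buckets["skew" if overdue <= skew_threshold else "stale"] += 1
    return buckets
```

Run against the sample, the post's own line comes out 2234 seconds (37 min 14 s) past expiry, which is the "a little more than 30 minutes" noted above; a flood of such deltas from the same instances is worth counting per sender before deciding whether to widen leeway.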

Is this still a problem for you, @yvesriel, @jbevan?

Not as far as I can see in the last 7 days

Still getting flooded 🙁