I am developing an Atlassian Connect add on. Upon receiving "installed" event my add on will create an issue type, and then set an avatar for it. The issue type is always created successfully, but the subsequent request for submitting the avatar returns 401 error. That request is executed fine with Basic Authentication, but Atlassian Connect add ons cannot use Basic Authentication of course. This error does not happen with local version of JIRA Cloud either. I think the reason is that the production version of JIRA Cloud uses Crowd, and the cookie called "studio.crowd.tokenkey" is only set for Basic Authentication requests.
Here is the sample cookie:
Could you confirm if this is a bug or not, and is there anyway to work around this situation? Thanks.
Community moderators have prevented the ability to post new answers.
Sorry about the delay in getting back to you, but I've managed to get it working. This particular REST endpoint is a tricky one to work with, because as you have discovered, it requires cookies to be preserved between requests. This is because it stores the temporary avatar against the current session.
However, I found that as long as you preserve the JSESSIONID cookie between the upload and the crop steps, it works. I did this by just taking the set-cookie header from the response to the upload and putting it in the cookie header for the crop. Here's a sample of my code in (ES2015) javascript (I used the atlassian-connect-express framework):
const ISSUE_TYPE_PATH = '/rest/api/2/issuetype/' const updateIssueType = co.wrap(function * (client, issueTypeId) { try { const logoData = yield fsp.readFile('marketplace/logo/logo.png') const avatarPostResult = yield client.post({ url: ISSUE_TYPE_PATH + issueTypeId + '/avatar/temporary?filename=logo.png', headers: { 'X-Atlassian-Token': 'no-check', 'Content-Type': 'image/png', 'Content-Length': logoData.length }, body: logoData }) const sessionCookie = avatarPostResult.headers['set-cookie'].filter(c => c.startsWith('JSESSIONID')).pop() const cropPostResult = yield client.post({ url: ISSUE_TYPE_PATH + issueTypeId + '/avatar', headers: { 'X-Atlassian-Token': 'no-check', 'Cookie': sessionCookie }, json: { "cropperWidth": 200, "cropperOffsetX": 50, "cropperOffsetY": 50, "url": "/secure/temporaryavatar?cropped=true", "needsCropping": true } }) yield client.put({ url: ISSUE_TYPE_PATH + issueTypeId, json: { description: 'more updated description', avatarId: cropPostResult.body.id } }) } catch (e) { console.error(e.body || e.statusCode || e) } })
I am sorry for submitting the same question on multiple places. I was a bit nervous because we need to have the add on ready before the upcoming Atlassian Summit.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
A 401 response means that either your add-on is not installed at the time of the request, the JWT was improperly constructed or that the request user lacks permissions.
NB: permissions != scopes.
Please:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thanks. Before setting the avatar, my add on has to create a new issue type. That request is always processed successfully. Besides, the whole flow (including setting the avatar) is also processed successfully with local version of JIRA Cloud. The add on has all scopes.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
But permissions != scopes, and insufficient permissions on the request user can result in a 401 response. One possibility is that the request user has permissions to create a new issue type but not to set the avatar. If you are sending this request in the browser then the request user is the browser user. If you are sending this request server-to-server then the request user is the add-on user. What do the JIRA logs show?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thanks. I added full permissions for the add on user ("addon_qspec") and still got a 401 response. I also made sure that the permission sets in JIRA Cloud and the local version of JIRA Cloud are the same. The response body is still "You are not authenticated. Authentication required to perform this operation". If it were because of permissions, I guest it should be 403. I guess one possible reason might be that JIRA Cloud uses Crowd in production, and it somehow prevents avatar API to function properly with JWT. Avatar API also uses cookie, which is different from other JIRA REST API. How can I retrieve my JIRA Cloud logs?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You will have to ask Cloud Support to help you get your JIRA Cloud logs.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
165.254.226.194 125.212.208.58 - [30/Sep/2015:15:07:00 +0700] "POST /rest/api/2/issuetype/10830/avatar/temporary?filename=icon&size=1863 HTTP/1.0" 401 77 4936 "-" "Apache-HttpClient/4.3.6 (java 1.5)" 165.254.226.194 125.212.208.58 - [30/Sep/2015:15:13:52 +0700] "POST /rest/api/2/issuetype/10830/avatar/temporary?filename=icon&size=1863 HTTP/1.0" 401 77 7409 "-" "Apache-HttpClient/4.3.6 (java 1.5)" 165.254.226.194 125.212.208.58 - [30/Sep/2015:15:14:15 +0700] "POST /rest/api/2/issuetype/10830/avatar/temporary?filename=icon&size=1863 HTTP/1.0" 401 77 8623 "-" "Apache-HttpClient/4.3.6 (java 1.5)" 165.254.226.194 125.212.208.58 - [30/Sep/2015:15:14:49 +0700] "POST /rest/api/2/issuetype/10830/avatar/temporary?filename=icon&size=1863 HTTP/1.0" 401 77 4985 "-" "Apache-HttpClient/4.3.6 (java 1.5)" That's all they got. I had tried different REST API requests, only avatar requests failed.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I can see that you also posted this question on the google group. Please follow nice etiquette and post in only one location. :) Atlassian Answers is the best place for technical questions like this.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You can see the REST API endpoints that work, with the related scopes, on the JIRA REST scopes page. Only whitelisted endpoints work via JWT authentication. Ensure you have the right scope for the HTTP action as well.
There is no way to get around this for Connect add-ons. You can create an issue via https://developer.atlassian.com/help#requests for JIRA REST API if you want additional endpoints added to the whitelist.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thanks. The endpoint I used is "/rest/api/2/issuetype/{id}/avatar". I think it should be sub-resources of "/rest/api/{version}/issuetype". In the document they stated that "Sub-resources are also available. For example, because /rest/api/2/issue is available, /rest/api/2/issue/{key}/comment is also available."
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
If the endpoint is on the whitelist, then make sure you have the right scope for the HTTP verb in question. This should require ADMIN scope.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thanks. The add on has all scopes. I included more info here https://answers.atlassian.com/questions/30943650/answers/30944509/comments/30944626.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Community moderators have prevented the ability to post new answers.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.