Missed Team ’24? Catch up on announcements here.

×
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Cannot set avatar for issue type using REST API with JWT

Hai
Hai September 29, 2015

I am developing an Atlassian Connect add on. Upon receiving "installed" event my add on will create an issue type, and then set an avatar for it. The issue type is always created successfully, but the subsequent request for submitting the avatar returns 401 error. That request is executed fine with Basic Authentication, but Atlassian Connect add ons cannot use Basic Authentication of course. This error does not happen with local version of JIRA Cloud either. I think the reason is that the production version of JIRA Cloud uses Crowd, and the cookie called "studio.crowd.tokenkey" is only set for Basic Authentication requests.

Here is the sample cookie:

  • For request using Basic Authentication: [[version: 0][name: JSESSIONID][value: 9E7A2C1C652BD329F9ECF3B5A7486480][domain: qasymphonyqa.atlassian.net][path: /][expiry: null], [version: 0][name: atlassian.xsrf.token][value: B5Q0-VIGQ-FIJR-ZWER|a1fb4cbfea34a11e32e1d4320ee97837fb327f3d|lin][domain: qasymphonyqa.atlassian.net][path: /][expiry: null], [version: 0][name: studio.crowd.tokenkey][value: thoz0D87lh01Easv161V6A00][domain: .qasymphonyqa.atlassian.net][path: /][expiry: null]]
  • For request using JWT: [[version: 0][name: JSESSIONID][value: A2BA48F9F3F7DF83552CE69B841C92F3][domain: qasymphonyqa.atlassian.net][path: /][expiry: null], [version: 0][name: atlassian.xsrf.token][value: B5Q0-VIGQ-FIJR-ZWER|99a455ca6a1743781b8cfb13b1075b4cd69528ed|lin][domain: qasymphonyqa.atlassian.net][path: /][expiry: null]]

Could you confirm if this is a bug or not, and is there anyway to work around this situation? Thanks.

Watch
Like # people like this
2231 views

6 answers

Comments for this post are closed

Community moderators have prevented the ability to post new answers.

Post a new question

0 votes
James Hazelwood
James Hazelwood
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 6, 2015

Sorry about the delay in getting back to you, but I've managed to get it working. This particular REST endpoint is a tricky one to work with, because as you have discovered, it requires cookies to be preserved between requests. This is because it stores the temporary avatar against the current session.

However, I found that as long as you preserve the JSESSIONID cookie between the upload and the crop steps, it works. I did this by just taking the set-cookie header from the response to the upload and putting it in the cookie header for the crop. Here's a sample of my code in (ES2015) javascript (I used the atlassian-connect-express framework):

 

const ISSUE_TYPE_PATH = '/rest/api/2/issuetype/'
const updateIssueType = co.wrap(function * (client, issueTypeId) {
  try {
    const logoData = yield fsp.readFile('marketplace/logo/logo.png')
    const avatarPostResult = yield client.post({
      url: ISSUE_TYPE_PATH + issueTypeId + '/avatar/temporary?filename=logo.png',
      headers: {
        'X-Atlassian-Token': 'no-check',
        'Content-Type': 'image/png',
        'Content-Length': logoData.length
      },
      body: logoData
    })
    const sessionCookie = avatarPostResult.headers['set-cookie'].filter(c => c.startsWith('JSESSIONID')).pop()
    const cropPostResult = yield client.post({
      url: ISSUE_TYPE_PATH + issueTypeId + '/avatar',
      headers: {
        'X-Atlassian-Token': 'no-check',
        'Cookie': sessionCookie
      },
      json: {
        "cropperWidth": 200,
        "cropperOffsetX": 50,
        "cropperOffsetY": 50,
        "url": "/secure/temporaryavatar?cropped=true",
        "needsCropping": true
      }
    })
    yield client.put({
      url: ISSUE_TYPE_PATH + issueTypeId,
      json: {
        description: 'more updated description',
        avatarId: cropPostResult.body.id
      }
    })
  } catch (e) {
    console.error(e.body || e.statusCode || e)
  }
})
Reply
0 votes
peterb
peterb
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 29, 2015

No worries. :)

Reply
0 votes
Hai
Hai September 29, 2015

I am sorry for submitting the same question on multiple places. I was a bit nervous because we need to have the add on ready before the upcoming Atlassian Summit.

Reply
0 votes
peterb
peterb
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 29, 2015

A 401 response means that either your add-on is not installed at the time of the request, the JWT was improperly constructed or that the request user lacks permissions.

NB: permissions != scopes.

Please:

  • Ensure that your add-on is installed.
  • Validate your tokens using https://jwt-decoder.herokuapp.com/jwt/decode .
  • Verify that your add-on can successfully request a resource that requires no permissions (e.g. '/rest/atlassian-connect/1/addons/YOUR-ADD-ON-KEY/properties/PROPERTY-NAME').
  • When all those work then try your original request again. 
    • If you get a 403 response then apply Travis' answer.
    • Otherwise, look at the JIRA logs. If the cause is still unclear then reply here and we will debug further.
View More Comments
Hai Minh Nguyen
Hai Minh Nguyen
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
September 29, 2015

Thanks. Before setting the avatar, my add on has to create a new issue type. That request is always processed successfully. Besides, the whole flow (including setting the avatar) is also processed successfully with local version of JIRA Cloud. The add on has all scopes.

Like
peterb
peterb
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 29, 2015

But permissions != scopes, and insufficient permissions on the request user can result in a 401 response. One possibility is that the request user has permissions to create a new issue type but not to set the avatar. If you are sending this request in the browser then the request user is the browser user. If you are sending this request server-to-server then the request user is the add-on user. What do the JIRA logs show?

Like
Hai Minh Nguyen5
Hai Minh Nguyen
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
September 29, 2015

Thanks. I added full permissions for the add on user ("addon_qspec") and still got a 401 response. I also made sure that the permission sets in JIRA Cloud and the local version of JIRA Cloud are the same. The response body is still "You are not authenticated. Authentication required to perform this operation". If it were because of permissions, I guest it should be 403. I guess one possible reason might be that JIRA Cloud uses Crowd in production, and it somehow prevents avatar API to function properly with JWT. Avatar API also uses cookie, which is different from other JIRA REST API. How can I retrieve my JIRA Cloud logs?

Like
peterb
peterb
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 29, 2015

You will have to ask Cloud Support to help you get your JIRA Cloud logs.

Like
Hai
Hai September 30, 2015

165.254.226.194 125.212.208.58 - [30/Sep/2015:15:07:00 +0700] "POST /rest/api/2/issuetype/10830/avatar/temporary?filename=icon&size=1863 HTTP/1.0" 401 77 4936 "-" "Apache-HttpClient/4.3.6 (java 1.5)" 165.254.226.194 125.212.208.58 - [30/Sep/2015:15:13:52 +0700] "POST /rest/api/2/issuetype/10830/avatar/temporary?filename=icon&size=1863 HTTP/1.0" 401 77 7409 "-" "Apache-HttpClient/4.3.6 (java 1.5)" 165.254.226.194 125.212.208.58 - [30/Sep/2015:15:14:15 +0700] "POST /rest/api/2/issuetype/10830/avatar/temporary?filename=icon&size=1863 HTTP/1.0" 401 77 8623 "-" "Apache-HttpClient/4.3.6 (java 1.5)" 165.254.226.194 125.212.208.58 - [30/Sep/2015:15:14:49 +0700] "POST /rest/api/2/issuetype/10830/avatar/temporary?filename=icon&size=1863 HTTP/1.0" 401 77 4985 "-" "Apache-HttpClient/4.3.6 (java 1.5)" That's all they got. I had tried different REST API requests, only avatar requests failed.

Like
Reply
0 votes
peterb
peterb
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 29, 2015

I can see that you also posted this question on the google group. Please follow nice etiquette and post in only one location. :) Atlassian Answers is the best place for technical questions like this.

Reply
0 votes
Travis Smith
Travis Smith
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
September 29, 2015

You can see the REST API endpoints that work, with the related scopes, on the JIRA REST scopes page. Only whitelisted endpoints work via JWT authentication. Ensure you have the right scope for the HTTP action as well. 

There is no way to get around this for Connect add-ons. You can create an issue via https://developer.atlassian.com/help#requests for JIRA REST API if you want additional endpoints added to the whitelist.

View More Comments
Hai Minh Nguyen
Hai Minh Nguyen
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
September 29, 2015

Thanks. The endpoint I used is "/rest/api/2/issuetype/{id}/avatar". I think it should be sub-resources of "/rest/api/{version}/issuetype". In the document they stated that "Sub-resources are also available. For example, because /rest/api/2/issue is available, /rest/api/2/issue/{key}/comment is also available."

Like
Travis Smith
Travis Smith
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
September 29, 2015

If the endpoint is on the whitelist, then make sure you have the right scope for the HTTP verb in question. This should require ADMIN scope.

Like
Hai Minh Nguyen2
Hai Minh Nguyen
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
September 29, 2015

Thanks. The add on has all scopes. I included more info here https://answers.atlassian.com/questions/30943650/answers/30944509/comments/30944626.

Like
Reply

Comments for this post are closed

Community moderators have prevented the ability to post new answers.

Post a new question

Atlassian logo
Answers Developer Questions
TAGS
AUG Leaders

Atlassian Community Events

    See all events