
Jira REST cookie authentication no data returned

Nick August 21, 2016

Hi,

Hoping someone can help with issues I'm having with implementing cookie based authentication for an Outlook based JIRA plugin.

I have followed the API documentation for requesting a session on rest/auth/1/session and adding the JSESSIONID to the headers on future requests.

Here is an example of the session response headers:

Date: Mon, 22 Aug 2016 08:32:01 GMT
Server: Apache-Coyote/1.1
X-Arequestid: 572x13161x1
X-Asen: SEN-2027541
X-Seraph-Loginreason: OUT; OK; OK
X-Asessionid: tf83eh
X-Ausername: myuser
Cache-Control: no-cache, no-store, no-transform
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Set-Cookie: JSESSIONID=854B63DCr3212A5redFC0fgj6CA419E23454552; Path=/; Secure; HttpOnly;
crowd.token_key=""; Domain=mydomain.local; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly;
crowd.token_key=PTNwsdsfKgwspbmeufUOjbgK4Qwsh9v0; Domain=mydomain.local; Path=/; HttpOnly;
atlassian.xsrf.token=GUID-OFSO-MESO-RT00|233476b9543e6456exzv554074663077326d4b6415cdf880b|lin; Path=/; Secure;
crowd.token_key=""; Domain=mydomain.local; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
Transfer-Encoding: chunked

 

When I add just JSESSIONID, I get authenticated (200: OK) responses but no JIRA data, for example from rest/api/2/issue/createmeta I get the below empty response:

{
"expand": "projects"
"projects": 
[0]
}

I can see in the response headers, the session has flipped to the anonymous user: X-Ausername: anonymous .

 

In our shop we have JIRA integrated with crowd for SSO, which I believe is coming into play here, and from reading around the internet there is mention of setting the other cookies.

So from the initial session response, the Set-Cookie header has the below cookies:

  • JSESSIONID
  • atlassian.xsrf.token
  • crowd.token_key

with which I have tried (unsuccessfully)

  • adding the entire Set-Cookie string in my requests
  • trial and erroring with different combinations of the cookies returned in Set-Cookie
  • tried setting the X-Froms

 

If it's any help, these are the headers I get when explicitly setting the Cookie exactly as per Set-Cookie:

 
Date: Mon, 22 Aug 2016 08:54:42 GMT
Server: Apache-Coyote/1.1
X-Arequestid: 594x14083x1
X-Asessionid: 1elomil
X-Asen: SEN-2027541
X-Ausername: anonymous
Cache-Control: no-cache, no-store, no-transform
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Set-Cookie: atlassian.xsrf.token=fhjf-9328-gjhs-jhsf|2341212b5sdgv5c6dgsds06468094c|lout; Path=/; Secure
Transfer-Encoding: chunked

 

The only thing that I have been able to do to get this working is to copy the three cookies directly out of my Chrome debug window into a format thus: "JSESSIONID=<guid>; atlassian.xsrf.token=<guid>; crowd.token_key= <guid>". This doesn't work when I do the same thing with the returned cookies from the session request though.

 

I have been testing this both with the application itself which is C# using the base .Net httpClient class, but I am also using the chrome plugin ARC, which allows me to carve the REST requests out by hand and see all headers and responses.

 

So I guess my questions are:

  • how do I authenticate with Cookies if JIRA is hooked up to Crowd? (or rather, is that what's going wrong here?)
  • Can I just leverage Crowd SSO from my application? if so, how do I get the user's token?
  • If I have an app and a web browser looking for JIRA sessions, how do I stop them de-authing each other?

 

Many thanks in advance
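An added example, not part of the original post: how a client that follows RFC 6265 would turn a sequence of Set-Cookie values like the one above into a Cookie request header. It assumes each listed line is a separate Set-Cookie header applied in order, handles Expires only (no Max-Age or domain matching), and uses placeholder cookie values and hypothetical function names. With this input the final expiring directive removes crowd.token_key, so only two cookies remain.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the response in the post; values are placeholders.
SET_COOKIE_LINES = [
    'JSESSIONID=AAAA1111; Path=/; Secure; HttpOnly',
    'crowd.token_key=""; Domain=mydomain.local; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly',
    'crowd.token_key=BBBB2222; Domain=mydomain.local; Path=/; HttpOnly',
    'atlassian.xsrf.token=CCCC3333|lin; Path=/; Secure',
    'crowd.token_key=""; Domain=mydomain.local; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly',
]

def parse_set_cookie(line):
    """Split one Set-Cookie value into (name, value, attributes)."""
    pair, *rest = [part.strip() for part in line.split(";")]
    name, _, value = pair.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def is_expired(attrs, now):
    """True when an Expires attribute lies in the past (Max-Age is not handled)."""
    if "expires" not in attrs:
        return False
    try:
        when = parsedate_to_datetime(attrs["expires"])
    except (TypeError, ValueError):
        return False  # unparseable date: treat as a session cookie
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= now

def build_cookie_header(set_cookie_lines, now=None):
    """Apply Set-Cookie values in order; return the Cookie request header value."""
    now = now or datetime.now(timezone.utc)
    jar = {}  # keyed by (name, domain, path), the identity RFC 6265 uses
    for line in set_cookie_lines:
        name, value, attrs = parse_set_cookie(line)
        key = (name, attrs.get("domain", ""), attrs.get("path", "/"))
        if is_expired(attrs, now):
            jar.pop(key, None)  # an expiry in the past deletes the stored cookie
        else:
            jar[key] = value
    # Only name=value pairs are sent back; Path, Secure, HttpOnly never are.
    return "; ".join(f"{key[0]}={value}" for key, value in jar.items())
```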

10 answers

0 votes
Rui Rodrigues
February 24, 2017

Hi guys,

I've the same problem. Is there a solution for this?

Cheers,

Rui Rodrigues

0 votes
Sebastian Luca January 17, 2017

I believe not. Try logging into JIRA from your browser and then from a private session (or different browser). You will see that both logins have the same JSESSIONID.

0 votes
Nick January 17, 2017

This is part of my question, if you have an app using the post /login on behalf of the user, then the user wants to browse JIRA in their browser simultaneously, I think constant re-auth/cookie kung fu is going to come into play.

0 votes
Sebastian Luca January 17, 2017

That actually works, but I don't think it is the best approach.

Still it isn't a good solution for me. I have a JIRA installation with 2-factor authentication, so if I cannot use the Cookie-Based Auth, I cannot do anything.

0 votes
Kaloyan Tsvetkov January 17, 2017

As a hack I am considering just doing a request to the real web login URL (e.g. "POST /login") since it does set the same set of cookies.

 

0 votes
Sebastian Luca January 17, 2017

I am experiencing the same issue. Even though I pass the correct Cookie, it sees me as anonymous and doesn't allow me to retrieve any data.

0 votes
Nick January 17, 2017

No, nothing yet unfortunately, have sidelined for the moment. Also tried scraping the cookies from Chrome, but the crowd.token_key is in memory so couldn't get to it.

0 votes
Kaloyan Tsvetkov January 17, 2017

I am having the same issue, any progress made on this?

0 votes
Nick August 22, 2016

Hi Peter,

I'm only sending the cookie and content-type headers:

 
content-type: application/json
cookie: JSESSIONID=CD3BAB878B06bc7Ey63687683sdD7; Path=/; Secure; HttpOnly;
crowd.token_key=""; Domain=mydomain.local; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly;
crowd.token_key=9nve09bY7696xt8hf90; Domain=mydomain.local; Path=/; HttpOnly;
atlassian.xsrf.token=ghjk-qwer-8976-vzzc|4dc06523275d1375b07232125f93c2478n26c|lin; Path=/; Secure;
crowd.token_key=""; Domain=mydomain.local; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly

 

I've also tried sending with X-Atlassian-Token: no-check but haven't noticed any difference on the responses

0 votes
Petar Petrov (Appfire)
August 21, 2016

Can you also post the headers which are sent with the request where you pass the cookies?
