How to fetch users present in Auth Policy?

Balachandra Bhat November 21, 2024

I was able to follow the below API to add users to the SSO authentication policy from the normal default local policy - Applies to All users.

Cookbook for authentication policy

Is there any API URL to get the list of users present in the SSO authentication policy and the normal default local policy - Applies to All users?

1 answer

2 votes
Darryl Lee
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
November 21, 2024

Oh hi @Balachandra Bhat !

So ... certain people might not like it but... there's an unofficial, undocumented API for this (meaning that YOU SHOULD NOT use this for any production automations, but for one-off admin type of tasks, it's probably fine).

https://admin.atlassian.com/gateway/api/admin/private/org/{ORGANIZATION_ID}/auth-policy/{AUTHENTICATION_POLICY_ID}/users?first=100&offset=0

So the default number displayed in the UI was 20 (the first parameter), and I wasn't able to bump that up higher than 100. Anywho, I was able to keep bumping the offset up by 100 to get the next page of results. This endpoint returns a handy "totalUsers" value as well as a "hasNextPage" so you know when to stop.

How can you find {ORGANIZATION_ID} and {AUTHENTICATION_POLICY_ID}?

Welp, if you click into one of your Policies, it should be right there in the URL:

https://admin.atlassian.com/o/{ORGANIZATION_ID}/authentication-policies/policy/{AUTHENTICATION_POLICY_ID}

Have fun!
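
The paging described in this answer (first capped at 100, offset stepped by 100, stop on hasNextPage), as an added example that is not part of the original post. The HTTP call is injected as `fetch_page` so the logic runs offline; the `users` list key and the top-level position of `hasNextPage` and `totalUsers` are assumptions, since the thread does not show a response body.

```python
from typing import Callable, Dict, List

PAGE_SIZE = 100  # the answer reports that "first" could not be raised above 100


def list_policy_users(fetch_page: Callable[[int, int], Dict],
                      items_key: str = "users",  # ASSUMED name of the list field
                      max_pages: int = 1000) -> List[dict]:
    """Collect every user by stepping offset in PAGE_SIZE increments.

    fetch_page(first, offset) must return the decoded JSON body of one page.
    "hasNextPage" and "totalUsers" are named in the answer; reading them from
    the top level of the body is an assumption.
    """
    users: List[dict] = []
    offset = 0
    for _ in range(max_pages):  # hard stop if hasNextPage never clears
        page = fetch_page(PAGE_SIZE, offset)
        batch = page.get(items_key, [])
        users.extend(batch)
        if not page.get("hasNextPage") or not batch:
            # Cross-check against the server's own count before trusting the list.
            total = page.get("totalUsers")
            if total is not None and total != len(users):
                raise RuntimeError(f"expected {total} users, collected {len(users)}")
            return users
        offset += PAGE_SIZE
    raise RuntimeError("page limit reached before hasNextPage became false")


def fake_fetch_factory(total: int) -> Callable[[int, int], Dict]:
    """Constructed stand-in for the endpoint: serves `total` made-up users."""
    def fetch(first: int, offset: int) -> Dict:
        first = min(first, PAGE_SIZE)
        ids = range(offset, min(offset + first, total))
        return {
            "users": [{"id": f"constructed-{i}"} for i in ids],
            "totalUsers": total,
            "hasNextPage": offset + first < total,
        }
    return fetch


if __name__ == "__main__":
    print(len(list_policy_users(fake_fetch_factory(250))))
```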

Balachandra Bhat November 22, 2024

@Darryl Lee Thanks for sharing the endpoint URL. Could you please provide more information, like the operation type: GET, POST or PATCH call? What should the auth type be?

I did a GET call and used the Bearer token which I was using for adding users to the SSO auth policy, and I got an Unauthorized error with a response code of 401.

Darryl Lee
Community Leader
November 22, 2024

Oh man, that is a great question @Balachandra Bhat and I was absolutely negligent in providing that info.

I was hitting that URL from my browser session.

So unfortunately like other unofficial (and "private") APIs, this one doesn't appear to have an external authentication method like Bearer or Basic (token). 

(I tried my personal token, for an account which has Org Admin rights, and it also failed with a 401.)

SO THEN, what does work?

One of the nastiest hackiest things you can do! Session Cookies.

I went through all the cookies my browser was sending, and isolated the one cookie that was actually required: feeding the cloud.session.token to curl worked, like so:

curl 'https://admin.atlassian.com/gateway/api/admin/private/org/{ORGANIZATION_ID}/auth-policy/{AUTHENTICATION_POLICY_ID}/users?first=100&offset=0' -H 'cookie: cloud.session.token=YOURCLOUDSESSIONTOKENFROMYOURBROWSER'

Like I should have said from the beginning. THIS IS A HACK. (And so am I.) :-}

Darryl Lee
Community Leader
November 22, 2024

You might be wondering how long that session token will last. According to the one I generated today, about one month:

admin.atlassian.com FALSE   /   TRUE    1734888282  cloud.session.token MYCLOUDSESSIONTOKEN

That's Sun Dec 22 09:24:42 PST 2024.

I have not tried to programmatically generate a cloud.session.token.

People have asked about this before, and well, I'm 100% with @federico on this:

The REST APIs are very incomplete for people using JIRA and BITBUCKET. All is supposedly connected together, yet those APIs do not provide any meaningful way to play with the fact that we use JIRA and BITBUCKET.

There are countless threads about it, but it is still gathering interest and being answered by "please use internal API but we don't support it".

This is not a viable solution, but it is recommended so much that at some point I am wondering...

...

So yes, I should not do it, but there is no alternative and the Atlassian team tells us to use it while not recommending it for so basic a feature as "get jira issue from bitbucket PR" or "get PR from Jira Issue".

So yes, your answer is correct and simple. But then I am open to other suggestions than using this internal API.

Harrison Ponce
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
November 22, 2024

Darryl Lee
Community Leader
November 22, 2024

@Harrison Ponce I literally LOLed. YUP. It's AWFUL. 

If you have a script or something you ABSOLUTELY should only be storing and running it from YOUR LAPTOP.
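
An added example, not code from the thread: it reads a Netscape-format cookie jar like the line quoted earlier, reports when cloud.session.token expires and whether the file is accessible to other local users, and never echoes the token value. The function names and the sample jar are constructed here.

```python
import os
import stat
import tempfile
from datetime import datetime, timezone
from typing import Optional

COOKIE_NAME = "cloud.session.token"
# Constructed sample: the jar line quoted in the thread, tab-separated as curl writes it.
SAMPLE_JAR = ("# Netscape HTTP Cookie File\n"
              "admin.atlassian.com\tFALSE\t/\tTRUE\t1734888282\t"
              "cloud.session.token\tMYCLOUDSESSIONTOKEN\n")


def audit_cookie_jar(path: str, now: Optional[datetime] = None) -> dict:
    """Report expiry and file exposure for the session cookie, never its value."""
    now = now or datetime.now(timezone.utc)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    report = {"found": False, "group_or_world_access": bool(mode & 0o077)}
    with open(path, encoding="utf-8") as jar:
        for line in jar:
            # curl marks HttpOnly cookies with this prefix; other "#" lines are comments.
            if line.startswith("#HttpOnly_"):
                line = line[len("#HttpOnly_"):]
            elif line.startswith("#") or not line.strip():
                continue
            # Fields: domain, subdomain flag, path, secure flag, expiry, name, value
            fields = line.rstrip("\n").split("\t")
            if len(fields) != 7 or fields[5] != COOKIE_NAME:
                continue
            expiry = datetime.fromtimestamp(int(fields[4]), tz=timezone.utc)
            report.update(found=True, domain=fields[0],
                          secure_only=fields[3] == "TRUE",
                          expires_utc=expiry.isoformat(),
                          days_left=(expiry - now).days,
                          expired=expiry <= now)
    return report


def write_sample_jar() -> str:
    """Write SAMPLE_JAR to a temp file; mkstemp creates it owner-only (0600)."""
    fd, path = tempfile.mkstemp(suffix=".cookies.txt")
    with os.fdopen(fd, "w", encoding="utf-8") as jar:
        jar.write(SAMPLE_JAR)
    return path


if __name__ == "__main__":
    jar_path = write_sample_jar()
    print(audit_cookie_jar(jar_path))
    os.remove(jar_path)
```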
