Authorization token error on git push

I have a user reporting this error message when attempting to push to a repository hosted by Stash:

remote: You do not have an authorized access token for the remote resource.
To ssh://git@stash.zzzzzzzzzzzzz.com/xxxx/xxxx.git
 ! [remote rejected] bugfix/DEV-0000-yyyyy-yyyyyyy-yyyyyyy-yyyyyyyy -> bugfix/DEV-0000-yyyyy-yyyyyyy-yyyyyyy-yyyyyyyy (pre-receive hook declined)
error: failed to push some refs to 'ssh://git@stash.zzzzzzzzzzzzzzzzz.com/xxxx/xxxx.git'

catalina.out lists this exception:

com.atlassian.applinks.api.CredentialsRequiredException: You do not have an authorized access token for the remote resource.
        at com.atlassian.applinks.core.auth.oauth.ThreeLeggedOAuthRequestFactoryImpl.retrieveConsumerToken(ThreeLeggedOAuthRequestFactoryImpl.java:93)
        at com.atlassian.applinks.core.auth.oauth.ThreeLeggedOAuthRequestFactoryImpl.createRequest(ThreeLeggedOAuthRequestFactoryImpl.java:84)
        at com.atlassian.applinks.core.auth.ApplicationLinkRequestFactoryFactoryImpl$AbsoluteURLRequestFactory.createRequest(ApplicationLinkRequestFactoryFactoryImpl.java:201)
        at com.teslamotors.stash.logchecker.JiraIssueUtils.getIssuesFromApplicationLink(JiraIssueUtils.java:59)
        at com.teslamotors.stash.logchecker.JiraIssueUtils.getJiraQueryJson(JiraIssueUtils.java:112)
        at com.teslamotors.stash.logchecker.IssueExistenceResult.populateIssueMovesAndNonexistence(IssueExistenceResult.java:35)
        at com.teslamotors.stash.logchecker.CommitLogMessagePreReceiveHook.enforceIssueReferencesOnAllRefs(CommitLogMessagePreReceiveHook.java:118)
        at com.teslamotors.stash.logchecker.CommitLogMessagePreReceiveHook.checkRefsForRejection(CommitLogMessagePreReceiveHook.java:164)
        at com.teslamotors.stash.logchecker.CommitLogMessagePreReceiveHook.onReceive(CommitLogMessagePreReceiveHook.java:208)
        at com.atlassian.stash.internal.hook.repository.PreReceiveRepositoryHookAdapter$1.visit(PreReceiveRepositoryHookAdapter.java:39)
        at com.atlassian.stash.internal.hook.repository.PreReceiveRepositoryHookAdapter$1.visit(PreReceiveRepositoryHookAdapter.java:33)
        at com.atlassian.stash.internal.hook.repository.DefaultRepositoryHookService$8.doInTransaction(DefaultRepositoryHookService.java:415)
        at com.atlassian.stash.internal.hook.repository.DefaultRepositoryHookService$8.doInTransaction(DefaultRepositoryHookService.java:409)
        at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:131)
        at com.atlassian.stash.internal.hook.repository.DefaultRepositoryHookService.visitEnabledHooks(DefaultRepositoryHookService.java:409)
        at sun.reflect.GeneratedMethodAccessor643.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:622)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
        at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:80)
        at com.atlassian.stash.internal.aop.ProfilingAspect.profileMethod(ProfilingAspect.java:45)
        at sun.reflect.GeneratedMethodAccessor133.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:622)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
        at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:80)
        at com.atlassian.stash.internal.aop.ProfilingAspect.profileMethod(ProfilingAspect.java:45)
        at sun.reflect.GeneratedMethodAccessor133.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:622)
        at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:621)
        at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:610)
        at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:65)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
        at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:96)
        at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:260)
        at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:94)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.aop.framework.adapter.ThrowsAdviceInterceptor.invoke(ThrowsAdviceInterceptor.java:124)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
        at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:91)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
        at com.sun.proxy.$Proxy210.visitEnabledHooks(Unknown Source)
        at com.atlassian.stash.internal.hook.repository.PreReceiveRepositoryHookAdapter.onReceive(PreReceiveRepositoryHookAdapter.java:33)
        at com.atlassian.stash.internal.hook.DefaultBuiltInHookHandlerFactory$1.handle(DefaultBuiltInHookHandlerFactory.java:57)
        at com.atlassian.stash.internal.hook.DefaultHookService.doHandleRequest(DefaultHookService.java:356)
        at com.atlassian.stash.internal.hook.DefaultHookService.handleRequest(DefaultHookService.java:342)
        at com.atlassian.stash.internal.hook.DefaultHookService.handleRawRequest(DefaultHookService.java:253)
        at com.atlassian.stash.internal.hook.DefaultHookService$2$1.run(DefaultHookService.java:213)
        at com.atlassian.stash.internal.concurrent.StateTransferringExecutor$StateTransferringRunnable.run(StateTransferringExecutor.java:69)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
        at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
        at java.util.concurrent.FutureTask.run(FutureTask.java:166)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$101(ScheduledThreadPoolExecutor.java:165)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:701)

Since this appears to be related to Jira integration, I had the user remove Jira from authorized applications on his account and re-add it by clicking an issue tag in an older commit. After that, he was able to push fine.

Nothing had changed before this problem started occurring, and the user was able to push successfully before.

Is this a known issue? Is there a way to solve this problem without removing/adding the authorization?

2 answers

Hi Dustin,

You have an unsupported, third-party plugin installed, which is where that error is coming from.

https://marketplace.atlassian.com/plugins/com.teslamotors.stash.hook.jira-issue-enforcer

From the error it looks like the application link between Stash and JIRA is using 3-legged OAuth (3LO), which means that both systems are configured with different users, or at least they think they are. At that point you need to do what is called the "OAuth Dance" to form a trust between one user in Stash and the other in JIRA. This is unavoidable with 3LO; you obviously can't do that from Git and the command line.

You would have to re-configure the application links so that both systems know that they share the same set of users (and if they don't you have no choice but to stick with 3LO). This used to be called "trusted apps", which was specific to Atlassian, but in newer versions of the products we have switched to 2-legged OAuth.

https://confluence.atlassian.com/display/APPLINKS/Configuring+Authentication+for+an+Application+Link

Does that make any sense (I know it can be confusing)?

Charles

Interesting. So does this mean if I enable "Allow user impersonation through 2-Legged OAuth" then users won't have to manually set up their Stash/Jira connection, and thus this issue should go away?

If both instances share the exact same set of users, then yes.

The only reason you need 3LO is that they don't, and then the user needs to make the mapping themselves (via the dance).

Okay, I turned that setting on for both Jira and Stash. It made everyone authenticate in both apps again, so we'll see if it gets messed up with regard to git again. Thanks for the information!

This issue just came back with a different user. The exception is still the same, and the ThreeLeggedOAuthRequestFactoryImpl class seems to indicate that it is not using 2LO. I suppose the logchecker plugin may not support it. I still don't understand why the exception is being raised, when the user definitely does have an authorized access token, as he can view Jira tickets from within Stash, and Stash commits within Jira without issue.

Hi Dustin,

I've just tested this locally and createAuthenticatedRequestFactory() is returning TwoLeggedOAuthWithImpersonationRequestFactory, which is what I would expect. You might want to just double check your applinks configuration, and make sure "Enable outgoing 2-Legged OAuth requests" is really ticked.

What happens when you run the following (or inspect the REST requests in Chrome/Firefox when you're on the Application Links page):

> curl -u user:password -H "Accept: application/json" http://host:port/rest/applinks/2.0/listApplicationlinks

Mine has the following, which tells you exactly what the authenticators are (actually I never knew this endpoint listed this data until just now):

{
    "list": [
        {
            "appLinkState": "OK", 
            "application": {...},
            "configuredInboundAuthenticators": [
                "com.atlassian.applinks.api.auth.types.TwoLeggedOAuthWithImpersonationAuthenticationProvider", 
                "com.atlassian.applinks.api.auth.types.OAuthAuthenticationProvider", 
                "com.atlassian.applinks.api.auth.types.TwoLeggedOAuthAuthenticationProvider"
            ], 
            "configuredOutboundAuthenticators": [
                "com.atlassian.applinks.api.auth.types.TwoLeggedOAuthWithImpersonationAuthenticationProvider", 
                "com.atlassian.applinks.api.auth.types.OAuthAuthenticationProvider", 
                "com.atlassian.applinks.api.auth.types.TwoLeggedOAuthAuthenticationProvider"
            ], 
            ...
            "hasIncomingAuthenticationProviders": true, 
            "hasOutgoingAuthenticationProviders": true, 
            ....
        }
    ]
}

Sorry I can't be more help.

Charles
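
The authenticator check described in the answer above, as an added example that is not part of the original thread: it parses a saved listApplicationlinks response and reports which OAuth mode each application link is configured for in each direction. The sample response is constructed, and only the field names and provider class names shown in the answer are assumed.

```python
import json
import sys

PREFIX = "com.atlassian.applinks.api.auth.types."
THREE_LEGGED = PREFIX + "OAuthAuthenticationProvider"
TWO_LEGGED = PREFIX + "TwoLeggedOAuthAuthenticationProvider"
IMPERSONATION = PREFIX + "TwoLeggedOAuthWithImpersonationAuthenticationProvider"


def classify(authenticators):
    """Name the strongest non-interactive OAuth mode in a list of providers."""
    configured = set(authenticators or [])
    if IMPERSONATION in configured:
        return "2LO-impersonation"  # acts as the same-named user; needs a shared user base
    if TWO_LEGGED in configured:
        return "2LO"                # application-level trust, no per-user token
    if THREE_LEGGED in configured:
        return "3LO-only"           # every user must complete the OAuth dance first
    return "none"


def audit_applinks(payload):
    """Return one finding per application link in a listApplicationlinks response."""
    findings = []
    for index, link in enumerate(payload.get("list", [])):
        findings.append({
            "index": index,
            "state": link.get("appLinkState"),
            "outbound": classify(link.get("configuredOutboundAuthenticators")),
            "inbound": classify(link.get("configuredInboundAuthenticators")),
        })
    return findings


# Constructed sample: first link mirrors the answer's output, second is 3LO only.
SAMPLE = {"list": [
    {"appLinkState": "OK",
     "configuredInboundAuthenticators": [IMPERSONATION, THREE_LEGGED, TWO_LEGGED],
     "configuredOutboundAuthenticators": [IMPERSONATION, THREE_LEGGED, TWO_LEGGED]},
    {"appLinkState": "OK",
     "configuredInboundAuthenticators": [THREE_LEGGED],
     "configuredOutboundAuthenticators": [THREE_LEGGED]},
]}

if __name__ == "__main__":
    payload = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for finding in audit_applinks(payload):
        print(finding)
```

Pass the path of a file containing the saved curl output as the first argument to audit a real instance. The result describes the link configuration only, not which request factory a particular plugin asks for.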

Ok, so this does fix the problem, by going into JIRA's user profile to "clear all token", and then re-establishing the token again. But any idea what is causing this in the first place? Is there a need for the plug-in to synchronize its token with Stash?
