Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Authorization token error on git push

Deleted user January 27, 2014

I have a user reporting this error message when attempting to push to a repository hosted by stash:

remote: You do not have an authorized access token for the remote resource.
To ssh://git@stash.zzzzzzzzzzzzz.com/xxxx/xxxx.git
 ! [remote rejected] bugfix/DEV-0000-yyyyy-yyyyyyy-yyyyyyy-yyyyyyyy -> bugfix/DEV-0000-yyyyy-yyyyyyy-yyyyyyy-yyyyyyyy (pre-receive hook declined)
error: failed to push some refs to 'ssh://git@stash.zzzzzzzzzzzzzzzzz.com/xxxx/xxxx.git'

catalina.out lists this exception:

com.atlassian.applinks.api.CredentialsRequiredException: You do not have an authorized access token for the remote resource.
        at com.atlassian.applinks.core.auth.oauth.ThreeLeggedOAuthRequestFactoryImpl.retrieveConsumerToken(ThreeLeggedOAuthRequestFactoryImpl.java:93)
        at com.atlassian.applinks.core.auth.oauth.ThreeLeggedOAuthRequestFactoryImpl.createRequest(ThreeLeggedOAuthRequestFactoryImpl.java:84)
        at com.atlassian.applinks.core.auth.ApplicationLinkRequestFactoryFactoryImpl$AbsoluteURLRequestFactory.createRequest(ApplicationLinkRequestFactoryFactoryImpl.java:201)
        at com.teslamotors.stash.logchecker.JiraIssueUtils.getIssuesFromApplicationLink(JiraIssueUtils.java:59)
        at com.teslamotors.stash.logchecker.JiraIssueUtils.getJiraQueryJson(JiraIssueUtils.java:112)
        at com.teslamotors.stash.logchecker.IssueExistenceResult.populateIssueMovesAndNonexistence(IssueExistenceResult.java:35)
        at com.teslamotors.stash.logchecker.CommitLogMessagePreReceiveHook.enforceIssueReferencesOnAllRefs(CommitLogMessagePreReceiveHook.java:118)
        at com.teslamotors.stash.logchecker.CommitLogMessagePreReceiveHook.checkRefsForRejection(CommitLogMessagePreReceiveHook.java:164)
        at com.teslamotors.stash.logchecker.CommitLogMessagePreReceiveHook.onReceive(CommitLogMessagePreReceiveHook.java:208)
        at com.atlassian.stash.internal.hook.repository.PreReceiveRepositoryHookAdapter$1.visit(PreReceiveRepositoryHookAdapter.java:39)
        at com.atlassian.stash.internal.hook.repository.PreReceiveRepositoryHookAdapter$1.visit(PreReceiveRepositoryHookAdapter.java:33)
        at com.atlassian.stash.internal.hook.repository.DefaultRepositoryHookService$8.doInTransaction(DefaultRepositoryHookService.java:415)
        at com.atlassian.stash.internal.hook.repository.DefaultRepositoryHookService$8.doInTransaction(DefaultRepositoryHookService.java:409)
        at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:131)
        at com.atlassian.stash.internal.hook.repository.DefaultRepositoryHookService.visitEnabledHooks(DefaultRepositoryHookService.java:409)
        at sun.reflect.GeneratedMethodAccessor643.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:622)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
        at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:80)
        at com.atlassian.stash.internal.aop.ProfilingAspect.profileMethod(ProfilingAspect.java:45)
        at sun.reflect.GeneratedMethodAccessor133.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:622)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
        at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:80)
        at com.atlassian.stash.internal.aop.ProfilingAspect.profileMethod(ProfilingAspect.java:45)
        at sun.reflect.GeneratedMethodAccessor133.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:622)
        at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:621)
        at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:610)
        at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:65)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
        at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:96)
        at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:260)
        at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:94)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.aop.framework.adapter.ThrowsAdviceInterceptor.invoke(ThrowsAdviceInterceptor.java:124)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
        at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:91)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
        at com.sun.proxy.$Proxy210.visitEnabledHooks(Unknown Source)
        at com.atlassian.stash.internal.hook.repository.PreReceiveRepositoryHookAdapter.onReceive(PreReceiveRepositoryHookAdapter.java:33)
        at com.atlassian.stash.internal.hook.DefaultBuiltInHookHandlerFactory$1.handle(DefaultBuiltInHookHandlerFactory.java:57)
        at com.atlassian.stash.internal.hook.DefaultHookService.doHandleRequest(DefaultHookService.java:356)
        at com.atlassian.stash.internal.hook.DefaultHookService.handleRequest(DefaultHookService.java:342)
        at com.atlassian.stash.internal.hook.DefaultHookService.handleRawRequest(DefaultHookService.java:253)
        at com.atlassian.stash.internal.hook.DefaultHookService$2$1.run(DefaultHookService.java:213)
        at com.atlassian.stash.internal.concurrent.StateTransferringExecutor$StateTransferringRunnable.run(StateTransferringExecutor.java:69)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
        at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
        at java.util.concurrent.FutureTask.run(FutureTask.java:166)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$101(ScheduledThreadPoolExecutor.java:165)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:701)

Since this appears to be related to Jira integration, I had the user remove Jira from authorized applications on his account and re-add it by clicking an issue tag in an older commit. After that, he was able to push fine.

Nothing had changed before this problem started occuring, and the user was able to push successfully before.

Is this a known issue? Is there a way to solve this problem without removing/adding the authorization?

Answer
Watch
Like Be the first to like this
1850 views

2 answers

0 votes
Terry Leung
Terry Leung July 31, 2014

Ok, so this does fix the problem, by going into JIRA's user profile to "clear all token", and the re-establishing the token again. But any idea what is causing this in the first place? Is the a need of the plug-in to synchronize its token with Stash?

Reply
0 votes
cofarrell
cofarrell
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
January 28, 2014

Hi Dustin,

You have an unsupported, third-party plugin installed, which is where that error is coming from.

https://marketplace.atlassian.com/plugins/com.teslamotors.stash.hook.jira-issue-enforcer

From the error it looks like the application link between Stash and JIRA is using 3-legged oauth (3LO), which means that both systems are configured with different users, or at least they think they are. At that point you need to do what is called the "OAuth Dance" to form a trust between one user in Stash and the other in JIRA. This is unavoidable with 3LO, you obviously can't do that from Git and the command line.

You would have to re-configure the application links so that both systems know that they share the same set of users (and if they don't you have no choice but to stick with 3LO). This used to be called "trusted apps", which was specific to Atlassian, but in newer versions of the products we have switched to 2-legged OAuth.

https://confluence.atlassian.com/display/APPLINKS/Configuring+Authentication+for+an+Application+Link

Does that make any sense (I know it can be confusing)?

Charles

View More Comments
Deleted user January 28, 2014

Interesting. So does this mean if I enable "Allow user impersonation through 2-Legged OAuth" then users won't have to manually set up their Stash/Jira connection, and thus this issue should go away?

Like
cofarrell
cofarrell
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
January 28, 2014

If both instances share the exact same set of users, then yes.

The only reason you need 3LO is they don't and then the user needs to make the mapping themselves (via the dance).

Like
Deleted user January 29, 2014

Okay, I turned that setting on for both Jira and Stash. It made everyone authenticate in both apps again, so we'll see if it gets messed up with regard to git again. Thanks for the information!

Like
Deleted user February 6, 2014

This issue just came back with a different user. The exception is still the same, and the ThreeLeggedOAuthRequestFactoryImpl class seems to indicate that it is not using 2LO. I suppose the logchecker plugin may not support it. I still don't understand why the exception is being raised, when the user definitely does have an authorized access token, as he can view Jira tickets from within Stash, and Stash commits within Jira without issue.

Like
cofarrell
cofarrell
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
February 7, 2014

Hi Dustin,

I've just tested this locally and createAuthenticatedRequestFactory() is returning TwoLeggedOAuthWithImpersonationRequestFactory, which is what I would expect. You might want to just double check your applinks configuration, and make sure "Enable outgoing 2-Legged OAuth requests" is really ticked.

What happens when you run the following (or inspect the REST requests in Chrome/Firefox when you're on the Application Links page):

> curl -u user:password -H "Accept: application/json" http://host:port/rest/applinks/2.0/listApplicationlinks

Mine has the following, which tells you exactly what the authenticators are (actually I never knew this endpoint listed this data until just now):

{
    "list": [
        {
            "appLinkState": "OK", 
            "application": {...},
            "configuredInboundAuthenticators": [
                "com.atlassian.applinks.api.auth.types.TwoLeggedOAuthWithImpersonationAuthenticationProvider", 
                "com.atlassian.applinks.api.auth.types.OAuthAuthenticationProvider", 
                "com.atlassian.applinks.api.auth.types.TwoLeggedOAuthAuthenticationProvider"
            ], 
            "configuredOutboundAuthenticators": [
                "com.atlassian.applinks.api.auth.types.TwoLeggedOAuthWithImpersonationAuthenticationProvider", 
                "com.atlassian.applinks.api.auth.types.OAuthAuthenticationProvider", 
                "com.atlassian.applinks.api.auth.types.TwoLeggedOAuthAuthenticationProvider"
            ], 
            ...
            "hasIncomingAuthenticationProviders": true, 
            "hasOutgoingAuthenticationProviders": true, 
            ....
        }
    ]
}

Sorry I can't be more help.

Charles

Like
Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
TAGS
AUG Leaders

Atlassian Community Events

    See all events