
Basic Auth for Confluence REST API doesn't work

Gunta S March 4, 2021

Using cURL this is the response that I get:

$ curl -H "Accept: application/json" -H "Content-Type: application/json" -u 'username:password' -I 'https://mysite.com/confluence/rest/api/content/111111' -v
* Trying <ip>:443...
* Connected to <mysite> (<ip>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: C:/##################
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
<>
* SSL certificate verify ok.
* Server auth using Basic with user 'username'
> HEAD /confluence/rest/api/content/11111? HTTP/1.1
> Host: mysite.com
> Authorization: Basic ################
> User-Agent: curl/7.74.0
> Accept: application/json
> Content-Type: application/json
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401
HTTP/1.1 401
< Server: openresty
Server: openresty
< Date: Thu, 04 Mar 2021 12:29:25 GMT
Date: Thu, 04 Mar 2021 12:29:25 GMT
< Content-Type: text/html;charset=utf-8
Content-Type: text/html;charset=utf-8
< Connection: keep-alive
Connection: keep-alive
< X-ASEN: SEN-####
X-ASEN: SEN-####
< Set-Cookie: JSESSIONID=#######################; Path=/confluence; HttpOnly
Set-Cookie: JSESSIONID=#######################; Path=/confluence; HttpOnly
< X-Seraph-LoginReason: AUTHENTICATED_FAILED
X-Seraph-LoginReason: AUTHENTICATED_FAILED
< WWW-Authenticate: OAuth realm="https%3A%2F%2Fmysite.com%2Fconfluence"
WWW-Authenticate: OAuth realm="https%3A%2F%2Fmysite.com%2Fconfluence"
< Content-Language: en
Content-Language: en
< Strict-Transport-Security: max-age=31536000; includeSubdomains
Strict-Transport-Security: max-age=31536000; includeSubdomains

<
* Connection #0 to host mysite.com left intact

 

If I go directly to my site and force using basic auth (https://mysite.com/confluence/rest/api/content/111111?os_authType=basic), after entering credentials it gives me a very weird looking 401 error (not the same as when using wrong credentials, but

This page isn’t working

If the problem continues, contact the site owner.

HTTP ERROR 401

with a reload button, and after I click on it or refresh the page it gives me exactly what I wanted to get with curl, looks like it's starting a session and passing JSESSIONID as in cookie based auth not basic auth)

As I understand, the problem is somewhere in the server setup, but I have no clue where to even begin to look. Any suggestions?

 

2 answers

0 votes
Andy Heinzer
Atlassian Team
March 5, 2021

Hi Gunta,

I see that you are using curl to try to query some data from a Confluence server instance.  However the error you are getting is a pretty clear indication that your request is not authenticating in the way expected.

Try checking out Confluence REST API examples.  It has a few syntax examples that might help here.  First I'd start by trying to remove the quotes around the username:password if you want to use that method to authenticate here.  Additionally, you will also need to specify which HTTP verb you are using here (GET, PUT, POST, etc).

As a side note, if your Confluence Server is 7.9 or higher, you might want to check out Using Personal Access Tokens.  This is an alternative means for Server users to be able to authenticate for REST API calls without having to use their username/password to authenticate here.

I hope this helps.

Andy

Gunta S March 7, 2021

Hi @Andy Heinzer

I don't believe it's the syntax here. I've tried it without quotes, with just the username where I enter the password after the prompt, and I've tried the Authorization header with base64-encoded username and password; the result is always the same. Specifying the verb gets the same result:

$ curl -v -u username -X GET "https://mysite.com/confluence/rest/api/content/111111"
Enter host password for user 'username':
Note: Unnecessary use of -X or --request, GET is already inferred.
* Trying <ip>:443...
* Connected to mysite.com (<ip>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: C:/#####
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* <>
* SSL certificate verify ok.
* Server auth using Basic with user 'username'
> GET /confluence/rest/api/content/1111111 HTTP/1.1
> Host: mysite.com
> Authorization: Basic ###############
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401
< Server: openresty
< Date: Mon, 08 Mar 2021 07:47:18 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 1116
< Connection: keep-alive
< X-ASEN: SEN-######
< Set-Cookie: JSESSIONID=#################; Path=/confluence; HttpOnly
< X-Seraph-LoginReason: AUTHENTICATED_FAILED
< WWW-Authenticate: OAuth realm="https%3A%2F%2Fmysite.com%2Fconfluence"
< Content-Language: en
< Strict-Transport-Security: max-age=31536000; includeSubdomains
<
<!doctype html><html lang="en"><head><title>HTTP Status 401 – Unauthorized</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 401 – Unauthorized</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> Basic Authentication Failure - Reason : AUTHENTICATED_FAILED</p><p><b>Description</b> The request has not been applied because it lacks valid authentication credentials for the target resource.</p><hr class="line" /><h3>Apache Tomcat/9.0.22</h3></body></html>* Connection #0 to host mysite.com left intact

I'm using version 6.15.10

Andy Heinzer
March 12, 2021

The response you get back from curl would indicate that the authentication failed, which in turn would leave your request as if it was made anonymously. If the resource you are trying to access here is protected from anonymous access, that explains the behavior we see here.

I would want to first confirm that your account in use here can access that resource on your Confluence server (outside of REST API), say by visiting the corresponding content in Confluence by logging into Confluence with the same credentials.  If those credentials work, then there is clearly something else to blame here.

The verbose response also seems to have some additional clues about your environment. The server response appears to be from a proxy called openresty. And given the 401 error there, it would seem that either the proxy is unable to see credentials for Confluence, or perhaps the proxy is misconfigured in some manner. We have ways you could test against this, such as explained in How to bypass a reverse proxy or SSL; this is at least one way to test if the proxy could be the source of the problem here.

If this is the problem, then you can explore further into other guides such as Running Confluence behind NGINX with SSL.

Andy

Gunta S March 15, 2021

Thanks @Andy Heinzer 

I found the fix to my issue here: Shibboleth HTTP authenticator and REST API · Issue #32 · chauth/confluence_http_authenticator · GitHub

I just added com.atlassian.seraph logging with DEBUG level and it works. Now I'm trying to understand why it works.

Gunta
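
An added example, not code from any participant in this thread: a small Python helper that pulls out of a curl -v trace the fields this discussion keeps returning to (the Server header, X-Seraph-LoginReason, the WWW-Authenticate challenge and the JSESSIONID cookie) and flags when the scheme the client sent is not among those the server challenged with. The function names and the sample trace are constructed for illustration.

```python
import re

# Constructed sample: a trimmed curl -v trace shaped like the ones in this thread.
SAMPLE_TRACE = """\
> GET /confluence/rest/api/content/111111 HTTP/1.1
> Host: mysite.com
> Authorization: Basic ################
>
< HTTP/1.1 401
< Server: openresty
< Set-Cookie: JSESSIONID=###########; Path=/confluence; HttpOnly
< X-Seraph-LoginReason: AUTHENTICATED_FAILED
< WWW-Authenticate: OAuth realm="https%3A%2F%2Fmysite.com%2Fconfluence"
<
"""

def parse_trace(trace):
    """Split curl -v output into request ('>') and response ('<') header dicts."""
    req, resp, status = {}, {}, None
    for line in trace.splitlines():
        m = re.match(r"^([<>]) (.+)$", line)
        if not m:
            continue  # TLS chatter, body text, and un-prefixed -I header echoes
        direction, text = m.groups()
        sm = re.match(r"HTTP/\S+ (\d{3})", text)
        if direction == "<" and sm:
            status = int(sm.group(1))
        elif ":" in text:
            name, value = text.split(":", 1)
            target = req if direction == ">" else resp
            target.setdefault(name.strip().lower(), []).append(value.strip())
    return status, req, resp

def triage(trace):
    """Summarise the auth-relevant facts of one request/response pair."""
    status, req, resp = parse_trace(trace)
    sent = [v.split()[0].lower() for v in req.get("authorization", []) if v]
    offered = [v.split()[0].lower() for v in resp.get("www-authenticate", []) if v]
    return {
        "status": status,
        "sent_scheme": sent[0] if sent else None,
        "offered_schemes": offered,
        # True when the client sent a scheme the 401 challenge does not list.
        "scheme_mismatch": bool(sent) and bool(offered) and sent[0] not in offered,
        "seraph_reason": (resp.get("x-seraph-loginreason") or [None])[0],
        "server": (resp.get("server") or [None])[0],
        "session_cookie_set": any(c.startswith("JSESSIONID=") for c in resp.get("set-cookie", [])),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_TRACE))
```
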

0 votes
Prince Nyeche
Rising Star
March 4, 2021

Hi @Gunta S 

Welcome to community! Do you use any form of 2FA to authenticate users on your Confluence server?

Gunta S March 4, 2021

Hi @Prince Nyeche 

Thanks for the welcome! No 2FA

Prince Nyeche
March 5, 2021

Hi @Gunta S 

Thanks for confirming that. From the trace above, it seems as though you've entered the wrong password or username a couple of times and Confluence has returned a captcha screen which is not visible on terminal. 

X-Seraph-LoginReason: AUTHENTICATED_FAILED

Try the below curl example:

curl -v \
--url "https://mysite.com/confluence/rest/api/content/111111" \
--header "Content-type: application/json" \
--user "username:password"

Ensure that the username and password are correct before proceeding. The 401 error when trying on your browser could be a different thing altogether; try logging out and in and see if the behaviour changes.

Gunta S March 7, 2021

Hi @Prince Nyeche 

I believe that if it was a captcha screen it would be giving AUTHENTICATED_DENIED. Credentials are correct; I even tried changing the password and creating a new user, still returning the same:

* Trying <ip>:443...
* Connected to mysite.com (<ip>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: C:/####
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*<>
* SSL certificate verify ok.
* Server auth using Basic with user 'username'
> GET /confluence/rest/api/content/111111 HTTP/1.1
> Host: mysite.com
> Authorization: Basic ################
> User-Agent: curl/7.74.0
> Accept: */*
> Content-type: application/json
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401
< Server: openresty
< Date: Mon, 08 Mar 2021 07:19:36 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 1116
< Connection: keep-alive
< X-ASEN: SEN-#######
< Set-Cookie: JSESSIONID=###########; Path=/confluence; HttpOnly
< X-Seraph-LoginReason: AUTHENTICATED_FAILED
< WWW-Authenticate: OAuth realm="https%3A%2F%2Fmysite%2Fconfluence"
< Content-Language: en
< Strict-Transport-Security: max-age=31536000; includeSubdomains
<
<!doctype html><html lang="en"><head><title>HTTP Status 401 – Unauthorized</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 401 – Unauthorized</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> Basic Authentication Failure - Reason : AUTHENTICATED_FAILED</p><p><b>Description</b> The request has not been applied
because it lacks valid authentication credentials for the target resource.</p><hr class="line" /><h3>Apache Tomcat/9.0.22</h3></body></html>* Connection #0 to host mysite.com left intact

As for the browser behavior, it's always the same no matter how many times I try to log in and out.
