Confluence REST API: Is there anyway to authenticate by JSESSIONID or crowd.token_key?

Hi guys,
I am using SSO with Crowd and Confluence.
Now I need to get Confluence's data from a third-party custom application. Is there any way to authenticate by JSESSIONID or crowd.token_key?
Thanks in advance.

2 answers

2 accepted

2 votes
Bruno Vincent Community Champion Dec 13, 2017

Hi @tai nguyen,

In short, yes, you can authenticate with session cookies when requesting the Confluence REST API. You might want to take a look at this link, which provides very good examples.

In your use case, the workflow will be (a little bit) more complex. My understanding is that you have a user accessing a third-party web app with a browser and that you want to send HTTP requests from that web app to Confluence's REST API on behalf of the end user. In such a case:

1. The user's browser sends the crowd.token_key cookie (I actually assume that your third party web app, Confluence and Crowd are on the same domain)

2. Your third party web app requests any URL of the Confluence server along with the crowd.token_key cookie that was provided by the end-user's browser.

Confluence will send the SSO token to Crowd so as to verify if it is a valid one. The problem here is that your third party web app's IP address is different from the end-user's IP address so Crowd won't validate the token (you will see warnings in Crowd's logs saying that the validation factors differ).

You have two workarounds for this:

  • Either you uncheck 'Session configuration > Require consistent client IP address' in Crowd's administration console
  • Or you add an X-Forwarded-For header (containing the end user's IP address) to the HTTP request to your Confluence server. You will also need to add your third-party web app's IP address to the trusted proxy servers list in Crowd's administration console.

3. Confluence will return a JSESSIONID cookie and an atlassian.xsrf.token cookie. You can now send your HTTP request along with the three cookies (JSESSIONID, crowd.token_key and atlassian.xsrf.token), plus the X-Forwarded-For header, to the Confluence REST API URLs.

Hi @Bruno Vincent,

Thank you so much for your solution, I have tried and it worked.

Can I ask you one more question? That is, is there any risk in unchecking [Require consistent client IP address]?

Hi @Bruno Vincent

Because the 'uncheck Require consistent client IP address' solution is unsafe, I went to try the 'add an X-Forwarded-For header' solution above.

But when I sent a request with the X-Forwarded-For header and the SSO token, it returned a 403 error code. So how do I get the JSESSIONID which is returned from Confluence?

JSESSIONID is easy to get in JIRA, but it seems like Confluence still doesn't support it.

Thank you

Bruno Vincent Community Champion Dec 15, 2017

Hi @tai nguyen,

I would not say that unchecking the 'Require consistent client IP address' is unsafe, but it's obviously less safe than leaving it checked.

If it works with the option unchecked and does not work anymore when the option is checked, even though you added the X-Forwarded-For header, then it's all about validation factors. So you have to verify which IP address was used in the validation factors when the Crowd SSO token was initially created and which one you set in the X-Forwarded-For header. Please follow the instructions detailed in the 'Diagnostic steps' paragraph on this page: https://confluence.atlassian.com/crowdkb/crowd-sso-not-working-when-using-more-than-one-proxy-826868834.html

Hi Bruno,

Thank you so much for the reply.

I will try to check it.
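The exchange described in the Dec 13 answer (steps 2 and 3: bootstrap request with crowd.token_key and X-Forwarded-For, then the REST call with all three cookies) and the validation-factor mismatch diagnosed in the Dec 15 reply, as an added example that is not part of the thread and not Crowd's or Confluence's own code. The server side is a simplified model of the behaviour the answer describes (assumption): Crowd compares the client IP recorded when the token was issued with the IP of the request, and honours X-Forwarded-For only when the connecting peer is in the trusted proxy list. All IPs, tokens and cookie values are constructed sample data.

```python
"""Model of the Crowd SSO validation-factor check and of the cookie handshake
from the answer above. Added illustration, not Crowd's or Confluence's own
code: the rule "compare the client IP recorded when the token was issued with
the IP of the request, honouring X-Forwarded-For only when the connecting peer
is a trusted proxy" is a simplified model of the behaviour the answer describes
(assumption); every IP, token and cookie value here is constructed sample data."""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie


@dataclass
class CrowdSsoConfig:
    require_consistent_client_ip: bool = True      # 'Session configuration' option
    trusted_proxies: set = field(default_factory=set)


# token -> client IP recorded as validation factor when the token was issued
# (constructed: the end user logged in to Confluence from 203.0.113.10)
ISSUED_TOKENS = {"abc123crowdtoken": "203.0.113.10"}


def effective_client_ip(remote_addr, x_forwarded_for, cfg):
    """IP address used as the validation factor for an incoming request.

    X-Forwarded-For is only believed when the peer that connected to us is in
    the trusted proxy list; otherwise anyone could spoof the header."""
    if x_forwarded_for and remote_addr in cfg.trusted_proxies:
        return x_forwarded_for.split(",")[0].strip()   # leftmost hop = original client
    return remote_addr


def validate_sso_token(token, remote_addr, x_forwarded_for, cfg):
    """True if the crowd.token_key presented would pass validation."""
    recorded_ip = ISSUED_TOKENS.get(token)
    if recorded_ip is None:
        return False                                   # unknown or expired token
    if not cfg.require_consistent_client_ip:
        return True                                    # workaround 1: IP not compared
    return effective_client_ip(remote_addr, x_forwarded_for, cfg) == recorded_ip


def fake_confluence(cfg):
    """Stand-in for the Confluence server: validates crowd.token_key with the
    model above and, on success, issues JSESSIONID and atlassian.xsrf.token."""
    def handle(remote_addr, headers):
        cookies = dict(p.strip().split("=", 1)
                       for p in headers.get("Cookie", "").split(";") if "=" in p)
        if not validate_sso_token(cookies.get("crowd.token_key"), remote_addr,
                                  headers.get("X-Forwarded-For"), cfg):
            return 403, []                             # what the asker observed
        return 200, ["JSESSIONID=SESSION42; Path=/; HttpOnly",
                     "atlassian.xsrf.token=XSRF99; Path=/"]
    return handle


def build_request_headers(cookies, end_user_ip):
    """Headers the third-party app sends to Confluence on the user's behalf."""
    return {"Cookie": "; ".join(f"{k}={v}" for k, v in cookies.items()),
            "X-Forwarded-For": end_user_ip}


def absorb_set_cookie(jar, set_cookie_headers):
    """Merge a response's Set-Cookie headers into the app's per-user jar."""
    for header in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            jar[name] = morsel.value
    return jar


def sso_rest_flow(crowd_token, end_user_ip, app_ip, confluence):
    """Steps 2-3 of the answer: bootstrap request carrying only crowd.token_key,
    then the headers of the REST call carrying all three cookies.
    Returns None when Confluence answered 403 to the bootstrap request."""
    jar = {"crowd.token_key": crowd_token}
    status, set_cookies = confluence(app_ip, build_request_headers(jar, end_user_ip))
    if status != 200:
        return None
    absorb_set_cookie(jar, set_cookies)
    return build_request_headers(jar, end_user_ip)


if __name__ == "__main__":
    cfg = CrowdSsoConfig(require_consistent_client_ip=True, trusted_proxies={"10.0.0.5"})
    print(sso_rest_flow("abc123crowdtoken", "203.0.113.10", "10.0.0.5", fake_confluence(cfg)))
```

Two things this makes visible that the prose alone does not: with the IP check on and the app's address not in the trusted proxy list, X-Forwarded-For is simply ignored and the bootstrap request gets the 403 the asker reported; with the app trusted, the header must carry exactly the address recorded at login, which is what the diagnostic steps in the Dec 15 reply compare. The end-user address should come from the app's own socket (or a proxy the app itself trusts), never copied from an inbound X-Forwarded-For header that the browser could have set.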

1 vote
Bruno Vincent Community Champion Dec 14, 2017

Hi @tai nguyen,

That is good news, I'm glad that helped!

Well, unchecking the 'Require consistent client IP address' option is obviously less secure, as anyone having your Crowd SSO cookie could impersonate you. That being said, it should not be trivial to steal your Crowd SSO cookie. Make sure to always use HTTPS and tick the 'Secure SSO cookie' checkbox in Crowd's administration console as detailed here. Apart from non-secure connections, XSS is usually the main type of attack used to steal cookies. So, you should also make sure that your third-party web app code sets the httpOnly flag to 'true' on the Crowd SSO cookie.

Yes, I got it.

Thank you so much for the great advice.
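A check for the cookie hardening recommended in the answer above (HTTPS, Secure flag, HttpOnly flag), as an added example that is not from the thread: it parses the Set-Cookie headers of a response and reports which of the session cookies named in the thread lack those flags. Only crowd.token_key and JSESSIONID are audited, since those are the credentials an attacker would want to steal; the sample headers are constructed.

```python
"""Audit Set-Cookie headers for the flags recommended above. Added example,
not from the page; the sample headers are constructed."""
from http.cookies import SimpleCookie

# session credentials named in the thread; atlassian.xsrf.token is left out
# because it is an XSRF token, not a session credential
SESSION_COOKIES = ("crowd.token_key", "JSESSIONID")


def audit_cookie_flags(set_cookie_headers, over_https=True):
    """Return {cookie_name: [problems]} for each session cookie found."""
    findings = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if name not in SESSION_COOKIES:
                continue
            problems = []
            if not morsel["secure"]:          # "" when the flag is absent
                problems.append("missing Secure flag")
            if not morsel["httponly"]:
                problems.append("missing HttpOnly flag")
            if not over_https:
                problems.append("set over plain HTTP")
            findings[name] = problems
    return findings


if __name__ == "__main__":
    sample = ["crowd.token_key=abc; Path=/; Secure; HttpOnly",   # constructed
              "JSESSIONID=xyz; Path=/"]
    for cookie, problems in audit_cookie_flags(sample).items():
        print(cookie, problems or "ok")
```

Run it against the raw response headers of the bootstrap request from the earlier answer (or of a normal browser login) to confirm that the 'Secure SSO cookie' setting actually took effect.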
