
How to perform cookie based authentication in Crowd + Jira + SSO using REST APIs

Hello Team,

I had done some research and found the below details,

To authenticate the Crowd + Jira environment using cookie based authentication I need to have cookie.token_key & JSESSIONID token.

 My main goal is use the cookies to access Jira which is integrated with crowd using REST calls.

* crowd.token_key - I could not find any source on how to retrieve it using the REST API

* In POSTMAN (Rest client) to login to the crowd server as ex: 

http://serverip:8095/crowd/rest/usermanagement/latest/session?validate-password=true

with POST body username.... pwd ... in JSON format.. 

Jira app name & pwd using basic authentication if we provide then it works.

If I do as above it returns the JSESSIONID token but I could not retrieve the crowd token.

I am not sure the above way is proper or not.

I have few questions.

* How to retrieve crowd.token_key and its value using REST APIs

* How to get the JSESSIONID token

* How to pass these session tokens to retrieve any data from the Jira server. Ex: issues, users ...

 NOTE: Please do not post the way using crowd libraries. like CrowdClient API's

Thanks in advance.

 

3 answers

1 vote
Bruno Vincent Community Leader Jan 25, 2019

Hi @Shan

You don't need to request Crowd to get a crowd.token_key cookie. A simple request to Jira is enough. This is a better approach as you won't need to expose Jira's application name and password.

Here is the workflow:

1. Request the login URL of Jira (with username and password in basic authentication).

You will get a crowd.token_key cookie, a JSESSIONID cookie and an atlassian.xsrf.token cookie.

For instance:

curl -X GET -u "username:password" --silent --output /dev/null -c - 'http://jira.company.com:8080/login.jsp'

Will return:

# Netscape HTTP Cookie File
# https://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_jira.company.com    FALSE    /    FALSE    0    JSESSIONID    ABC*****************************
#HttpOnly_jira.company.com    FALSE    /    FALSE    0    crowd.token_key    "123*****************************"
jira.company.com    FALSE    /    FALSE    0    atlassian.xsrf.token    XYZ*****************************

2. Now, send whatever request you want to Jira by adding all 3 cookies.

For instance:

curl -X GET -H "Accept: application/json" -b "JSESSIONID=ABC*****************************;crowd.token_key=123*****************************;atlassian.xsrf.token=XYZ*****************************" 'http://jira.cleito.com:8080/rest/api/2/myself'

Will return your user profile in JSON format.
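
Added example, not part of the original answer: curl writes HttpOnly cookies to the jar with a `#HttpOnly_` prefix, so a script that skips every `#` line as a comment loses JSESSIONID and crowd.token_key. The helper below (hypothetical names, constructed sample values) builds the `-b` string for step 2 from a saved jar, keeping those lines and dropping expired or other-host cookies.

```shell
#!/bin/sh
# Added example: build a Cookie string from a curl cookie jar (Netscape format).

# cookie_header_from_jar FILE [HOST]   (hypothetical helper name)
# Prints "name=value; name=value" for unexpired cookies, optionally only HOST's.
cookie_header_from_jar() {
    awk -F '\t' -v now="$(date +%s)" -v host="$2" '
        # curl prefixes HttpOnly cookies with "#HttpOnly_"; they are real
        # cookies (JSESSIONID, crowd.token_key here), not comments.
        /^#HttpOnly_/ { sub(/^#HttpOnly_/, "") }
        /^#/ || NF != 7 { next }                 # comments, blanks, malformed
        host != "" && $1 != host && $1 != ("." host) { next }
        $5 != 0 && $5 < now { next }             # expired (0 = session cookie)
        { out = out (out == "" ? "" : "; ") $6 "=" $7 }
        END { print out }
    ' "$1"
}

# Constructed sample in the shape of the jar above; values are placeholders.
write_sample_jar() {
    {
        printf '# Netscape HTTP Cookie File\n\n'
        printf '#HttpOnly_jira.company.com\tFALSE\t/\tFALSE\t0\tJSESSIONID\tABC\n'
        printf '#HttpOnly_jira.company.com\tFALSE\t/\tFALSE\t0\tcrowd.token_key\t"123"\n'
        printf 'jira.company.com\tFALSE\t/\tFALSE\t0\tatlassian.xsrf.token\tXYZ\n'
        printf 'jira.company.com\tFALSE\t/\tFALSE\t1\tstale\told\n'
        printf 'other.example\tFALSE\t/\tFALSE\t0\tunrelated\tnope\n'
    } > "$1"
}

jar=$(mktemp)
write_sample_jar "$jar"
cookie_header_from_jar "$jar" jira.company.com
rm -f "$jar"
# Step 2 would then be (cookies only, no -u):
#   curl -H "Accept: application/json" \
#        -b "$(cookie_header_from_jar jar.txt jira.company.com)" \
#        'http://jira.company.com:8080/rest/api/2/myself'
```
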

Hello Bruno,

Thanks a lot for your reply.

Using curl I did not get any response in the command prompt. It was just blank.

I had tried as you mentioned in the first step using POSTMAN Rest client, 

as "http://Serverip:9090/login" with my user name & pwd using basic authentication. 

It did not work and returned 404; I feel the URL is wrong.

Normally we will use the url as 

"http://serverip:9090/jira/rest/auth/1/session" along with body of credentials with POST.

Correct me if I am wrong.

One more point to note is that I did not configure a domain for Jira, as I am using localhost/server IP directly.

Bruno Vincent Community Leader Jan 25, 2019

Hi @Shan

The URI should be /login.jsp not /login 😉

But it does not really matter, you can use any valid Jira URL. Since the first time you send your username and password in basic authentication, you will always get a response embedding the 3 cookies that you need to use afterwards.

Hello Bruno,

Sorry, there was a typo in the above reply.

I had tried with the working URL only, when I try it in the browser it pops up login window and works as expected when credentials provided.

But via POSTMAN with basic auth it returns 200 but no info about cookies. I previewed it and it's nothing but a login window. 

Response is ex: 

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=Edge"/> 

......... etc

In CURL there is no response. 

Can you show me the exact curl command you typed please?

(please blur the username and password)

Are you running Linux/macOS or Windows?

Hi Bruno,

Sorry for the late reply.

CurlCommand.png

I hope I had tried the same way as you mentioned. Please correct me if I am wrong.

Bruno Vincent Community Leader Jan 27, 2019

Hi @Shan

The syntax is different on Windows:

curl -X GET -u "username:password" --silent --output NUL -c - "http://jira.company.com:8080/login.jsp"

Hi Bruno,

It works. Thanks a lot.

 

Hi Bruno,

In the curl command I am able to use the cookies and fetch the user details as well.

I have tried to implement the approach using Java (Jersey api).

PFB code is,

Client client = Client.create();  // instance INS
client.addFilter(new HTTPBasicAuthFilter(crowdUserName, crowdUserPassword));  // equivalent to curl -u username:password

Using this I am able to fetch the cookie details, as in the curl command.

Passing these cookies in further calls/requests without the filter (i.e. no user name & password, so only Client client = Client.create();) similar to the curl command

Without adding the filter the further calls are not working (returns 401 unauthorized error) --> Q1

So I thought to pass the filter with credentials for further calls or use the above mentioned client instance INS along with/without cookies (I am aware that this is wrong, reason is it's basic auth, not using cookies)

It works but it is creating multiple sessions in JIRA. --> Q2

Can you please let me know solutions for any of the below.

Q1 -> Is there any api or way to resolve the 401 error?

Q2 -> Is there any possibility to avoid creating multiple sessions in jira?

Thanks in advance.

Bruno Vincent Community Leader Feb 06, 2019

Hi @Shan

The way to go is what I described in my first post (this is basically what you called Q1):

1. the first request with the username and password in the basic auth header to get the cookies

2. the second request without the basic auth header but embedding the cookies you got in the response to your first request.

If it works with curl/postman/whatever http client, it will work with any code sending http requests. So if it is not working now, that means that there is something wrong in your Java code.

I suggest that you enable DEBUG logging on 'com.atlassian.crowd' in Jira to understand why the request you're sending ends up in 401.

Hi Bruno,

Thanks for the response. I will check and correct the java code if any issues.

Hi @Bruno Vincent , I'm trying to do the same, but against web SSO (id.atlassian.com) for CLOUD VERSION, since I need to get the cookie--> cloud.session.token in order to download some attachments from confluence.

I tried this:


curl -X GET -u "USERNAME:PASSWORD" --output /dev/null -c - 'https://id.atlassian.com/login'

And I'm getting cloud.session.token ---> DELETED, not even sure if login is working in this way, I doubt it.

Any idea if login through SSO using curl or wget is even possible nowadays?

Bruno Vincent Community Leader Jan 29, 2020

Hi @Esteban Mirizio 

Cookie-based authentication has been deprecated in Atlassian Cloud. You should now use API tokens instead: https://confluence.atlassian.com/cloud/api-tokens-938839638.html

Thank you so much! Worked like a charm!

@Bruno Vincent , let me know if you need to create another question for this, but I'd like to bypass SSO for Jira as well when I try to hit the login page, but for server. I keep getting redirected even with the JSESSIONID. Any idea on how to bypass this? Thanks!

curl --cookie 'JSESSIONID=<cookie>' https://<base_url>/login.jsp -I

 

Hi @Bruno Vincent 

 

I hope you can help me, I should retrieve the crowd.token_key from Java code

 

{code}

// Send the request with Basic authentication
con = (HttpURLConnection) url.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Authorization", "Basic " + encoding);
final int resp = con.getResponseCode();

if (resp != 200) {
    throw new Exception("Target Response : " + resp);
}
con.getContent();
final String cookieValue = "";
// List every cookie the cookie manager stored from the response
final List<HttpCookie> cookies = cookieManager.getCookieStore().getCookies();
for (final HttpCookie cookie : cookies) {
    log.debug(cookie.getDomain());
    log.debug(cookie.getName());
    log.debug(cookie.getValue());  // note: writes session token values to the debug log
}

{code}

But I receive the JSESSIONID as the only cookie. Any idea?

Bruno Vincent Community Leader Jul 25, 2020

Hi @Francesco Arieta 

Does it work in Postman/curl?

I guess you should first make sure that Crowd SSO is enabled in Jira 
