How to perform cookie-based authentication in Crowd + Jira + SSO using REST APIs

Shan January 25, 2019

Hello Team,

I have done some research and found the details below.

To authenticate the Crowd + Jira environment using cookie-based authentication, I need to have the crowd.token_key & JSESSIONID tokens.

My main goal is to use the cookies to access Jira, which is integrated with Crowd, using REST calls.

* crowd.token_key - I could not find any source on how to retrieve it using the REST API.

* In POSTMAN (REST client), to log in to the Crowd server, e.g.:

http://serverip:8095/crowd/rest/usermanagement/latest/session?validate-password=true

with a POST body containing username... pwd... in JSON format.

If we provide the Jira app name & pwd using basic authentication, then it works.

If I do as above it returns the JSESSIONID token, but I could not retrieve the Crowd token.

I am not sure whether the above way is proper or not.

I have a few questions.

* How to retrieve crowd.token_key and its value using REST APIs

* How to get the JSESSIONID token

* How to pass these session tokens to retrieve any data from the Jira server, e.g. issues, users...

NOTE: Please do not post the way using Crowd libraries, such as the CrowdClient APIs.

Thanks in advance.

3 answers

1 vote
Bruno Vincent
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
January 25, 2019

Hi @Shan

You don't need to request Crowd to get a crowd.token_key cookie. A simple request to Jira is enough. This is a better approach as you won't need to expose Jira's application name and password.

Here is the workflow:

1. Request the login URL of Jira (with username and password in basic authentication).

You will get a crowd.token_key cookie, a JSESSIONID cookie and an atlassian.xsrf.token cookie.

For instance:

curl -X GET -u "username:password" --silent --output /dev/null -c - 'http://jira.company.com:8080/login.jsp'

Will return:

# Netscape HTTP Cookie File
# https://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_jira.company.com    FALSE    /    FALSE    0    JSESSIONID    ABC*****************************
#HttpOnly_jira.company.com    FALSE    /    FALSE    0    crowd.token_key    "123*****************************"
jira.company.com    FALSE    /    FALSE    0    atlassian.xsrf.token    XYZ*****************************

2. Now, send whatever request you want to Jira by adding all 3 cookies.

For instance:

curl -X GET -H "Accept: application/json" -b "JSESSIONID=ABC*****************************;crowd.token_key=123*****************************;atlassian.xsrf.token=XYZ*****************************" 'http://jira.cleito.com:8080/rest/api/2/myself'

Will return your user profile in JSON format.
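The two-step flow above, written out as an added example (this is not code from the thread): step 1 sends basic auth exactly once and collects the three cookies, step 2 sends only those cookies and no Authorization header, which is what keeps Jira from opening a new session per request. The cookie-jar text is a constructed sample shaped like curl's `-c -` output; `jira.company.com` and the credentials are placeholders.

```python
import base64
import http.cookiejar
import json
import urllib.request

# Constructed sample of what `curl -c -` prints after step 1 (fake values).
SAMPLE_JAR = """# Netscape HTTP Cookie File
#HttpOnly_jira.company.com\tFALSE\t/\tFALSE\t0\tJSESSIONID\tABC123
#HttpOnly_jira.company.com\tFALSE\t/\tFALSE\t0\tcrowd.token_key\t"123XYZ"
jira.company.com\tFALSE\t/\tFALSE\t0\tatlassian.xsrf.token\tXYZ789
"""
REQUIRED = ("JSESSIONID", "crowd.token_key", "atlassian.xsrf.token")


def parse_cookie_jar(text):
    """Netscape jar (curl -c) -> {name: value}. '#HttpOnly_' lines are cookies, not comments."""
    cookies = {}
    for line in text.splitlines():
        if line.startswith("#HttpOnly_"):
            line = line[len("#HttpOnly_"):]
        fields = line.split()  # curl separates with tabs; cookie values contain no whitespace
        if len(fields) == 7 and not line.startswith("#"):
            cookies[fields[5]] = fields[6].strip('"')  # Crowd quotes the token_key value
    return cookies


def cookie_header(cookies):
    """Build the Cookie header; refuse to continue if the SSO cookies are absent."""
    missing = [n for n in REQUIRED if n not in cookies]
    if missing:
        raise ValueError("missing cookies (is Crowd SSO enabled?): " + ", ".join(missing))
    return "; ".join(f"{n}={cookies[n]}" for n in REQUIRED)


def api_request(base_url, cookies, path="/rest/api/2/myself"):
    """Step 2 request: session cookies only, deliberately no Authorization header."""
    return urllib.request.Request(base_url + path,
        headers={"Accept": "application/json", "Cookie": cookie_header(cookies)})


def fetch_myself(base_url, username, password):
    """Full flow against a live Jira: basic auth exactly once, then cookies only."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    login = urllib.request.Request(base_url + "/login.jsp",
                                   headers={"Authorization": "Basic " + token})
    opener.open(login).close()  # step 1: the response sets the three cookies into `jar`
    cookies = {c.name: c.value.strip('"') for c in jar}
    with urllib.request.urlopen(api_request(base_url, cookies)) as resp:  # step 2
        return json.load(resp)
```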

Shan January 25, 2019

Hello Bruno,

Thanks a lot for your reply.

Using curl I did not get any response in the command prompt. It was just blank.

I tried the first step as you mentioned using the POSTMAN REST client,

as "http://Serverip:9090/login" with my user name & pwd using basic authentication.

It did not work and returned 404; I feel the URL is wrong.

Normally we use the URL

"http://serverip:9090/jira/rest/auth/1/session" along with a body of credentials, with POST.

Correct me if I am wrong.

One more point to note: I did not configure a domain for Jira, as I am using localhost/server IP directly.

Bruno Vincent
January 25, 2019

Hi @Shan

The URI should be /login.jsp not /login 😉

But it does not really matter, you can use any valid Jira URL. Since the first time you send your username and password in basic authentication, you will always get a response embedding the 3 cookies that you need to use afterwards.

Shan January 25, 2019

Hello Bruno,

Sorry, there was a typo in the above reply.

I tried with the working URL only; when I try it in the browser it pops up a login window and works as expected when credentials are provided.

But via POSTMAN with basic auth it returns 200 but no info about cookies. I previewed it and it's nothing but a login window.

Response is, e.g.:

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=Edge"/>

......... etc

In curl there is no response.

Bruno Vincent
January 25, 2019

Can you show me the exact curl command you typed please?

(please blur the username and password)

Are you running Linux/macOS or Windows?

Shan January 27, 2019

Hi Bruno,

Sorry for the late reply.

[screenshot attached: CurlCommand.png]

I hope I tried the same way as you mentioned. Please correct me if I am wrong.

Bruno Vincent
January 27, 2019

Hi @Shan

The syntax is different on Windows:

curl -X GET -u "username:password" --silent --output NUL -c - "http://jira.company.com:8080/login.jsp"

Shan January 27, 2019

Hi Bruno,

It works. Thanks a lot.


Shan February 6, 2019

Hi Bruno,

In the curl command I am able to use the cookies and fetch the user details as well.

I have tried to implement the approach using Java (Jersey API).

Please find the code below:

Client client = Client.create();   // --> instance INS
client.addFilter(new HTTPBasicAuthFilter(crowdUserName, crowdUserPassword)); // --> equivalent to curl -u username:password

Using this I am able to fetch the cookie details, as in the curl command.

Passing these cookies in further calls/requests without the filter (i.e. no user name & password, so only Client client = Client.create();), similar to the curl command:

Without adding the filter the further calls are not working (returns 401 unauthorised error) --> Q1

So I thought to pass the filter with credentials for further calls, or use the above mentioned client instance INS along with/without cookies (I am aware that this is wrong; the reason is it's basic auth, not using cookies).

It works but it is creating multiple sessions in JIRA. --> Q2

Can you please let me know solutions for any of the below.

Q1 -> Is there any API or way to resolve the 401 error?

Q2 -> Is there any possibility to avoid creating multiple sessions in Jira?

Thanks in advance.

Bruno Vincent
February 6, 2019

Hi @Shan

The way to go is what I described in my first post (this is basically what you called Q1):

1. the first request with the username and password in the basic auth header to get the cookies

2. the second request without the basic auth header but embedding the cookies you got in the response to your first request.

If it works with curl/postman/whatever http client, it will work with any code sending http requests. So if it is not working now, that means that there is something wrong in your Java code.

I suggest that you enable DEBUG logging on 'com.atlassian.crowd' in Jira to understand why the request you're sending ends up in 401.

Shan February 7, 2019

Hi Bruno,

Thanks for the response. I will check and correct the Java code if there are any issues.

0 votes
Francesco Arieta July 24, 2020

Hi @Bruno Vincent 

I hope you can help me. I should retrieve the crowd.token_key from Java code:

{code}
import java.net.CookieHandler;
import java.net.CookieManager;
import java.net.HttpCookie;
import java.net.HttpURLConnection;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;

// url, username, password and log come from the surrounding class.
// A CookieManager must be installed before the request, otherwise
// HttpURLConnection discards the Set-Cookie headers it receives.
final CookieManager cookieManager = new CookieManager();
CookieHandler.setDefault(cookieManager);

final String encoding = Base64.getEncoder()
        .encodeToString((username + ":" + password).getBytes(StandardCharsets.UTF_8));

final HttpURLConnection con = (HttpURLConnection) url.openConnection();
con.setRequestMethod("GET");
con.setRequestProperty("Authorization", "Basic " + encoding);
final int resp = con.getResponseCode();

if (resp != 200) {
    throw new Exception("Target Response : " + resp);
}
con.getContent();

// Log every cookie the server set on this response
final List<HttpCookie> cookies = cookieManager.getCookieStore().getCookies();
for (final HttpCookie cookie : cookies) {
    log.debug(cookie.getDomain());
    log.debug(cookie.getName());
    log.debug(cookie.getValue());
}
{code}

But I receive the JSESSIONID as the only cookie. Any idea?

Bruno Vincent
July 25, 2020

Hi @Francesco Arieta 

Does it work in Postman/curl?

I guess you should first make sure that Crowd SSO is enabled in Jira.

0 votes
Deleted user January 28, 2020

Hi @Bruno Vincent , I'm trying to do the same, but against web SSO (id.atlassian.com) for the CLOUD VERSION, since I need to get the cookie cloud.session.token in order to download some attachments from Confluence.

I tried this:

curl -X GET -u "USERNAME:PASSWORD" --output /dev/null -c - 'https://id.atlassian.com/login'

And I'm getting cloud.session.token ---> DELETED; not even sure if login is working in this way, I doubt it.

[screenshot attached: a1.PNG]

Any idea if login through SSO using curl or wget is even possible nowadays?

Bruno Vincent
January 29, 2020

Hi @[deleted] 

Cookie-based authentication has been deprecated in Atlassian Cloud. You should now use API tokens instead: https://confluence.atlassian.com/cloud/api-tokens-938839638.html

Deleted user January 29, 2020

Thank you so much! Worked like a charm!

Vivian Escalante October 9, 2020

@Bruno Vincent , let me know if you need to create another question for this, but I'd like to bypass SSO for Jira as well when I try to hit the login page, but for server. I keep getting redirected even with the JSESSIONID. Any idea on how to bypass this? Thanks!

curl --cookie 'JSESSIONID=<cookie>' https://<base_url>/login.jsp -I
