REST + SSO + Atlassian Account + JIRA

Sohail April 25, 2017

My understanding from this question about HTTP Basic authentication not working anymore for jira.atlassian.com is that the workflow should be something like the following:

  1. Post username/password to https://id.atlassian.com/id/rest/login
  2. Retrieve the __ATL_TOKEN cookie sent in the response to a successful login above
  3. Use the provided __ATL_TOKEN in subsequent requests to https://myjira.atlassian.net

If this is correct, then perhaps this no longer works or there is a PEBKAC.

If this workflow is not correct, what should I be doing to ensure that I can use Atlassian Accounts through REST for JIRA?

Thanks in advance,

Sohail

2 answers

1 accepted

1 vote
Answer accepted
Sam Hall
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
April 25, 2017

Are you just trying to use basic auth to log in to your Cloud JIRA instance (for example https://{your-instance-name}.atlassian.net)?

Or are you trying to log in to https://jira.atlassian.com (Atlassian's public-facing issue tracker) specifically?

Sohail April 25, 2017

Hi Sam,

Thanks for looking. I'm trying to use the REST API on my instance.

I am not using any "auth" on the JIRA side, but trying to figure out which cookies need to be set and where to get them from. What I have pieced together based on my experimentation with cURL and looking at cookies in the browser is that I have to get the following cookies:

  • JSESSIONID
  • __ATL_TOKEN
  • studio.crowd.tokenkey

I can get the first two, but not the last. I'm not sure how that is set, or where it comes from.

Sam Hall
April 25, 2017

Does a cURL using basic auth not work for you? This works OK for me:

curl -D- -u user\@example.com:password -X GET -H "Content-Type: application/json" https://yourjirainstance.atlassian.net/rest/api/2/issue/createmeta

Note I use my Atlassian Account login details (so email address and password, instead of username and password).

Based on this example: https://developer.atlassian.com/cloud/jira/platform/jira-rest-api-basic-authentication/

To do cookie-based auth, I log in over REST using POST /rest/auth/1/session and use the resulting session cookie in subsequent requests along the lines of the example here.

Edit: updated links to point to the newer versions of the cloud REST API docs. 

Sohail April 25, 2017

This does not work for me. I believe the reason is due to the recent upgrade to Atlassian accounts (SSO).

Sam Hall
April 25, 2017

Can you post an example of the cURL request you are doing? With generic password and URL, of course : )

Sohail April 25, 2017

1)

curl -i -X POST -H "Content-Type: application/json" https://id.atlassian.com/id/rest/login --data '{"username":"me@domain.com","password":"password"}'

-> results in __ATL_TOKEN cookie

2) 

curl -k https://domain.atlassian.net --cookie "__ATL_TOKEN=<the value>; Version=1; Domain=.atlassian.com; Path=/; HttpOnly; Secure"

-> results in JSESSIONID

3) 

curl -k https://domain.atlassian.net/rest/auth/1/session --cookie "__ATL_TOKEN=..." --cookie "JSESSIONID=..."

-> 401

Note that the second step doesn't really seem to do anything.

Sam Hall
April 25, 2017

I think you just need to do this:

1) curl request to your cloud instance:

curl -i -H "Content-Type: application/json" -X POST -d '{"username":"username","password":"password"}' https://yourdomain.atlassian.net/rest/auth/1/session

 (note this request takes username, not email address)

 -> results in a JSON response that contains something like:

"session":{"name":"somename","value":"6E348...."}

The session name somename might be one of 'studio.crowd.tokenkey' OR  'JSESSIONID' OR 'cloud.session.token'

2) curl request using the session name and the token value from the JSON response in step 1.

So, if session name was studio.crowd.tokenkey, then use:

curl -v --cookie "studio.crowd.tokenkey=6E348...." https://yourdomain.atlassian.net/rest/auth/1/session

Or if session name was cloud.session.token, then use:

curl -v --cookie "cloud.session.token=6E348...." https://yourdomain.atlassian.net/rest/auth/1/session

This works for me. Let me know if it solves or if you have further issues and I'll try to help again.

Sohail April 25, 2017

I get the following after step 1:

{"errorMessages":["Login failed"],"errors":{}}

I get this whether it's my username, or my email.

Sam Hall
April 25, 2017

I only get the error if I am using incorrect username/password.

Does the password you are using definitely log you in to https://{your-instance-name}.atlassian.net?

It sounds like you must be trying to log in/out through the browser in order to look at the cookies, but I thought I should check.

If you haven't tried already, go to https://id.atlassian.com and log out. Then go to https://{your-instance-name}.atlassian.net and try to log in.

Atlassian invalidated some Atlassian Account passwords recently (read this security notice for more info). Is there a chance your account was affected and you need to reset your password?

Perhaps try changing your password via: https://id.atlassian.com/manage/change-password in case that sorts things out.

Assuming you are an admin on the instance, go to https://{your-instance-name}.atlassian.net/admin/users and double check you are using the right username.

By coincidence, there have been many login-related problems with Atlassian services today. Atlassian are still monitoring the problem, so perhaps there is a chance you are still affected. You could request support from Atlassian via https://support.atlassian.com/contact/

Other than that, I'm not sure what else I could be missing. I'm not aware of anything in the Atlassian Account migration that changes the login method. I use my Atlassian Account to log in to several different instances and have no problems with the REST API - using either basic auth or getting a session token using /rest/auth/1/session and using cookie-based-auth.

You don't use SAML SSO to log in, do you?

Sohail April 25, 2017

Atlassian recently converted my account to an "Atlassian Account" https://confluence.atlassian.com/cloud/atlassian-account-for-users-873871199.html

My understanding is that I am technically using SSO: The Atlassian edition.

https://jira.atlassian.com/browse/ID-6230

I believe this is the underlying issue: https://confluence.atlassian.com/bitbucket/upgrade-to-atlassian-account-829056056.html

 

Sohail April 25, 2017

Well this is odd... I changed my password, then tried to login through REST using just my username (not email) and it worked.

Sam Hall
April 25, 2017

Great! Glad it worked in the end.

Maybe the change ironed out some problem hanging over from today's login issues.

Do both methods now work for you?

Basic Auth with email + password (In this request, I use '\' to escape the @ sign):

curl -D- -u yourname\@example.com:password -X GET -H "Content-Type: application/json" https://yourdomain.atlassian.net/rest/api/2/issue/createmeta

Cookie-based with username + password:

curl -i -H "Content-Type: application/json" -X POST -d '{"username":"username","password":"password"}' https://yourdomain.atlassian.net/rest/auth/1/session

 

P.S. Another thing to check would have been whether you had triggered a CAPTCHA which was preventing login:

From: https://developer.atlassian.com/cloud/jira/platform/jira-rest-api-basic-authentication/#advanced-topics

"CAPTCHA is ‘triggered’ after several consecutive failed log in attempts, after which the user is required to interpret a distorted picture of a word and type that word into a text field with each subsequent log in attempt. If CAPTCHA has been triggered, you cannot use JIRA’s REST API to authenticate with the JIRA site.

You can check this in the error response from JIRA – If there is an X-Seraph-LoginReason header with a value of AUTHENTICATION_DENIED, this means the application rejected the login without even checking the password. This is the most common indication that JIRA’s CAPTCHA feature has been triggered."
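The check quoted above, combined with the session-cookie step from earlier in the thread, as an added example that is not part of the original posts: a shell helper that triages the output of `curl -i` against /rest/auth/1/session. The function names and the three sample responses are constructed for illustration; AUTHENTICATED_FAILED is Seraph's value for a password that was checked and rejected and is not quoted on this page.

```shell
#!/bin/sh
# Added example. The three responses below are constructed, not captured from a real site.
SAMPLE_OK=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n%s' \
  '{"session":{"name":"cloud.session.token","value":"CONSTRUCTED-VALUE"}}')
SAMPLE_DENIED=$(printf 'HTTP/1.1 401 Unauthorized\r\nX-Seraph-LoginReason: AUTHENTICATION_DENIED\r\n\r\n%s' \
  '{"errorMessages":["Login failed"],"errors":{}}')
SAMPLE_FAILED=$(printf 'HTTP/1.1 401 Unauthorized\r\nx-seraph-loginreason: AUTHENTICATED_FAILED\r\n\r\n%s' \
  '{"errorMessages":["Login failed"],"errors":{}}')

# Status code from the first status line of a `curl -i` dump.
http_status() {
  printf '%s\n' "$1" | tr -d '\r' | awk '/^HTTP\//{print $2; exit}'
}

# Value of header $2 (matched case-insensitively); stops at the blank line ending the headers.
header_value() {
  printf '%s\n' "$1" | tr -d '\r' | awk -v h="$2" '
    BEGIN { h = tolower(h) ":" }
    /^$/  { exit }
    tolower(substr($0, 1, length(h))) == h { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# "name=value" built from the "session" object in the JSON body, ready for curl --cookie.
session_cookie() {
  printf '%s' "$1" | tr -d ' \t\r\n' |
    sed -n 's/.*"session":{"name":"\([^"]*\)","value":"\([^"]*\)".*/\1=\2/p'
}

# Classify one login response: ok / captcha-or-denied / bad-credentials / unexpected.
classify_login() (
  status=$(http_status "$1")
  reason=$(header_value "$1" "X-Seraph-LoginReason")
  case "$status:$reason" in
    200:*)                     echo "ok cookie=$(session_cookie "$1")" ;;
    *:*AUTHENTICATION_DENIED*) echo "captcha-or-denied" ;;   # rejected before the password check
    401:*)                     echo "bad-credentials" ;;     # password checked and refused
    *)                         echo "unexpected status=$status reason=$reason" ;;
  esac
)

for sample in "$SAMPLE_OK" "$SAMPLE_DENIED" "$SAMPLE_FAILED"; do
  classify_login "$sample"
done
```

Both 401 samples carry the same "Login failed" JSON body, so only the X-Seraph-LoginReason header separates a CAPTCHA lockout from a wrong username or password.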

Sohail April 25, 2017

I guess you must be right. Both methods work... Though, according to the documentation, the second one shouldn't :-/

Edit: I did check for a CAPTCHA. This isn't my first Atlassian REST login rodeo ;-)

Sam Hall
April 25, 2017

Which docs say the 2nd one shouldn't?

Sohail April 25, 2017

I saw it here: https://confluence.atlassian.com/cloud/the-upgrade-to-atlassian-account-873871204.html#TheupgradetoAtlassianaccount-RESTAPIs

> Before your users' accounts upgrade to Atlassian account, REST APIs that accept user credentials expect a username and password. After the upgrade, REST APIs that accept Atlassian account user credentials expect a verified email address instead of a username.

 

Sam Hall
April 25, 2017

Oh. I'd seen that one, but I had somehow interpreted that as only applying when doing basic auth, but not when logging in and getting a cookie using /rest/auth/1/session.

But now you point it out, it doesn't make any distinction like that at all!

I guess I got it in my mind since the Cloud REST API spec and developer docs examples all show username rather than email in the example JSON data for posting to /rest/auth/1/session.

 

Sohail April 25, 2017

Eh, behind big companies are still people. I guess I should file a bug but hopefully this discussion has enough keywords to show up in web searches.

Thanks for your help Sam!

Matt Doran April 26, 2017

I too can no longer authenticate to our cloud instance using basic auth.  We are using Google/G Suite authentication and Atlassian have mandated enabling the Atlassian Account support this week.  We've enabled that and now can't use basic authentication to authenticate to the REST API.

We were previously using email/password for the instance.  That stopped working, but the email/password from id.atlassian.com is also not working.

Also just done basic test with curl ... no luck.

I've raised a support request, but if anyone has any ideas I'd love to hear them.

Sam Hall
April 26, 2017

Hi Matt - it's probably worth asking a new question here in the community about that. 

Mention Google/G Suite in the question title and it will make it much clearer to people what you need help with and avoid confusion with Sohail's question here, which is not to do with Google/G Suite authentication.

People are more likely to find your question and help if it is posted as a new unanswered question, rather than in a comment on this thread, which is marked as 'solved'.

Anyway, I'm guessing you already tried all the stuff suggested above?

Did you also have a look at this old question, which might help with some things to try?

https://community.atlassian.com/t5/JIRA-questions/Does-basic-HTTP-Authentication-work-for-Google-Apps-bound-JIRA/qaq-p/405032

Aishwarya Seeram June 9, 2019

Hey @Sam Hall  - I'm trying to do a simple GET request to see the list of issues assigned to a user, it constantly gives me a 401. I tried changing my password, logging out and logging in back with the new password, I was able to login. But the curl request gives me a 401 every time. We are using JIRA 7 and I believe the Access to allow REST API integration is enabled by default. Could you please help me out here?

 

curl -D- -u emailaddress:password -X GET -H "Content-Type: application/json" https://mydomain.net/rest/api/2/issue/?jql=assignee=emailaddress

Aishwarya Seeram June 9, 2019

Hey @[deleted]  - I am trying to do a simple GET to see all the issues assigned to a particular user. But I am constantly getting a 401. I've tried resetting my password, logging out and logging in, but doesn't seem to help. Could you please help me out here?

 

curl -D- -u email\@example.com:password -X GET -H "Content-Type: application/json" https://mydomain/rest/api/2/issue/?jql=assignee=emailaddress

0 votes
Mateusz Miara
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 14, 2019

For a single solution to using SSO with your Atlassian products, consider Crowd 3.4 with its SSO 2.0 - Crowd’s single point of access for Jira, Jira Service Desk, Bitbucket, and Confluence across different domains with one common login page.

NJR May 2, 2019

But those are all not free/open source, and for small companies it is too big an amount to pay. Can you suggest any free implementation of SSO to use here in Jira and Confluence?

Hubert Cross May 7, 2019

What about supporting login through Okta's SSO? Lots of companies are using this and it is currently not working.
