Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Celebration

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root

Avatar

1 badge earned

Collect

Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!

Challenges
Coins

Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.

Recognition
Ribbon

Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!

Leaderboard

Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,465,131
Community Members
 
Community Events
176
Community Groups

OAuth Error During Setup Between Jira Align and Jira

Problem

When trying to establish the OAuth link between Jira Align and Jira, the applications aren't able to authenticate to each other.

After clicking the "Request Jira for access" button in the Jira Connector window, you receive the following error:

Welcome to JIRA

The request token cannot be authorized at this time. Try again later and if you continue to receive this error, contact the site administrator.

You will also see the following in the address bar of your browser:

https://<jira-URL>/plugins/servlet/oauth/authorize?oauth_problem=signature_invalid&oauth_signature=...

                      

Diagnosis

Environment

  • Jira Align and Jira are connected together using Application Links
  • The authentication method used is OAuth

Cause

The Application URL on the Jira side of the link does not match the URL that Jira Align is reporting. This can be caused by one of the following scenarios:

  1. Check to make sure that the Consumer Key does not have any spaces in the name and matches exactly in both Jira and Jira Align.
  2. Check to make sure the OAuth Public Key matches exactly in both Jira and Jira Align. 
  3. The Jira Base URL configured in the Jira Align Connector is set to something other than the Application URL defined on the link.
    • The oauth_signature_base_string is calculated using the Application URL so if each side is configured with a different URL, the strings will not match.
    • An example of this scenario is when the base Jira URL and Jira API URL are two different Fully Qualified Domain Names (FQDNs). 
  4. A reverse proxy or port forwarding is configured, and the "Host" header is reporting the wrong host name or port.
  5. If you are using NGINX as the reverse proxy and using the proxy_cache  directive. 
  6. The useBodyEncodingForURI tomcat parameter in the <jira-install>/conf/server.xml is set to true.

In any of these scenarios, the affected applications will usually display other problems as well.

                      

Resolution

Base URL

Applicable to scenario 3.

  • Ensure the Base URL is correct for each application.

Application URL

Applicable to scenario 3.

  • The Application URL should match the Base URL of the other application unless you're bypassing a reverse proxy.

  • If the Application URL does not match the Base URL (and you're not bypassing a reverse proxy) then delete and recreate the Application Link.

Reverse Proxy

Applicable to scenario 4.

  • If using a reverse proxy or port forwarding, ensure the application is correctly configured for use with a reverse proxy.

NGINX Reverse Proxy with  proxy_cache directive

Applicable to scenario 4.

NGINX caching rewrites HEAD requests to GET requests by default which will interfere with application link communication between Atlassian products.

  • Workaround 1: Do not use the proxy_cache  directive in the Nginx configuration
  • Workaround 2: If the proxy_cache  directive is required, then add this to the NGINX configuration which will allow caching to remain enabled without breaking OAuth communication:

    proxy_cache_convert_head   off;
    proxy_cache_key            $scheme$request_method$proxy_host$request_uri;

Tomcat (Jira)

Applicable to scenario 3.

To break down this scenario a bit further:

  • The Jira side is creating the oauth_signature_base_string using the hostname that is defined in the Tomcat server.xml file.
    • proxyName="jira.domain.xyz"
  • The Jira Align side is creating the oauth_signature_base_string using the API URL in the connector configuration.
    • "jiraAPI.domain.xyz"
  • The two oauth_signature_base_strings will not match and the OAuth connection will fail.

Creating a second connector:

  • Copy the existing connector information found in the Tomcat server.xml file and we'll use that as a template to create the second connector.
  • Paste a copy of the existing connector below the first one and change only the Connector port and proxyName.
    • This new Connector port will be different than the first connector and you'll need to adjust the proxy configuration (or load balancer) to point to this new port.
    • The proxyName of the new connector will match the API URL.
  • Example of first (original) connector:
    <Connector port="8080" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false" maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443" scheme="https" proxyPort="443" proxyName="jira.domain.xyz" acceptCount="100" disableUploadTimeout="true" bindOnInit="false"/>
  • Example of newly created second connector:
    <Connector port="8081" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false" maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443" scheme="https" proxyPort="443" proxyName="jiraAPI.domain.xyz" acceptCount="100" disableUploadTimeout="true" bindOnInit="false"/> 

 

0 comments

Comment

Log in or Sign up to comment
TAGS

Atlassian Community Events