
JIRA Service Desk Server – change the customer’s password via REST API

CrisP. October 9, 2017

Hello,

I need a solution for changing the user’s password in an external customer portal via REST API (Jira Service Desk Server) using the username and password of the authenticated user as REST API authentication credentials. The available APIs listed in Jira related to this action are:

-    /rest/api/2/myself/password (using the authenticated user’s credentials for API authentication)
-    /rest/api/2/user/password (using Jira admin credentials for API authentication)

I am interested in using the first API (based on the customer’s credentials) in order to avoid any security issue that might appear, but it doesn’t work; it seems like the customer does not have enough rights to perform this action.

Do you know if this api was disabled or are there any solutions to change the customer’s password without admin credentials?


Thanks in advance!

1 answer

1 vote
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 9, 2017

If you were using Jira Cloud, then I could understand this REST call not working.  There have been recent changes to Jira Cloud to prevent the use of that and other related Cloud API Rest endpoints.  Those changes are explained in User management REST API changes in JIRA Cloud.

 

But since you are using Jira Server, these API endpoints are still valid, and available to end users to call themselves.   These are still documented in the current Jira REST Server API Reference guide : api/2/myself.  I went through my own Jira 7.5.0 Server version and tested this to make sure that I could reset my non-admin account via a REST call.

To test this I used the following curl to change this password:

curl -D- -u username1:abc123 -X PUT --data "{\"currentPassword\": \"abc123\", \"password\": \"sphere\"}" -H "Content-Type: application/json" http://localhost:8750/rest/api/2/myself/password

 

In this case my user account was called 'username1' and the password was 'abc123'.   After I ran this, I found this account could login with the new password 'sphere'.

So, yes, even non-admin Jira server users should be able to make a REST call in order to change their own password.  

In addition to using a REST call like this, if the users can at least log in to a customer portal in Service Desk, in the top right corner of that page, under their profile, they can also use a link there to "Change Password". I realize this isn't the same as using the REST call, but it provides another way for end users to change their passwords. Both that and this REST call depend on the user actually being able to log in to the Jira site with their current credentials though.

CrisP. October 12, 2017

Hello,

Thanks for your input, Andrew!

We are currently using Jira Core 7.4.2 with Jira ServiceDesk  3.6.2 and we don’t have the change password button in the Customer Portal.

Can you please provide a printscreen that shows where that button is in your instance?

 

We also tried again to change the password of a customer (with the following JIRA settings:
- Group name: jira- customers
- Service Desk project role : Service Desk Customers )

using the CURL indicated by you, but we get a 302 response:

curl -D- -u demouser:demouser -X PUT --data "{\"currentPassword\": \"demouser\", \"password\": \"sphere\"}" -H "Content-Type: application/json" https://..../rest/api/2/myself/password
HTTP/1.1 302
Date: Wed, 11 Oct 2017 12:42:28 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 0
............
............
X-AUSERNAME: demouser
Location: /servicedesk/customer/portals

 

Thanks!

Andy Heinzer
Atlassian Team
October 12, 2017

Here is my response when I made this curl call:

HTTP/1.1 204 
X-AREQUESTID: 949x3413x1
Set-Cookie: JSESSIONID=C403B0813D7700CAA150DC669FA79A0C;path=/;HttpOnly
X-Seraph-LoginReason: OK
Set-Cookie: atlassian.xsrf.token=B8SJ-PNJR-K821-T2GD|916e48030d65a17a07e78ebe826102c1b51e9205|lin;path=/
X-ASESSIONID: ycnnj5
X-AUSERNAME: hh
Cache-Control: no-cache, no-store, no-transform
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Date: Mon, 09 Oct 2017 20:49:56 GMT

 

In the Jira webpage, the user would have to login to the customer portal first, from there they have to click on their profile:

changepass2.png

That profile page is expected to have a reset password link there:

changepass1.png

 

 

So this is possible to do. I even went back and tested this on a 7.4.2 Jira to make sure.

However, there are other possible considerations as to why you might not see this option in the web browser and why the REST call does not work here. Chief among these is to determine whether these accounts in Jira exist in the Jira Internal User directory, or perhaps if these accounts exist in Jira because they are connected to an LDAP directory that is set up in Jira as Read only. In cases like this, Jira can't reset the user's password. Instead the management of the user account is expected to only be managed in LDAP directly.

To determine this, I'd recommend going into Jira under the Cog Icon -> user management, then searching for this username in question.   That page should be able to tell you the specific name of the Directory that user account exists in.   If this is the Jira internal directory, then I would expect Jira to be able to reset this account's password.  But if the directory listed there is a Connected LDAP, or Crowd instance, then it's possible Jira does not have the ability to change this account's password because it's being managed elsewhere.
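
An added example, not part of either poster's message: a small shell helper that reads the headers `curl -D-` prints for this call and separates the two outcomes shown in the thread, the 204 and the 302 that still carries the caller's name in `X-AUSERNAME`. The function names and the 401 and catch-all branches are assumptions; the samples are constructed, abbreviated from the responses quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): interpret the header dump that
# `curl -D-` prints for PUT /rest/api/2/myself/password.

# header_value HEADERS NAME -> value of the first header with that name
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v name="$2" '
        BEGIN { name = tolower(name) }
        {
            i = index($0, ":")
            if (i && tolower(substr($0, 1, i - 1)) == name) {
                v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
            }
        }'
}

# diagnose HEADERS EXPECTED_USER -> one-line verdict
diagnose() {
    status=$(printf '%s\n' "$1" | tr -d '\r' | awk 'NR == 1 { print $2 }')
    who=$(header_value "$1" "X-AUSERNAME")
    where=$(header_value "$1" "Location")
    case "$status" in
        204) echo "changed" ;;                      # success, as in the 204 reply
        3??) if [ "$who" = "$2" ]; then             # login worked, PUT not processed
                 echo "authenticated-but-redirected:$where"
             else
                 echo "redirected-as:${who:-unknown}:$where"
             fi ;;
        401) echo "credentials-rejected" ;;         # assumption: generic HTTP meaning
        *)   echo "unexpected-status:${status:-none}" ;;
    esac
}

# Constructed samples, abbreviated from the two responses quoted in the thread.
SAMPLE_204='HTTP/1.1 204 
X-Seraph-LoginReason: OK
X-AUSERNAME: hh
Content-Type: application/json;charset=UTF-8'

SAMPLE_302='HTTP/1.1 302
Content-Type: text/html;charset=UTF-8
X-AUSERNAME: demouser
Location: /servicedesk/customer/portals'

diagnose "$SAMPLE_204" hh
diagnose "$SAMPLE_302" demouser
```

An "authenticated-but-redirected" verdict means the credentials were accepted, so the next check is the user-directory one described above rather than the password itself.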

CrisP. October 13, 2017

Seems like we have some configuration issues.
I will get back to you with an update.

Thanks again.
