Dear Jira doers,
I'm trying to use the new OAuth 2.0 authentication feature from the latest Jira 8.13.0 release. I followed the process (configured the OAuth 2.0 link, registered and configured the application in Azure AD). When I test the Jira mail server, the "Authorize" step is OK. But, at the last step, "Test Connection", I got "AuthenticationFailedException: AUTHENTICATE failed".
Does anyone have an idea how to overcome this failure?
Thanks,
Xavier
Hi,
After help from Atlassian, my concern has been solved. Two important points:
- Scopes used within Jira OAuth 2.0 should match the permission settings in the Azure application registration ("https://outlook.office.com/IMAP.AccessAsUser.All", "https://outlook.office.com/POP.AccessAsUser.All" and "offline_access");
- Jira admin who configures mail servers should have access permission to the authorized mailboxes in Azure application.
Regards,
Xavier
Thanks for posting your solution.
When I look for those scope options they aren't available to be chosen in the app registration.
When selecting the user account to test with, is it just testing connecting or trying to access a mailbox?
Sorry, I had not seen the notification mail before. If it's still relevant, I'm not sure that there would be an attempt to access the mailbox, but it should check the complete connection to the mailbox.
Xavier
We had the same issue. We could sometimes get the mail server to save, but the handlers would fail. The mailbox accounts needed the IMAP role, OAUTH needed the scopes listed above, AND we had to be logged on as the mailbox account when configuring the mail server.
However, we had a few systems where logging on as the mailbox account wasn't possible (and I really didn't like giving the mailbox account admin access in Jira)... so I found a workaround that doesn't require you to make the mailbox account an admin in Jira (it doesn't even need to be a Jira account):
1. Open a fresh browser with no cache (I used an incognito window)
2. Go to office.com and log on with the email account
3. Once authenticated, open Jira in a new tab and log on as yourself
4. Configure the mail server. After clicking authorize, you should have the option to use the mailbox account that you used in Step 2.
5. Test and save.
6. Test your mail handler.
@Xavier Tang Thank you thank you! You're a lifesaver. I wouldn't have thought in a million years to give the mailbox owner admin rights and configure the mail server as the mailbox owner. Worked perfectly for me!
@Xavier Tang I am facing the same issue. I even saw your other post about enabling OAuth 2.0.
My scope is the same in both Azure and Jira. So the first point may not be valid for me.
About the second point: I have access to the mailbox with my Jira admin account. So what and where exactly should we have access to the mailbox in Azure?
The Jira admin account can be accessed with https://outloo.office365.com/owa/<MailBox>. Is there anything else I can validate for the second point to make sure I have access to the mailbox in Azure?
Any help much appreciated.
Thanks,
Om
Hi,
I found that I should be logged in to Jira as the owner of the mailbox and configure the mail server. Once the connection test is OK and the configuration is saved, I remove the admin permission of the mailbox owner if he (or it) is not a real Jira admin, and I then configure the mail handler in my own name.
Regards,
Xavier
Hi @Xavier Tang Yes, I even tested with the same mailbox owner. I added the mailbox owner to Jira admin and then tested the connection. Still the same error. I have asked my Outlook Exchange admin to check, but he was seeing that the request is with my name. But the Jira log says:
2021-04-14 15:07:35,694-0400 https-openssl-nio-8443-exec-7 url: /jira/secure/admin/VerifyPopServerConnection!update.jspa; user: Rational.Support ERROR Rational.Support 907x739x1 1hnw9gr 10.xx.xx.xx /secure/admin/VerifyPopServerConnection!update.jspa [c.a.j.p.mail.webwork.VerifyMailServer] Unable to connect to the server at outlook.office365.com due to the following exception: javax.mail.AuthenticationFailedException: AUTHENTICATE failed.
Here is my scope:
https://graph.microsoft.com/offline_access
https://graph.microsoft.com/IMAP.AccessAsUser.All
https://graph.microsoft.com/POP.AccessAsUser.All
It is the same configuration in both Azure and Jira. Do you think anything is wrong in the scope?
Do we need the mailbox owner to be the Azure app owner?
Thanks,
Om
Hi @Xavier Tang Is your scope the same as mine? I have it as Graph instead of the Atlassian recommendation.
Did you have the scope as below?
https://outlook.office.com/IMAP.AccessAsUser.All
https://outlook.office.com/POP.AccessAsUser.All,
offline_acc
I am able to connect now. It may be helpful for others.
1) I just entered the scope AS IS in Jira, but in my Azure it is the Graph scope. That URL is different.
https://outlook.office.com/IMAP.AccessAsUser.All
https://outlook.office.com/POP.AccessAsUser.All,
offline_access
2) I logged into Jira with the mailbox ID itself. This mailbox ID was added to the Jira-administrator group.
Then the authorization and the test connection succeeded.
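The scope mismatch discussed in this thread can be checked mechanically before anyone changes account permissions. The following is an added example, not code from any poster or from Atlassian: it lints a pasted scope field against the three scope strings the thread reports as working, and inspects an access token's claims. The function names and sample tokens are constructed, and it assumes the access token is a JWT carrying `aud` and `scp` claims.

```python
import base64
import json

# Scope strings the thread reports as working for the Jira mail server.
REQUIRED = (
    "https://outlook.office.com/IMAP.AccessAsUser.All",
    "https://outlook.office.com/POP.AccessAsUser.All",
    "offline_access",
)

def lint_scopes(raw):
    """Check a pasted scope field (space, comma or newline separated)."""
    given = {s.lower() for s in raw.replace(",", " ").split()}
    problems = []
    for s in sorted(given):
        if s.startswith("https://graph.microsoft.com/"):
            problems.append("Graph-prefixed scope: " + s)
    for need in REQUIRED:
        if need.lower() not in given:
            problems.append("missing: " + need)
    return problems

def token_claims(jwt):
    """Decode a JWT payload WITHOUT verifying the signature (diagnosis only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(jwt):
    """Assumption: the token is a JWT with 'aud' and 'scp' claims."""
    claims = token_claims(jwt)
    problems = []
    if "graph.microsoft.com" in str(claims.get("aud", "")):
        problems.append("token audience is Graph: " + str(claims["aud"]))
    granted = claims.get("scp", "").split()
    for short in ("IMAP.AccessAsUser.All", "POP.AccessAsUser.All"):
        if short not in granted:
            problems.append("not granted: " + short)
    return problems

def make_sample_token(aud, scp):
    """Build a constructed, unsigned sample token for the demo."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"aud": aud, "scp": scp}), "sig"])

if __name__ == "__main__":
    print(lint_scopes("https://graph.microsoft.com/IMAP.AccessAsUser.All offline_access"))
    print(check_token(make_sample_token("https://graph.microsoft.com", "User.Read")))
```

Treat any real access token as a credential: decode it locally as above and do not paste it into online tools or tickets.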