Using Oauth Tokens with curl Edited

I have created an Oauth Token and am using to do a "request" successfully when using Java and the rest-oauth-client-1.0.one-jar.jar

 

java -jar /var/tmp/rest-oauth-client-1.0.one-jar.jar request xxxxxxx https://jira-eng-sjc3.cisco.com/jira/rest/api/latest/issue/JIRA-1244

 

this works perfectly...

 

i get info back on the issue as expected.

 

but have yet to figure out how to do it with "curl", and the users want it...

 

/sw/packages/curl/current/bin/curl -v -X GET -H "Authorization: Bearer xxxxxxxx" -H "Content-Type: application/json" 'https://jira-eng-sjc3.cisco.com/jira/rest/api/latest/issue/JIRA-1244'
Note: Unnecessary use of -X or --request, GET is already inferred.
* Trying 171.70.36.75...
* Connected to jira-eng-sjc3.cisco.com (171.70.36.75) port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.2 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
* subject: C=US; ST=CA; L=San Jose; O=Cisco Systems, Inc.; CN=Bundle_SJC1.cisco.com
* start date: Jun 19 21:35:43 2017 GMT
* expire date: Jun 19 21:35:37 2019 GMT
* subjectAltName: host "jira-eng-sjc3.cisco.com" matched cert's "jira-eng-sjc3.cisco.com"
* issuer: C=US; O=HydrantID (Avalanche Cloud Corporation); CN=HydrantID SSL ICA G2
* SSL certificate verify ok.
> GET /jira/rest/api/latest/issue/JIRA-1244 HTTP/1.1
> Host: jira-eng-sjc3.cisco.com
> User-Agent: curl/7.50.1
> Accept: */*
> Authorization: Bearer bxAb6dnCaPiLYmTadrxw6JEmcBrHLxFQ
> Content-Type: application/json
>
< HTTP/1.1 401
< Date: Fri, 13 Jul 2018 18:16:05 GMT
< Server: Apache/2.4.29 (eifweb@cisco.com - CEL 7.x) OpenSSL/1.1.0f mod_fcgid/2.3.9
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-AREQUESTID: 676x373633x1
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-ASEN: SEN-2124079
< X-AUSERNAME: anonymous
< Cache-Control: no-cache, no-store, no-transform
< WWW-Authenticate: OAuth realm="https%3A%2F%2Fjira-eng-sjc3.cisco.com%2Fjira"
< Content-Type: application/json;charset=UTF-8
< Set-Cookie: atlassian.xsrf.token=BPUR-R00M-18XV-8SSG|658a0f3d51b8fccefad0edb9c691f5d9db1aa99a|lout;path=/jira;Secure
< P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
< X-UA-Compatible: IE=edge
< Transfer-Encoding: chunked
<
* Connection #0 to host jira-eng-sjc3.cisco.com left intact
{"errorMessages":["You do not have the permission to see the specified issue.","Login Required"],"errors":{}}

appreciate if anyone has any ideas for me.

 

that 

X-AUSERNAME: anonymous

is curious

 

 

 

1 answer

0 votes

When you are using the java jar file in the tutorial, your token is being used to help authenticate you against the REST service, but it's using the java algorithm in that jar file in order to make this authorization handshake correctly.   I am afraid it is not as straight forward as simply passing the token in the headers of a rest call using curl.

In the case of using curl directly, you actually are not being authenticated in that request.  Which is why the response from the REST service is the way it is.  

This call is complex enough when using Oauth tokens that there tends to be an expectation that you will use a coded library to make this call.  That's not to say it is impossible to make an Oauth rest call to Jira via curl, but it's not quite as easy as say a basic authorization request is via curl where you can just pass the parameters.

If you have end users that are making scripting calls or just individual requests, it's probably better to have them use the basic authentication guide instead.  It's less complicated and does not have the expectation that you need a coded library like, java in order to make the call.

My users are currently using Basic Authentication with curl. This presents several issues such as login timeout/lock, passing login username and password in clear text, no persistent connection.
If Basic Authentication is Atlassian's recommendation vs OAuth, how do you suggest we restrict API access from rogue servers/users, not pass login info in clear text and preven login timeout/lock issues?

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Feb 26, 2019 in Jira Software

How to prevent the propagation of unused project schemes, workflows & screens in Jira software

Atlassian ranks project attributes as the third most important factor impacting performance in the category of data. It’s not surprising, since project attributes are precisely the rules used to ma...

595 views 0 6
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you