Where can I find documentation for the Captcha challenge link in "X-Authentication-Denied-Reason"?

Julius Böcker December 2, 2019

I want to make proper response to a REST api call that gets denied because the user has too many failed login attempts and needs to solve a Captcha challenge.

By looking at the response I found out that Jira returns the header "X-Authentication-Denied-Reason" with a link to the login-page where the user needs to enter a Captcha.

Is there any official documentation on this? I only found this old blog post:
https://www.atlassian.com/blog/archives/jira_search_with_rest

Earl McCutcheon
Atlassian Team
December 3, 2019

Hi @Julius Böcker ,

Welcome to the community. When it comes to captcha, the setting is a security measure, so it's designed to not be able to be bypassed if enabled and triggered. Also, captcha can either be enabled or disabled, so there is not a selective option for API accounts specifically (all or nothing setting). So, if enabled, it requires the manual captcha confirmation to re-enable login for the account via the UI.

There is a discussion in the following post of alternative approaches such as IP tables to rate limit calls rather than using captcha, and suggesting the third party application fail2ban that might be a good approach to take in lieu of the captcha settings, but I recommend checking out the suggestions to see if any would work out in your case:

Regards,
Earl

Julius Böcker December 6, 2019

Hi @Earl McCutcheon 

Thanks for the reply.

This is helpful if you want to configure your Jira for other Captcha solutions. But I need a solution where no extra Jira administration is needed.

To specify what I am trying to do:
An external software makes a REST API call to Jira. The user entered his password incorrectly too many times. The error he gets is a simple "failed login".
He might not know that he needs to enter a Captcha and thinks something else is wrong. Only after he opens Jira in the browser will he be informed about it.

The goal is not to bypass the Captcha, but to inform the user and send him a link to Jira where he can enter his Captcha.

This is theoretically possible with the information from the header in "X-Authentication-Denied-Reason". But there is no official documentation, so it wouldn't be safe to implement it.
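As an added example (not code from either post or from Atlassian), a small Python handler for the external software's side: it reads X-Authentication-Denied-Reason from a denied response and turns it into the message and link described above, showing the link only when it points at the Jira base URL the client was configured with. The header value format `CAPTCHA_CHALLENGE; login-url=<login page>`, the function names and the sample headers are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Mapping, Optional

# Header Jira sets when a login is refused. Value format assumed here:
# "CAPTCHA_CHALLENGE; login-url=https://jira.example.com/login.jsp"
DENIED_HEADER = "X-Authentication-Denied-Reason"

# Constructed sample of the response headers an external client might receive.
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "X-Authentication-Denied-Reason":
        "CAPTCHA_CHALLENGE; login-url=https://jira.example.com/login.jsp",
}

@dataclass
class DeniedReason:
    reason: str
    login_url: Optional[str]

def parse_denied_reason(value: str) -> DeniedReason:
    """Split 'REASON; key=value; ...' into the reason code and the login-url."""
    parts = [p.strip() for p in value.split(";")]
    login_url = None
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        if sep and key.strip().lower() == "login-url":
            login_url = val.strip()
    return DeniedReason(parts[0], login_url)

def explain_denied_response(headers: Mapping[str, str], jira_base: str) -> Optional[str]:
    """Return a message for the user if Jira demanded a CAPTCHA, else None.

    jira_base is the Jira URL the client was configured with. The login link
    is shown only when it points at that base, so a tampered header cannot
    make the client send the user to an unrelated site.
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    value = lowered.get(DENIED_HEADER.lower())
    if value is None:
        return None
    denied = parse_denied_reason(value)
    if denied.reason != "CAPTCHA_CHALLENGE":
        return f"Jira refused the login: {denied.reason}"
    msg = "Jira is blocking logins for this account until a CAPTCHA is solved."
    if denied.login_url and denied.login_url.startswith(jira_base.rstrip("/") + "/"):
        return f"{msg} Open {denied.login_url} in a browser, log in there, then retry."
    return f"{msg} Open Jira ({jira_base}) in a browser, log in there, then retry."
```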
