Our software has been down since Microsoft turned off basic authentication recently. We can no longer create tickets through e-mail.
We noticed that the latest version had something other than basic authentication: OAuth 2.0. So we updated to 8.13.1.
Working with the e-mail team we were able to complete the OAuth 2.0 setup details in Jira on the Microsoft side. However, when we go to test, it just does a loop.
After clicking the test we log in with the user and password and we receive a pop-up that says someone with admin rights needs to log in. We have an O365 admin login and confirm the pop-up that allows the app. Then it reloads the Jira screen. At this point we can do the test link again and the same thing happens. Login/Admin Login/Allow. It just does this loop.
Question: there is that "redirect URL" we have registered that points to our server. In order to complete this authentication process, does Microsoft actually need to make a connection back to our server using that URL? That wouldn't work because the DNS doesn't resolve externally and because it is not a public server.
That is the main question. Should this process be able to be set up if our Jira server is not set up to be accessed from the Internet? If yes, where would I find the logs containing the most accurate error messages for this process? If no, is there another way to log in to O365 so we can retrieve our IMAP e-mails and have the cases created?
Any ideas would be greatly appreciated as we are basically down.
Just for us to stay on the same page, have you followed the steps below?
OpenId permissions: offline_access
IMAP: IMAP.AccessAsUser.All
POP: POP.AccessAsUser.All
I'm going to try a reply again today. This form hasn't been allowing me to reply and then I accidentally posted in the "community" side I guess since I could only create a new post. Which, since this says "community" as well got confusing...
We verified those settings on the Microsoft side and in Jira and after login from the test link, we receive this pop-up as it returns to the Jira webpage. It looks like it accepted the login before returning:
The connection has failed.
Check the application logs for details.
I'm not sure exactly where in the logs to find the error.
Also, to verify scope... it formatted a little strange in your instructions.
Are the asterisks included in the scope? The brackets? Quotes? I'm not sure if I'm entering it right and it doesn't appear to check it for validity in the Jira configuration form.
@Artur Moura that answer looks great. Quick question: I'm trying to do this in our on-prem Jira, and when it comes to testing the connection it keeps redirecting me to a URL that looks like the one below
That returns a 404 every time, which is a bit odd. Not sure what to do from here.
Any help will be greatly appreciated.
Same here. Followed all the steps above, and the OAuth connection works as expected, but mail retrieval is failing with:
Messaging Exception in service 'com.atlassian.jira.service.services.mail.MailFetcherService$MessageProviderImpl' when getting mail: NQL3 BAD User is authenticated but not connected.javax.mail.MessagingException: NQL3 BAD User is authenticated but not connected.
The connection is no longer open, messages marked as deleted will not be purged from the remote server: outlook.office365.com until the next run.
FYI in case anyone else sees this - I had a Jira deployment working just fine with OAuth2 + M365 w/ IMAP and it suddenly started reporting this error a couple of days ago.
Turns out someone had turned off the 'IMAP Access' allowed flag on the mailbox account. It looked like it was authenticating just fine, but was not able to access anything.
If you see the same 'BAD User is authenticated but not connected.' error - check to make sure IMAP is still enabled on the account.
Just to reiterate a few details,
1. When you do the authorization step you need to be logged in to the PC as the Jira mail account. This is because this initial authorization is between the browser and Microsoft, not between the Jira server and Microsoft.
2. These are the scopes you need
These need to be set up both on the Microsoft account side and in the OAuth2 config in Jira, i.e., they need to match. I'm not 100% sure you need POP if you are using IMAP and vice versa, but having both won't hurt. You don't need the Graph API mail scopes.
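Added example, not part of any reply in this thread and not Jira's own code: a sketch of the browser-side leg of the OAuth 2.0 authorization-code flow described above, plus a check that the scopes Microsoft granted cover the three named in this thread. The Jira hostname, callback path, tenant and client values are hypothetical placeholders, and matching a granted scope on the part after its last `/` is an assumption.

```python
import hmac
from urllib.parse import urlencode, urlsplit, parse_qs

# Scope names as listed in this thread.
REQUIRED = {"offline_access", "IMAP.AccessAsUser.All", "POP.AccessAsUser.All"}

def build_authorize_url(tenant, client_id, redirect_uri, scopes, state):
    """URL the admin's browser opens; Microsoft never dials the Jira host here."""
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,  # must equal the registered redirect URL
        "scope": " ".join(sorted(scopes)),
        "state": state,
    })
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?{query}"

def parse_callback(callback_url, expected_state):
    """Parse the URL the browser is sent back to after consent.
    Returns the authorization code; raises ValueError on error or state mismatch."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    if "error" in params:
        raise ValueError(f"{params['error']}: {params.get('error_description', '')}")
    if not hmac.compare_digest(params.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this request")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"]

def missing_scopes(granted_scope_string):
    """Compare the space-separated 'scope' value of a token response with REQUIRED.
    Assumption: a granted scope may carry a resource prefix, so only the part
    after the last '/' is compared."""
    granted = {s.rsplit("/", 1)[-1] for s in granted_scope_string.split()}
    return sorted(REQUIRED - granted)

if __name__ == "__main__":
    # Constructed values for illustration only.
    cb = "https://jira.internal.example/callback"
    print(build_authorize_url("TENANT_ID", "CLIENT_ID", cb, REQUIRED, "s3"))
    print(parse_callback(cb + "?code=SAMPLE&state=s3", "s3"))
    print(missing_scopes("offline_access IMAP.AccessAsUser.All"))
```

The callback URL only has to resolve for the browser that follows the redirect, and a non-empty result from `missing_scopes` points at a mismatch between the two scope configurations.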
Yeah I’m aware of that. I know I said it’s an on-prem system but I’m actually accessing it remotely over the internet.. so yeah, it’s got internet connectivity.
We created a support ticket and the person helping only got as far as demonstrating that when setting a connection like this one, the redirect will be to a Microsoft URL, which is expected because we’re trying to authenticate with Microsoft, right? So why was it taking me to a Jira URL that doesn’t exist?
Anyhow, the Atlassian support didn’t really know why it was doing that and started recommending doing some server configuration updates around SSL and other network stuff, and at that point the client decided that it was easier to use a plug-in from the store to get the job done, so they did that and it all works fine.
I think it’s called Metainf.
The person that did it sent me these messages (related to that plug-in):
“so, tried setting it up with oAuth connector with Microsoft - doc is very good, however got timeouts
got it processing using SMTP connector/ using TLS, but now trying to figure out how to get inbound email to trigger new jobs in ServiceDesk”
“ok - all working, not using oAuth at all, the plugin added other mail delivery options which are working...”
Hope that helps
Hi @Andres Pinzon ,
We've had other cases where the issue was with the proxy settings related to response headers. Please refer to this documentation, https://confluence.atlassian.com/kb/the-oauth-login-and-approve-has-the-wrong-url-when-using-iis-as-a-proxy-540082192.html, which has some diagnostic and resolution steps as well.
Hope it helps!