Why can't I connect to Microsoft with oAuth2.0 setup?

Paul Roberts December 3, 2020

Hi,

Our software has been down since Microsoft turned off basic authentication recently.  We can no longer create tickets through e-mail.

We noticed that the latest version had something other than basic Authentication.  OAuth2.0.  So we updated to 8.13.1.

Working with the e-mail team we were able to complete the oAuth2.0 setup details in Jira on the Microsoft side.  However, when we go to test it just does a loop.

After clicking the test we login with the user and password and we receive a pop-up that says someone with admin rights needs to login.  We have an O365 admin login and confirm the pop-up that allows the app.  Then it reloads the Jira screen.  At this point we can do the test link again and the same thing happens.  Login/Admin Login/Allow.  It just does this loop.

Question.  There is that "redirect URL" we have registered that points to our server.  In order to complete this authentication process does Microsoft actually need to make a connection back to our server using that URL?  That wouldn't work because the DNS doesn't resolve externally and because it is not a public server.

That is the main question.  Should this process be able to be set up if our Jira server is not set up to be accessed from the Internet?  If yes, where would I find the logs containing the most accurate error messages for this process?  If no, is there another way to log in to O365 so we can retrieve our IMAP e-mails and have the cases created?

Any ideas would be greatly appreciated as we are basically down.

Thanks!

3 answers

10 votes
Artur Moura
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 3, 2020

Hi Paul,

Just for us to stay on the same page, did you follow the steps below?

    1. Log in as a user with the JIRA System Administrators global permission.
    2. Navigate to Administration > System > OAuth 2.0
    3. Click on Add new integration
    4. At the "Service provider", select Microsoft
    5. Click on Copy at the Redirect URL field
    6. Let's login to "https://portal.azure.com/"
    7. Click on App registrations
    8. Click on New registration
    9. Let's pickup a friendly name so it will be easier to identify
    10. Under the "Supported account types" section, let's choose "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)"
    11. Under the "Redirect URI" section, let's pickup Web and insert the URL from step #5 above
    12. Click on Register
    13. Click on API permissions
    14. Click on Add a permission
    15. Click on Microsoft Graph
    16. Select Delegated permissions
    17. Let's select the following permissions:
      OpenId permissions: offline_access
      IMAP: IMAP.AccessAsUser.All
      POP: POP.AccessAsUser.All
      
    18. Click on Add permissions
    19. Click on Grant admin consent for ...
    20. Click on Certificates & secrets
    21. Click on New client secret
    22. Choose a description and expiration date
    23. Take note of the Value generated (this will be used as the "Client secret" at Jira)
    24. Click on Overview
    25. Take note of the Application (client) ID (this will be used as the "Client ID" at Jira)
    26. Let's go back to Jira and complete the configuration by inserting the following details:
      1. Client ID (from step #25 above)
      2. Client secret (from step #23 above)
      3. Scopes: "https://outlook.office.com/IMAP.AccessAsUser.All", "https://outlook.office.com/POP.AccessAsUser.All" and "offline_access"
    27. Click on Save
    28. Test the connection
      If the connection was successful, please proceed
    29. Navigate to Administration > System > Incoming Mail
    30. Click on Add mail server
    31. At the "Service Provider" field, let's pick up Microsoft Exchange Online / Outlook (IMAP)
    32. At the "Username" field, insert the email address being used by Jira
    33. At the "Authentication method" field, select the new server created under the OAuth 2.0 menu
    34. Click on Authorize
    35. Click on Test Connection
    36. Click on Save

Cheers,

Artur

Paul Roberts December 9, 2020

I'm going to try a reply again today.  This form hasn't been allowing me to reply and then I accidentally posted in the "community" side I guess since I could only create a new post.  Which, since this says "community" as well got confusing...

 

Hi,
We verified those settings on the Microsoft side and in Jira and after login from the test link, we receive this pop-up as it returns to the Jira webpage.  It looks like it accepted the login before returning:
__
The connection has failed.
Check the application logs for details.
__
 
I'm not sure exactly where in the logs to find the error.

Also, to verify scope... it formatted a little strange in your instructions.

Are the asterisks included in the scope?  The brackets?  Quotes?  I'm not sure if I'm entering it right and it doesn't appear to check it for validity in the Jira configuration form.

Thank you!

Artur Moura
Atlassian Team
December 9, 2020

Hi Paul,

Good to hear from you!

My apologies, my comment was in an unformatted text, but I've fixed it.

Would you please confirm now if it is more clear to read?

Cheers,
Artur Moura

Andres Pinzon January 14, 2021

@Artur Moura that answer looks great. Quick question: I'm trying to do this in our on-prem Jira, and when it comes to testing the connection it keeps redirecting me to a URL that looks like the one below

https://jira.xxxxx.com.au/common/oauth2/v2.0/authorize?scope=https%3A%2F%2Foutlook.offic....

That returns a 404 every time, which is a bit odd. Not sure what to do from here. 

Any help will be greatly appreciated.

Damien Turner January 25, 2021

Having the same issue.  My Jira installation is internal and setting up OAuth is not working.  The defined scope doesn't work when hitting testing as it doesn't match what was defined in the application in Azure.  Please help!

Same here, followed all the steps above. OAuth connection works as expected, but mail retrieval is failing with:

Messaging Exception in service 'com.atlassian.jira.service.services.mail.MailFetcherService$MessageProviderImpl' when getting mail: NQL3 BAD User is authenticated but not connected.javax.mail.MessagingException: NQL3 BAD User is authenticated but not connected.
The connection is no longer open, messages marked as deleted will not be purged from the remote server: outlook.office365.com until the next run.

Nathan Neulinger September 2, 2021

FYI in case anyone else sees this - I had a jira deployment working just fine with OAuth2 + M365 w/ IMAP and it suddenly started reporting this error a couple days ago.

 

Turns out someone had turned off the 'IMAP Access' allowed flag on the mailbox account. It looked like it was authenticating just fine, but was not able to access anything. 

If you see the same 'BAD User is authenticated but not connected.' error - check to make sure IMAP is still enabled on the account. 

Jim Birch
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 23, 2022

Just to reiterate a few details,

1. When you do the authorization step you need to be logged in to the PC as the Jira mail account.  This is because this initial authorization is between the browser and Microsoft, not between the Jira server and Microsoft. 

2. These are the scopes you need

offline_access
https://outlook.office.com/POP.AccessAsUser.All
https://outlook.office.com/IMAP.AccessAsUser.All

These need to be set up both on the Microsoft account side and in the OAuth2 config in Jira, i.e., they need to match.  I'm not 100% sure you need POP if you are using IMAP and vice versa but having both won't hurt.  You don't need the Graph API mail scopes.
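
A check for the two symptoms reported in this thread, the authorize request landing on the Jira host instead of Microsoft and the requested scopes not matching the app registration. This is an added example, not code from Jira or from any poster. The host `jira.example.internal`, the callback path, the client ID and the sample URLs are constructed placeholders; paste in the URL from the browser address bar after clicking the test link.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Scopes listed in the thread for IMAP/POP access plus refresh tokens.
EXPECTED_SCOPES = {
    "offline_access",
    "https://outlook.office.com/IMAP.AccessAsUser.All",
    "https://outlook.office.com/POP.AccessAsUser.All",
}
MS_LOGIN_HOST = "login.microsoftonline.com"
# Constructed placeholder: use the Redirect URL copied from the Jira OAuth 2.0 form.
REDIRECT = "https://jira.example.internal/oauth2/callback"


def check_authorize_url(url, registered_redirect_uri, expected=EXPECTED_SCOPES):
    """Return findings for the URL the browser is sent to by the test link."""
    findings = []
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if parts.scheme != "https" or parts.hostname != MS_LOGIN_HOST:
        findings.append(f"authorize host is {parts.hostname!r}, expected {MS_LOGIN_HOST!r}; "
                        "check for a proxy rewriting the Location response header")
    if not parts.path.endswith("/oauth2/v2.0/authorize"):
        findings.append(f"unexpected authorize path {parts.path!r}")
    if query.get("response_type") != ["code"]:
        findings.append("response_type is not 'code'")
    requested = set(" ".join(query.get("scope", [])).split())
    if requested - expected:
        findings.append(f"scopes not in the expected set: {sorted(requested - expected)}")
    if expected - requested:
        findings.append(f"scopes missing from the request: {sorted(expected - requested)}")
    if query.get("redirect_uri") != [registered_redirect_uri]:
        findings.append(f"redirect_uri {query.get('redirect_uri')} does not match the registration")
    return findings


def sample_url(host, scopes):
    """Build a constructed authorization request for demonstration."""
    params = {"client_id": "00000000-0000-0000-0000-000000000000",
              "response_type": "code", "redirect_uri": REDIRECT,
              "scope": " ".join(sorted(scopes)), "state": "constructed"}
    return f"https://{host}/common/oauth2/v2.0/authorize?" + urlencode(params)


GOOD = sample_url(MS_LOGIN_HOST, EXPECTED_SCOPES)
REWRITTEN = sample_url("jira.example.internal", EXPECTED_SCOPES)  # 404 symptom
GRAPH_ONLY = sample_url(MS_LOGIN_HOST, {"offline_access", "https://graph.microsoft.com/Mail.Read"})

if __name__ == "__main__":
    for name, url in [("good", GOOD), ("rewritten", REWRITTEN), ("graph_only", GRAPH_ONLY)]:
        print(name, check_authorize_url(url, REDIRECT) or "OK")
```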

0 votes
Bruce Tran January 7, 2022

What is the name of the plugin? And is it free?

0 votes
Artur Moura
Atlassian Team
February 3, 2021

Hi @Andres Pinzon 

For OAuth to work as expected, your Jira is supposed to have internet access and be accessible by Microsoft.

Artur

Andres Pinzon February 3, 2021

Yeah, I’m aware of that. I know I said it’s an on-prem system but I’m actually accessing it remotely over the internet, so yeah, it’s got internet connectivity.

We created a support ticket and the person helping only got as far as demonstrating that when setting up a connection like this one, the redirect will be to a Microsoft URL, which is expected because we’re trying to authenticate with Microsoft, right? So why was it taking me to a Jira URL that doesn’t exist? 

Anyhow, Atlassian support didn’t really know why it was doing that and started recommending some server configuration updates around SSL and other network stuff, and at that point our client decided that it was easier to use a plug-in from the store to get the job done, so they did that and it all works fine.

Damien Turner February 3, 2021

Do you know what application they used ? 

Andres Pinzon February 3, 2021

I think it’s called Metainf. 

The person that did it sent me these messages (related to that plug-in):

“so, tried setting it up with oAuth connector with Microsoft - doc is very good, however got timeouts
got it processing using SMTP connector/ using TLS, but now trying to figure out how to get inbound email to trigger new jobs in ServiceDesk”

then

“ok - all working, not using oAuth at all, the plugin added other mail delivery options which are working...”

Hope that helps

Artur Moura
Atlassian Team
February 3, 2021

Hi @Andres Pinzon ,

We've had other cases where the issue was with the proxy settings related to response headers. Please refer to this documentation, which has some diagnosis and resolution steps as well: https://confluence.atlassian.com/kb/the-oauth-login-and-approve-has-the-wrong-url-when-using-iis-as-a-proxy-540082192.html

Hope it helps!

draganvucanovic September 9, 2021

@Andres Pinzon , plugin you're talking about, is it "Email this issue" ?

I still have same question, created support ticket, waiting reply

Bruce Tran January 7, 2022

@Andres Pinzon 
What is the name of the plugin? And is it free?

Ragini Sharma October 17, 2022

@Artur Moura 

I need your help!

We are unable to use the "Copy" option in the OAuth setup in JSM.

It's greyed out. 

Can you please help with why this is happening?

What might be the reason?
