HTTPBasic token authentication for JIRA server?

Jeffrey Lemay May 13, 2022

My company uses JIRA server 8.20.7.  I have API tokens created using our web interface.

I've connected to REST API using OAuth + token, and I've also connected using HTTPBasic + password.

Is it possible to connect using HTTPBasic + token for JIRA server instances?  JIRA Cloud supports HTTPBasic authentication with token by replacing your password with the token string.  Does JIRA Server support this too?

If so, can someone provide a curl example?

1 answer

0 votes
Radek Dostál
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
May 13, 2022

Why would you want to combine them? You only need one. They're headers, nothing stops you from supplying both in any HTTP request, but there is no need for it. Preferably of course you would want to use tokens as basic authentication has more downsides to it.

Jeffrey Lemay May 13, 2022

Thanks @Radek Dostál.  I'm not sure why the intent is relevant here.

Jira Cloud supports "HTTPBasic+token" authentication by replacing your password with your token string.  This implementation is more secure and flexible than using passwords.  My question is whether JIRA server supports this too.

We have Python scripts and libraries that connect with other REST APIs using "HTTPBasic+token", so I'd like to use those libraries for connecting with JIRA instead of writing new libraries.

Radek Dostál
May 13, 2022

Oh, my bad then - wasn't familiar with "username:token" with Cloud.

On server I know that -u user:pwd represents Basic (because Server did not have any REST/API tokens until recently, Cloud is somewhat ahead in that regard).

Instead of the user parameter, a header can be used in the way I mentioned earlier -H 'Authorization: Basic <base64creds>' (again, using username:pwd).

And since 8.14, personal access tokens (PAT) were added and are used as a header also, -H 'Authorization: Bearer <token>'.

Quick check around I don't see any username:token option for server either. I suppose I don't quite see the need for a username, when the token itself is enough - Jira knows that token belongs to the username so in a sense, providing the username would be redundant. I've used OAuth, basic, PAT, cookie, but I never came across any basic+token combination on Server, nor do I see any documentation page about it.

Then again, wrapping everything up, if you do have a token, then you don't need the username, Jira knows the account it belongs to.
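
The three forms listed in the comment above (-u user:pwd, an explicit Basic header, and a Bearer header carrying the PAT), as an added Python example that is not part of the original thread. The function names, the host and the credential values are constructed placeholders, and no request is sent.

```python
import base64
from urllib.request import Request

# Constructed placeholder host; /rest/api/2/myself returns the calling user.
JIRA_URL = "https://jira.example.invalid/rest/api/2/myself"

def basic_header(username: str, secret: str) -> str:
    """What `curl -u user:pwd` sends: base64 of 'user:secret' (RFC 7617)."""
    if ":" in username:
        raise ValueError("Basic auth usernames cannot contain ':'")
    raw = f"{username}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def bearer_header(token: str) -> str:
    """A PAT sent as the whole credential, with no username attached."""
    if not token or any(ch.isspace() for ch in token):
        raise ValueError("token must be one non-empty string without whitespace")
    return "Bearer " + token

def describe(header_value: str) -> dict:
    """Decode an Authorization value to show what each scheme puts on the wire.
    base64 is an encoding, not encryption, so Basic exposes the secret as-is."""
    scheme, _, payload = header_value.partition(" ")
    if scheme.lower() == "basic":
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
        user, _, secret = decoded.partition(":")  # split on the first ':' only
        return {"scheme": "Basic", "username": user, "secret": secret}
    if scheme.lower() == "bearer":
        return {"scheme": "Bearer", "token": payload}
    raise ValueError(f"unsupported scheme: {scheme!r}")

def build_request(url: str, mode: str, secret: str, username: str = "") -> Request:
    """One call site for a shared library; the auth mode is per-service config."""
    if mode == "basic":
        value = basic_header(username, secret)
    elif mode == "bearer":
        value = bearer_header(secret)
    else:
        raise ValueError(f"unknown auth mode: {mode!r}")
    return Request(url, headers={"Authorization": value, "Accept": "application/json"})

if __name__ == "__main__":
    for req in (build_request(JIRA_URL, "basic", "CONSTRUCTED-SECRET", "jdoe"),
                build_request(JIRA_URL, "bearer", "CONSTRUCTED-PAT")):
        print(describe(req.get_header("Authorization")))  # nothing is sent
```

Because the Basic value decodes straight back to the username and secret, either header should only ever travel over TLS and should be kept out of logs.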

Jeffrey Lemay May 13, 2022

-H 'Authorization: Bearer <token>'

That header represents OAuth token-based authentication.  I don't know if the other API services we connect to all support OAuth.  But I do know they all support HTTPBasic+token.  Azure DevOps is one of them.  JIRA cloud too.

https://docs.atlassian.com/software/jira/docs/api/REST/8.20.7/

According to that documentation, our version of JIRA server supports OAuth and HTTPBasic.  And I have proven to myself that tokens work with OAuth on our server instance.  I just haven't been able to get tokens to work with HTTPBasic.  I'm trying to figure out if the feature is not supported in Server, if my syntax is wrong, or if HTTPBasic+token needs to be enabled in the server config (which I don't have access to see).

Radek Dostál
May 16, 2022

I honestly don't follow what you are trying to chase here. You seem to be creating a non-existing problem by trying to combine 2 different authentication methods. PAT is not a password substitute, it's the entire header value all by its own.

Whatever you're trying to solve should be that py library, it should support both basic and PAT.

Jeffrey Lemay May 17, 2022

I guess I don't see what's complicated...  Both Azure DevOps and Jira Cloud allow users to authenticate by replacing their password with their API token string.  I want to understand if Jira Server supports the same functionality.

I know that there are other ways to authenticate with API tokens.  My preference is to keep our internal Python libraries consistent, and only switch to a different authentication mode for Jira Server if absolutely required.
