
How to authenticate to Jira REST API

Saranya Unnikumar Jun 06, 2018

I am using a Jenkinsfile to update the build result in one of the fields using a curl command.
I am using HTTP Basic auth, but I need another method to authenticate to the Jira REST API other than Basic, as it is very easy to decode using base64.
Can you suggest a method to authenticate to the Jira server using a curl command?

The curl command that I use is:

 sh """curl  --noproxy '*' -D- -H "Authorization: Basic YWRtaW46YWRtaW4=" -X PUT --data '{"fields":{"customfield_10314":{"value":"Development Completed"}}}' -H "Content-Type: application/json" https://localhost:8081/jira/rest/api/2/issue/${issue}"""

2 answers

1 accepted

1 vote
Answer accepted
Andrew Heinzer Atlassian Team Apr 05, 2019

Hi everyone,

Having reviewed this question, it appears that the question asked and the answer given don't exactly match up here. Saranya is asking about how to use a different authentication method other than Basic with curl. Moses' reply does provide ways to use OAuth to authenticate via REST, but this method does not utilize curl (and I can't find a way to use curl with OAuth). As a result, I think that some people searching Google who come across this issue find the answer confusing or misleading for their own use cases.

I wanted to add a more comprehensive and clarifying answer here, sorry if it's long-winded:

There are different methods for authenticating to the REST API in regards to Jira, but each platform has some slightly different authentication methods available to them and as such have different use cases. Platforms here refers to the difference between Server and Atlassian Cloud products. There are different kinds of tokens to refer to below.

 

For Jira Server

Jira Server does not have the same kind of API tokens that can be created for Atlassian Cloud products. There are tokens that can be created, but these are OAuth tokens. The use of OAuth tokens requires that you utilize a programming library in a language such as Java, Perl, Python, Node.js, etc. in order to make these calls. If you're using OAuth, you can't use curl. Examples of these libraries in different languages and source code can be found in https://bitbucket.org/atlassianlabs/atlassian-oauth-examples/src/master/
But if you're using curl, and you're using Jira Server, you can still utilize basic auth or cookie-based auth for making REST calls.

The Jira Server developer documentation's Security Overview page, https://developer.atlassian.com/server/jira/platform/security-overview/, explains the different authentication and authorization methods you can use with Jira Server. From that page:

OAuth

OAuth uses request tokens generated from Jira to authenticate users. We recommend using OAuth when you integrate with Jira. It takes more effort to implement, but it is more flexible and secure compared to the other two authentication methods.

See OAuth, to learn how to implement a client that uses OAuth.

Basic authentication

Basic authentication uses a predefined set of user credentials to authenticate. We recommend that you don’t use basic authentication, except for tools like personal scripts or bots. It may be easier to implement, but it is much less secure.

See Basic authentication, to work through an example of calling Jira with basic authentication.

Cookie-based authentication

Jira uses cookie-based authentication in the browser. You can rely on this to call the REST API from the browser (for example, via JavaScript). However, we recommend you use OAuth or Basic authentication in most cases.

See Cookie-based authentication, to learn how to call Jira using cookies.

Security for apps

Jira Server apps run alongside the product code, so you don’t need to call the REST API. Instead, you call the Java API directly. However, there are additional steps to follow to make your app secure, such as using form token handling.

Form token handling

Form token handling is an additional authentication mechanism for apps that lets Jira validate the origin and intent of requests. This is used to provide another level of security against cross-site request forgery (XSRF).

See Form token handling, to work through how to implement form token handling in Jira.

 

 

For Jira Cloud

It is possible to create your own API token at https://id.atlassian.com. These are only for Atlassian Cloud sites. These are not OAuth tokens. More details on the creation are in https://confluence.atlassian.com/cloud/api-tokens-938839638.html. These tokens are used as part of Basic auth as described in https://developer.atlassian.com/server/jira/platform/basic-authentication

If you're using basic auth in Jira Cloud, then using a utility like curl can work here with an API token.

However, if you want to use OAuth (not the API token created from https://id.atlassian.com), you won't be able to use curl to authenticate. It's a detail that lots of users miss and I fear Atlassian has not sufficiently documented it just yet. In order to do the handshakes required for OAuth use, your REST calls are expected to utilize a programming library that Atlassian has provided. As such, curl can't parse what this library is doing. This handshake can be in any of various languages such as Java, Python, Perl, Ruby, Node.js, etc. You can find the source of this library and examples on how to use it in https://bitbucket.org/atlassianlabs/atlassian-oauth-examples/src/master/


Other ways to make REST calls in Jira Cloud
https://developer.atlassian.com/cloud/jira/platform/security-for-other-integrations/

I hope this helps to clarify some common misconceptions about the different methods of authenticating in REST for Jira Cloud and Jira Server.

Cheers,

Andy
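
An added example, not part of the original posts: a shell sketch for the Basic-auth-with-curl case discussed in the accepted answer. It shows that the `Authorization: Basic` value is only base64-encoded, and builds the curl request from credentials held in environment variables (for instance injected by the CI server's credential store) instead of being written into the Jenkinsfile. The variable names `JIRA_USER`, `JIRA_SECRET` and `JIRA_BASE_URL`, the function names and the host `jira.example.com` are assumptions.

```shell
#!/bin/sh
# Added example; constructed values only. jira.example.com is a placeholder host.

# Build the Basic Authorization value from a user name ($1) and a password or API token ($2).
basic_header() {
    # printf (not echo) so no trailing newline is encoded into the credential
    printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Reverse it. Basic is an encoding, not encryption: whoever can read the
# header (Jenkinsfile in source control, build log, plain HTTP) has the credentials.
decode_basic() {
    printf '%s' "${1#Basic }" | base64 -d
}

# Print a curl config for updating issue $1. Piping it into `curl --config -`
# keeps the header out of the process arguments and out of the Jenkinsfile.
jira_curl_config() {
    if [ -z "${JIRA_USER:-}" ] || [ -z "${JIRA_SECRET:-}" ]; then
        echo "JIRA_USER and JIRA_SECRET must come from the environment" >&2
        return 1
    fi
    case "${JIRA_BASE_URL:-}" in
        https://*) ;;   # TLS is what protects a Basic header in transit
        *) echo "refusing to send Basic auth to a non-https URL" >&2; return 1 ;;
    esac
    printf 'header = "Authorization: %s"\n' "$(basic_header "$JIRA_USER" "$JIRA_SECRET")"
    printf 'header = "Content-Type: application/json"\n'
    printf 'request = "PUT"\n'
    printf 'url = "%s/rest/api/2/issue/%s"\n' "$JIRA_BASE_URL" "$1"
}

# Usage (not run here; payload.json holds the {"fields": ...} body):
#   jira_curl_config "$issue" | curl --config - --data @payload.json

# The header value quoted in the question decodes straight back to user:password.
decode_basic 'Basic YWRtaW46YWRtaW4='; echo
```

On Jira Cloud the secret would be an API token; on Jira Server it is the account password, so the account used should have only the permissions the build needs.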

1 vote
Moses Thomas Jun 06, 2018 • edited Jun 07, 2018

@Saranya Unnikumar I propose the

OAuth is an authentication protocol that allows a user (resource owner) to grant a third-party application (consumer/client) access to their information on another site (resource). Jira uses 3-legged OAuth (3LO), which means that the user is involved in the authentication process by authorizing access to your Jira data.

1. You need to configure application links (incoming), that is, link the third-party application with your Jira instance. See this good article, https://www.prodpad.com/blog/tech-tutorial-oauth-in-jira/, on how to configure an application link for a third party.

Also see how to generate the public and private key:

https://confluence.atlassian.com/jirakb/how-to-generate-public-key-to-application-link-3rd-party-applications-913214098.html

2. You will need to generate an access token (doing the OAuth dance). I suggest you use Python code to generate it; it is easier. https://bitbucket.org/atlassian_tutorial/atlassian-oauth-examples/src/3f0d22c5b1d8749fae6f05aa3556ca8ac3724b5a/python/?at=default

Once you are able to generate this access token, if you succeed it will display a link to log in as the user (Admin, for example) which you want to use to access Jira data (tickets in Jira, for example); then approve access to Jira using this user.

3. Then you can use this user in your external application (code to access Jira, by adding the private key parameter in Python code, for instance, that accesses Jira data in your Jira instance).

Best.

Don Dewar Dec 21, 2018 • edited

The method in the example requires a PEM key to the server. If I got a permanent access token from Jira, how can that be used? I basically want to do what rest-oauth-client-1.0.one-jar.jar does but using Python.

Moses Thomas Dec 31, 2018

@Don Dewar See points 2 & 3; you have your answer there.

Don Dewar Dec 31, 2018

Thanks. I finally did figure that out but now get this traceback.

./app2.py
Traceback (most recent call last):
  File "./app2.py", line 11, in <module>
    r = s.get("https://********/jira/rest/api/2/issue/*****-4313")
  File "/Library/Python/2.7/site-packages/requests/sessions.py", line 521, in get
    return self.request('GET', url, **kwargs)
  File "/Library/Python/2.7/site-packages/requests/sessions.py", line 508, in request
    resp = self.send(prep, **send_kwargs)
  File "/Library/Python/2.7/site-packages/requests/sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
  File "/Library/Python/2.7/site-packages/requests/adapters.py", line 440, in send
    timeout=timeout
  File "/Library/Python/2.7/site-packages/urllib3/connectionpool.py", line 601, in urlopen
    chunked=chunked)
  File "/Library/Python/2.7/site-packages/urllib3/connectionpool.py", line 346, in _make_request
    self._validate_conn(conn)
  File "/Library/Python/2.7/site-packages/urllib3/connectionpool.py", line 850, in _validate_conn
    conn.connect()
  File "/Library/Python/2.7/site-packages/urllib3/connection.py", line 337, in connect
    cert = self.sock.getpeercert()
  File "/Library/Python/2.7/site-packages/urllib3/contrib/pyopenssl.py", line 348, in getpeercert
    'subjectAltName': get_subj_alt_name(x509)
  File "/Library/Python/2.7/site-packages/urllib3/contrib/pyopenssl.py", line 222, in get_subj_alt_name
    for name in ext.get_values_for_type(x509.DNSName)
  File "/Library/Python/2.7/site-packages/urllib3/contrib/pyopenssl.py", line 175, in _dnsname_to_stdlib
    name = idna_encode(name)
  File "/Library/Python/2.7/site-packages/urllib3/contrib/pyopenssl.py", line 173, in idna_encode
    return idna.encode(name)
  File "/Library/Python/2.7/site-packages/idna/core.py", line 355, in encode
    result.append(alabel(label))
  File "/Library/Python/2.7/site-packages/idna/core.py", line 265, in alabel
    raise IDNAError('The label {0} is not a valid A-label'.format(label))
idna.core.IDNAError: The label Bundle_***** is not a valid A-label

which appears to be a correct error given the IDNA name has an underscore in it. (Note: company-specific names are obscured in the traceback with asterisks.) I haven't been able to find a workaround for this, but that is a Python community issue rather than Jira.

Moses Thomas Dec 31, 2018 • edited Jan 01, 2019

@Don Dewar I suspect that some library is missing; for me it worked using the code which I have provided in the link above. I suggest you install PyCharm and then run your code with it; PyCharm will show you a message on what is missing. Then, once you have run the code, go to Settings > Project Interpreter and click the (+) button to add the missing packages.

But make sure you are doing the right thing, following the documentation.
