JIRA Rest API basic authentication always returns 401 unauthorized

Karthik Rajendran April 25, 2019

When trying to access JIRA Issues via JIRA REST API V2 from Salesforce always returns 401 error page for Basic authentication. But this basic authentication is working from some other REST client test tools. I just created a trial version JIRA site to test this. Can someone help me what could be the issue.

 

Thanks.

2 answers

0 votes
Kamran786 July 8, 2020

Hi Team,

I have below details with me:-

1.API Token

2.Correct URI

3.Correct User Name

4.Rest API :- rest/api/3/project(to see all the projects)

Used Authorization as Basic Auth and username as email address and password as the API token key.

I hit this api via post man and i am getting error as :-

Basic authentication with passwords is deprecated. For more information, see: https://confluence.atlassian.com/cloud/deprecation-of-basic-authentication-with-passwords-for-jira-and-confluence-apis-972355348.html

 

Please suggest what am i missing here.

 

Regards,

kamran

Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
July 13, 2020

Don't use the username/password fields here directly.  At one point in the past I know that you could use the API Token just like a password, but the way you're using that token now is just like a password.  Jira Cloud REST API doesn't support using any password type fields here.

Instead follow the steps in Basic auth for REST APIs. It is going to have to build a string of

EmailAddress:ApiToken

And then base64 encode that string.  Once you have that encoded string, the suggestion is to use an authorization header and pass that encoded string in that as a means to include authentication in the request.  This method works.

But you can't just substitute an API token for the previous way passwords worked here.

0 votes
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 1, 2019

Hi Karthik,

I understand that you're seeing only 401 HTTP error codes return from Jira Cloud REST API.   Most of the REST API endpoints require authentication to work properly.  In cases where the authentication is inadequate or incorrect, you can see these 401 error codes.

In the specific case of Jira Cloud and using the Basic Authentication method, Atlassian has recently deprecated the ability to use plaintext passwords with basic auth.  You can read the Deprecation notice for more details.

I'm afraid I don't know the exact details of how this salesforce integration is setup to work in your instance.  If it just has a username and password fields to fill out, I would expect this to fail with Jira Cloud moving forward.  There are new details of how you can still use basic auth with Jira Cloud, but there are different headers that have to be passed when making the call, you need to generate a REST API token, and then you need to build a string and encode that string as described in the Basic Authentication documentation.

Are you using a plugin in Jira in order to do this REST API call?  Or is this an integration directly from the Salesforce app/site?  Just curious so we can best guide you on ways to work past this.

Andy

Hardik Jethava June 13, 2019

Hi,

 

If our system is using Basic authentication to connect to Jira REST API, is there any workaround that we can still make it work for certain period of time or now there is no way to make basic authentication with plain text work?

 

Regards,

Hardik

Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 17, 2019

@Hardik Jethava Basic auth is still available.  But you can no longer use a plaintext password with Atlassian Cloud REST API authentication attempts.

The work-around using basic auth is to first create an API token, then follow the steps in Basic auth for REST APIs.  It explains that there are some different steps you would need to take in order to make this work with an API token vs using a password.   The method I prefer when doing this is listed there as:

Supplying basic auth headers

If you need to, you may construct and send basic auth headers yourself. To do this you need to perform the following steps:

  1. Generate an API token for Jira using your Atlassian Account: https://id.atlassian.com/manage/api-tokens.
  2. Build a string of the form useremail:api_token.
  3. BASE64 encode the string.
  4. Supply an Authorization header with content Basic followed by the encoded string. For example, the string fred:fred encodes to ZnJlZDpmcmVk in base64, so you would make the request as follows:
curl -D- \
-X GET \
-H "Authorization: Basic ZnJlZDpmcmVk" \
-H "Content-Type: application/json" \

I hope this helps.

Andy

trupti bhatt June 19, 2019

Hello Andy,

I have created the api as mentioned in the steps then encoded it using base64 . Passed emailid:apikey.

 

Authorization : Basic <generated key>

Content-Type : application/json 

 

Then also it is not working. Am i missing any steps

Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 20, 2019

@trupti bhatt What steps exactly are you taking in order to base64 encode that email:APIToken string?   I recall another user had a similar problem with the encoding process itself.  

It might help to check out my other thread about this in https://community.atlassian.com/t5/Jira-questions/Basic-authentication-failed-but-email-address-API-token-succeed/qaq-p/990556#M319164

From that thread:

Check out this comment https://superuser.com/questions/120796/how-to-encode-base64-via-command-line/133253#133253

From that thread:

Openssl can be used more succinctly:

echo -n 'input' | openssl base64

[ echo -n -> must be used, or encoding will be done including new line character ]

I tried this in my own command line.  I noticed that when I use the steps you followed (and when I excluded the '-n' parameter from this method), I got an additional 4 characters on the end of my encoded string.  However when I used the command line statement of:

echo -n 'user@example.com:apitokenstring' | openssl base64

The encoded string was 4 characters shorter than with your steps or without the -n.  It looks like the carriage return is getting added to your string and in turn throwing off the string.

 

I hope that helps

Andy

Bruce Reed July 9, 2019

Has anyone confirmed what the basic auth issue is? I can back up Karthik's findings. We have scriptrunner scripts running on JIRA Server that hit Jira Cloud API and were working a few months ago, but have started failing with 401 auth errors. We are properly constructing the auth string and the code has not changed. It's seems something's changed on the Jira Cloud end.

Michael Møldrup July 17, 2019

After upgrading my application to TLS12 and using the API-token instead of password, everything works, with basic authentication.

 

See this, regarding TLS:

https://confluence.atlassian.com/cloud/blog/2019/07/atlassian-cloud-changes-jul-1-to-jul-8-2019

Like Andy Heinzer likes this

Suggest an answer

Log in or Sign up to answer