Hi all,
I'm having an issue with permissions using the application link between Jira and Confluence. The bidirectional connection seems to be working fine. I'm able to load issues using the Jira macro on the Confluence site, and I'm able to search the Confluence knowledge base when searching in Jira's Service Desk portal.
According to the documentation it should work like this: "OAuth authentication redirects a user to log in to the remote application, after which tokens generated on their behalf are used to authorize requests made from the local application. The remote application handling the request uses the access permissions of the account with which the user logged in on that remote application."
My problem arises when I'm not logged in to Confluence as a user (I'm an Anonymous user) and I'm trying to load Jira's issue macro. I'm getting the error "Jira project doesn't exist or you don't have permission to view it." It works when I configure Anonymous access in Jira's project.
The second problem is when trying to add a new page from the template using Jira's API call. Again, it works when Confluence's space is set with the anonymous "can add a page" permission. Otherwise I'm getting:
"message": "Could not create content with type page", "reason": "Forbidden"
My question then is: what am I missing here, when OAuth is granted with my user permissions and the system should handle requests on my user's behalf? It is actually using "anonymous" user privileges.
I can see OAuth tokens in my user profile on both ends.
Hi all, I have found my issue. We are using Apache2 with simple AUTH (htaccess) as a proxy server. To make this work with Tomcat, our configuration contains RequestHeader unset "Authorization". Unfortunately this removes any Authorization header from the client, and so Jira's token.
I followed this manual:
https://confluence.atlassian.com/kb/how-to-create-an-unproxied-application-link-719095740.html
With one difference: I created a second Apache2 proxy on a different port without the simple auth configuration. This port is only allowed from Jira's IP address and has a direct link to Confluence.
It works now.
(y)
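The proxy layout described in this answer, sketched as an added example (not the poster's actual configuration): host names, ports, file paths, the backend address and the 192.0.2.10 address are placeholders, and Apache 2.4 with mod_headers, mod_proxy_http and mod_ssl is assumed.

```apache
# Constructed example. All names, ports, paths and addresses are placeholders.

# Vhost 1: public entry point for users.
# Basic auth is enforced at the proxy, and the Authorization header is then
# removed so Tomcat never sees the proxy credentials. The side effect from the
# thread: an OAuth Authorization header sent by Jira through this vhost is
# removed too, so Confluence treats the request as anonymous.
<VirtualHost *:443>
    ServerName confluence.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/confluence.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/confluence.example.com.key

    <Location "/">
        AuthType Basic
        AuthName "Restricted"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Location>

    RequestHeader unset Authorization

    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8090/
    ProxyPassReverse / http://127.0.0.1:8090/
</VirtualHost>

# Vhost 2: used only as the application link target from Jira.
# No Basic auth and no header stripping, so the OAuth header reaches Confluence.
# Because the proxy no longer authenticates callers here, access is limited to
# Jira's address (placeholder 192.0.2.10); every other client gets 403.
Listen 8443
<VirtualHost *:8443>
    ServerName confluence.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/confluence.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/confluence.example.com.key

    <Location "/">
        Require ip 192.0.2.10
    </Location>

    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8090/
    ProxyPassReverse / http://127.0.0.1:8090/
</VirtualHost>
```

The second listener should also be closed off at the host or network firewall, since the `Require ip` rule is the only control left on that port once Basic auth is removed.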
Hi @Marian Rychtecky ,
Please check if you are using OAuth with Impersonation on the Application Link page. If yes, please change it to OAuth and try again.
I hope that this helps.
Thanks,
Moga
Hi @mogavenasan ,
First of all, thank you for your reply. I tried both.
OAuth - configured and authorized on behalf of the user with an admin account on both sides. According to the documentation, after authentication this link should use for authorization the same user who created the link and authenticated the OAuth token. However, without "public" view on the Confluence space I'm getting 404 - Forbidden for all requests, and vice versa - in Confluence I cannot load Jira's issues using the default Jira macro, unless these issues are publicly visible.
OAuth with Impersonation - configured, with the same username on both sides. Again, without "public" view on the Confluence space I'm getting 404 - Forbidden for all requests, same as described in the previous paragraph.
Not exactly sure what is going on with your configuration, usually OAuth with Impersonation should do the trick.
You might want to check if the JIRA application links core plugins were enabled properly as per Outgoing authentication shows 404 error message via Application Links configuration.
Do you have any reverse proxy between Jira and Confluence? There might be something there that is removing some part of the request that is in charge of the authentication.
Thanks,
Moga