REST + SSO + Atlassian Account + JIRA

My understanding from this question about HTTP Basic authentication not working anymore for jira.atlassian.com is that the workflow should be something like the following:

  1. Post username/password to https://id.atlassian.com/id/rest/login
  2. Retrieve the __ATL_TOKEN cookie sent in the response to a successful login above
  3. Use the provided __ATL_TOKEN in subsequent requests to https://myjira.atlassian.net

If this is correct, then perhaps this no longer works or there is a PEBKAC.

If this workflow is not correct, what should I be doing to ensure that I can use Atlassian Accounts through REST for JIRA?

Thanks in advance,

Sohail

1 answer

1 accepted

1 vote

Are you just trying to use basic auth to log in to your Cloud JIRA instance (for example https://{your-instance-name}.atlassian.net)?

Or are you trying to log in to https://jira.atlassian.com (Atlassian's public-facing issue tracker) specifically?

Hi Sam,

Thanks for looking. I'm trying to use the REST API on my instance.

I am not using any "auth" on the JIRA side, but trying to figure out which cookies need to be set and where to get them from. What I have pieced together based on my experimentation with cURL and looking at cookies in the browser is that I have to get the following cookies:

  • JSESSIONID
  • __ATL_TOKEN
  • studio.crowd.tokenkey

I can get the first two, but not the last. I'm not sure how that is set, or where it comes from.

Does a cURL using basic auth not work for you? This works OK for me:

curl -D- -u user\@example.com:password -X GET -H "Content-Type: application/json" https://yourjirainstance.atlassian.net/rest/api/2/issue/createmeta

Note I use my Atlassian Account login details (so email address and password, instead of username and password).

Based on this example: https://developer.atlassian.com/cloud/jira/platform/jira-rest-api-basic-authentication/

To do cookie-based auth, I log in over REST using POST /rest/auth/1/session and use the resulting session cookie in subsequent requests along the lines of the example here.

Edit: updated links to point to the newer versions of the cloud REST API docs. 

This does not work for me. I believe the reason is due to the recent upgrade to Atlassian accounts (SSO).

Sam Hall Community Champion Apr 25, 2017

Can you post an example of the cURL request you are doing? With generic password and URL, of course : )

1)

curl -i -X POST -H "Content-Type: application/json" https://id.atlassian.com/id/rest/login --data '{"username":"me@domain.com","password":"password"}'

-> results in __ATL_TOKEN cookie

2) 

curl -k https://domain.atlassian.net --cookie "__ATL_TOKEN=<the value>; Version=1; Domain=.atlassian.com; Path=/; HttpOnly; Secure"

-> results in JSESSIONID

3) 

curl -k https://domain.atlassian.net/rest/auth/1/session --cookie "__ATL_TOKEN=..." --cookie "JSESSIONID=..."

-> 401

Note that the second step doesn't really seem to do anything.

I think you just need to do this:

1) curl request to your cloud instance:

curl -i -H "Content-Type: application/json" -X POST -d '{"username":"username","password":"password"}' https://yourdomain.atlassian.net/rest/auth/1/session

 (note this request takes username, not email address)

 -> results in a JSON response that contains something like:

"session":{"name":"somename","value":"6E348...."}

The session name somename might be one of 'studio.crowd.tokenkey' OR  'JSESSIONID' OR 'cloud.session.token'

2) curl request using the session name and the token value from the JSON response in step 1.

So, if session name was studio.crowd.tokenkey, then use:

curl -v --cookie "studio.crowd.tokenkey=6E348...." https://yourdomain.atlassian.net/rest/auth/1/session

Or if session name was cloud.session.token, then use:

curl -v --cookie "cloud.session.token=6E348...." https://yourdomain.atlassian.net/rest/auth/1/session

This works for me. Let me know if it solves or if you have further issues and I'll try to help again.

I get the following after step 1:

{"errorMessages":["Login failed"],"errors":{}}

I get this whether it's my username, or my email.

I only get the error if I am using incorrect username/password.

Does the password you are using defintely log you in to https://{your-instance-name}.atlassian.net?

It sounds like you must be tying to log in/out through the browser in order to look at the cookies, but I thought I should check.

If you haven't tried already, go to https://id.atlassian.com and logout. Then go https://{your-instance-name}.atlassian.net and try to login.

Atlassian invalidated some Atlassian Account passwords recently (read this security notice for more info). Is there a chance your account was affected and you need to reset your password?

Perhaps try change your password via: https://id.atlassian.com/manage/change-password in case that sorts things out.

Assuming you are an admin on the instance, go to https://{your-instance-name}.atlassian.net/admin/users and double check you are using the right username.

By co-incidence, there have been many login-related problems with Atlassian services today. Atlassian are still monitoring the problem, so perhaps there is a chance you are still affected. You could request support from Atlassian via https://support.atlassian.com/contact/ 

Other than that, I'm not sure what else I could be missing. I'm not aware of anything in the Atlassian Account migration that changes the login method. I use my Atlassian Account to log in to several different instances and have no problems with the REST API - using either basic auth or getting a session token using /rest/auth/1/session and using cookie-based-auth.

You don't use SAML SSO to log in, do you?

Atlassian recently converted my account to an "Atlassian Account" https://confluence.atlassian.com/cloud/atlassian-account-for-users-873871199.html

My understanding is that I am technically using SSO: The Atlassian edition.

https://jira.atlassian.com/browse/ID-6230

I believe this is the underlying issue: https://confluence.atlassian.com/bitbucket/upgrade-to-atlassian-account-829056056.html

 

Well this is odd... I changed my password, then tried to login through REST using just my username (not email) and it worked.

Great! Glad it worked in the end.

Maybe the change ironed out some problem hanging over from today's login issues.

Do both methods now work for you?

Basic Auth with email + password (In this request, I use '\' to escape the @ sign):

curl -D- -u yourname\@example.com:password -X GET -H "Content-Type: application/json" https://yourdomain.atlassian.net/rest/api/2/issue/createmeta

Cookie-based with username + password:

curl -i -H "Content-Type: application/json" -X POST -d '{"username":"username","password":"password"}' https://yourdomain.atlassian.net/rest/auth/1/session

 

p.s. Another thing to check would have been if you had tiggered a CAPTCHA which was preventing login:

From: https://developer.atlassian.com/cloud/jira/platform/jira-rest-api-basic-authentication/#advanced-topics

"CAPTCHA is ‘triggered’ after several consecutive failed log in attempts, after which the user is required to interpret a distorted picture of a word and type that word into a text field with each subsequent log in attempt. If CAPTCHA has been triggered, you cannot use JIRA’s REST API to authenticate with the JIRA site.

You can check this in the error response from JIRA – If there is an X-Seraph-LoginReasonheader with a a value of AUTHENTICATION_DENIED, this means the application rejected the login without even checking the password. This is the most common indication that JIRA’s CAPTCHA feature has been triggered."

I guess you must be right. Both methods work... Though, according to the documentation, the second one shouldn't :-/

Edit: I did check for a CAPTCHA. This isn't my first Atlassian REST login rodeo ;-)

Sam Hall Community Champion Apr 25, 2017

Which docs say the 2nd one shouldn't?

I saw it here: https://confluence.atlassian.com/cloud/the-upgrade-to-atlassian-account-873871204.html#TheupgradetoAtlassianaccount-RESTAPIs

> Before your users' accounts upgrade to Atlassian account, REST APIs that accept user credentials expect a username and password. After the upgrade, REST APIs that accept Atlassian account user credentials expect a verified email address instead of a username.

 

Sam Hall Community Champion Apr 25, 2017

Oh. I'd seen that one, but I had somehow interpreted that as only applying when doing basic auth, but not when logging in and getting a cookie using /rest/auth/1/session.

But now you point it out, it doesn't make any distinction like that at all!

I guess I got it in my mind since the Cloud REST API spec and developer docs examples all show username rather than email in the example JSON data for posting to /rest/auth/1/session.

 

Eh, behind big companies are still people. I guess I should file a bug but hopefully this discussion has enough keywords to show up in web searches.

Thanks for your help Sam!

I too can no longer authenticate to our cloud instance using basic auth.  We are using Google/G Suite authentication and Atlassian have mandated enabling the Atlassian Account support this week.  We've enabled that and now can't use basic authentication to authenticate to the REST API.

We were previously using email/password for the instance.  That stopped working, but the email/password from id.atlassian.com is also not working.

Also just done basic test with curl ... no luck.

I've raised a support request, but if anyone has any ideas I'd love to hear them.

Hi Matt - it's probably worth asking a new question here in the community about that. 

Mention Google/G Suite in the question title and it will make it much clearer to people what you need help with and avoid confusion with Sohail's question here, which is not to do with Google/G Suite authentication.

People are more likely to find your question and help if it is posted as a new unanswered question, rather than in a comment on this thread, which is marked as 'solved'.

Anyway, I'm guessing you already tried all the stuff suggested above?

Did you also have look at this old question which might help with some things to try?:

https://community.atlassian.com/t5/JIRA-questions/Does-basic-HTTP-Authentication-work-for-Google-Apps-bound-JIRA/qaq-p/405032

Suggest an answer

Log in or Sign up to answer
How to earn badges on the Atlassian Community

How to earn badges on the Atlassian Community

Badges are a great way to show off community activity, whether you’re a newbie or a Champion.

Learn more
Community showcase
Published Thursday in Jira

5 ways you can make the most of Jira Software and Bitbucket Cloud

As part of the Bitbucket product team I'm always interested in better understanding what kind of impact the use of our tools have on the way you work. In a recent study we conducted of software devel...

80 views 0 5
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you