Where can I find documentation for the Captcha challenge link in "X-Authentication-Denied-Reason"?

I want to make a proper response to a REST API call that gets denied because the user has too many failed login attempts and needs to solve a Captcha challenge.

By looking at the response I found out that Jira returns the header "X-Authentication-Denied-Reason" with a link to the login-page where the user needs to enter a Captcha.

Is there any official documentation on this? I only found this old blog post:
https://www.atlassian.com/blog/archives/jira_search_with_rest

1 answer

0 votes

Hi @Julius Böcker ,

Welcome to the community. When it comes to captcha the setting is a security measure so it's designed to not be able to be bypassed if enabled and triggered. Also, captcha can either be enabled or disabled so there is not a selective option for API accounts specifically (all or nothing setting). So, if enabled, it requires the manual captcha confirmation to re-enable login for the account via the UI.

There is a discussion in the following post of alternative approaches such as IP tables to rate limit calls rather than using captcha, and suggesting the third party application fail2ban that might be a good approach to take in lieu of the captcha settings, but I recommend checking out the suggestions to see if any would work out in your case:

Regards,
Earl

Hi @Earl McCutcheon 

Thanks for the reply.

This is helpful if you want to configure your Jira for other Captcha solutions. But I need a solution where no extra Jira administration is needed.

To specify what I am trying to do:
An external software makes a REST API call to Jira. The user entered his password incorrectly too many times. The error he gets is a simple "failed login".
He might not know that he needs to enter a Captcha and thinks something else is wrong. Only after he opens Jira in the browser, he will be informed about it.

The goal is not to bypass the Captcha, but to inform the user and send him a link to Jira where he can enter his Captcha.

This is theoretically possible with the information from the header in "X-Authentication-Denied-Reason". But there is no official documentation, so it wouldn't be safe to implement it.
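The client-side handling discussed in this thread, as an added example that is not part of any post above and is not Atlassian code: it reads the "X-Authentication-Denied-Reason" header from a denied REST response and builds a message pointing the user to the login page, accepting the link only when it is on the same origin as the Jira base URL the client was configured with. Assumptions: the header value has the form `CAPTCHA_CHALLENGE; login-url=<url>`, the denial arrives with status 401 or 403, and all function names and host names are hypothetical or constructed.

```python
from urllib.parse import urlsplit

DENIED_HEADER = "X-Authentication-Denied-Reason"


def parse_denied_reason(value):
    """Split 'REASON; key=value; ...' (assumed format) into (reason, params)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return None, {}
    params = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        if sep:
            params[key.strip().lower()] = val.strip()
    return parts[0], params


def same_origin(url, base_url):
    """True only if url is http(s) with the same scheme, host and port as base_url."""
    try:
        u, b = urlsplit(url), urlsplit(base_url)
        return (u.scheme in ("http", "https")
                and (u.scheme, u.hostname, u.port) == (b.scheme, b.hostname, b.port))
    except ValueError:  # malformed port or host in either URL
        return False


def captcha_hint(status, headers, base_url):
    """Return a user-facing message for a CAPTCHA denial, else None."""
    if status not in (401, 403):  # assumed denial status codes
        return None
    lowered = {k.lower(): v for k, v in headers.items()}
    reason, params = parse_denied_reason(lowered.get(DENIED_HEADER.lower(), ""))
    if reason != "CAPTCHA_CHALLENGE":
        return None
    login_url = params.get("login-url", "")
    if not same_origin(login_url, base_url):
        # Link missing or pointing at another origin: never show it to the
        # user; fall back to the base URL the client was configured with.
        login_url = base_url.rstrip("/") + "/"
    return "Login is blocked until a CAPTCHA is solved in the browser: " + login_url
```

Because the header is undocumented, the function returns None whenever the value does not match the assumed format, so the caller can fall back to its ordinary "failed login" message.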
