issue links blocked by duo integration?

Platform Operations September 4, 2015

We have a JIRA instance and a Confluence instance, both using independent Duo Checks for 2-factor authentication. When we try to enable an issue link from JIRA to a Confluence page (using Confluence Link) in JIRA version 6.4.9, we get the following error:

java.lang.IllegalArgumentException: Illegal character in query at index 101: https://confluence.webmd.net/https://confluence.webmd.net/plugins/servlet/duologin?duo.request.key=TX|U1NvbmtlcnxESTE4RlQzRFJYRTFWMkdSMktOU3wxNDQxMzgzMjE0|9387500fe7447467720239d1a32206a4f214f6a3:APP|U1NvbmtlcnxESTE4RlQzRFJYRTFWMkdSMktOU3wxNDQxMzg2NTE0|3d8a1023d6ea1b1372448f66781a6cd0be6e4e5f&duo.host.key=api-8f1b888a.duosecurity.com&duo.originalurl.key=%2Fdisplay%2FCMSOP%2FWebMD%2BConsumer%2BD7%2BUpgrade%3Fxoauth_requestor_id%3DSSonker

If we set the same as a Web Link, there is no error. Has anybody encountered this or tried to use Issue links with Duo enabled? Any insights on this are greatly appreciated. Thanks.

4 answers

Jason Miser March 13, 2019

Info from article, in case it gets moved:

If Duo is enabled, you may experience issues after creating an “application link” between Confluence and JIRA instances. Duo prevents successful API calls between the applications.

Duo MFA, Duo Access, and Duo Beyond plan customers who install Duo on both JIRA and Confluence can create a custom Duo policy shared between the JIRA and Confluence applications enabling Remembered Devices for all protected web applications. When users log into the first protected system (for instance, JIRA) and check the "Remember me..." box in the Duo Prompt, the second protected system (Confluence) sees the user has already authenticated with Duo.

For customers who do not want to use policy, or who installed Duo on only one of their JIRA/Confluence systems, the following solution works for both OAuth Authentication and Trusted Applications (not recommended) methods:

After installing Duo you can list the endpoints you do not want Duo to protect under the "duoauth" filter in web.xml. If you installed Duo on both JIRA and Confluence, you would edit the web.xml files on both servers. This bypasses Duo for all listed endpoints.

The additional XML to be added (and modified as needed) is the final section beginning with <param-name>unprotected.dirs</param-name> in the following example:

<filter>
    <filter-name>duoauth</filter-name>
    <filter-class>com.duosecurity.seraph.filter.DuoAuthFilter</filter-class>
    <init-param>
        <param-name>ikey</param-name>
        <param-value>DIXXXXXXXXXXXXXXXXXX</param-value>
    </init-param>
    <init-param>
        <param-name>skey</param-name>
        <param-value>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</param-value>
    </init-param>
    <init-param>
        <param-name>akey</param-name>
        <param-value>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</param-value>
    </init-param>
    <init-param>
        <param-name>host</param-name>
        <param-value>api-XXXXXXXX.duosecurity.com</param-value>
    </init-param>
    <!-- Space-separated paths that bypass Duo two-factor authentication -->
    <init-param>
        <param-name>unprotected.dirs</param-name>
        <param-value>/plugins/servlet/oauth/access-token /plugins/servlet/oauth/request-token /plugins/servlet/oauth/consumer-info /plugins/servlet/streams /plugins/servlet/applinks/whoami /sr/jira.issueviews:searchrequest /secure/RunPortlet /rest /rpc/soap /download/resources/com.duosecurity.jira.plugins.duo-twofactor:resources/ /download/resources/com.duosecurity.confluence.plugins.duo-twofactor:resources/ /rest/gadget/1.0/login /rpc/xmlrpc</param-value>
    </init-param>
</filter>

Again, any paths added to unprotected.dirs bypass Duo authentication. If someone is able to access these paths directly, outside of an application link, they do so without two-factor protection.
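An added example (not from the Duo article or from anyone in this thread): a Python audit that reads a web.xml, extracts the duoauth filter's unprotected.dirs entries, and flags the ones worth reviewing before deployment. It assumes the filter treats each entry as a path prefix; the sample web.xml is constructed from a subset of the paths above, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed duoauth filter using a subset of the paths above.
SAMPLE_WEB_XML = """<web-app>
  <filter>
    <filter-name>duoauth</filter-name>
    <init-param>
      <param-name>unprotected.dirs</param-name>
      <param-value>/plugins/servlet/oauth/access-token /plugins/servlet/applinks/whoami /rest /rpc/soap /rest/gadget/1.0/login
      </param-value>
    </init-param>
  </filter>
</web-app>"""

def local(tag):
    """Strip an XML namespace, since real web.xml files usually declare one."""
    return tag.rsplit("}", 1)[-1]

def unprotected_dirs(web_xml, filter_name="duoauth"):
    """Return the whitespace-separated unprotected.dirs entries of the named filter."""
    root = ET.fromstring(web_xml)
    for flt in (e for e in root.iter() if local(e.tag) == "filter"):
        fields = {local(c.tag): (c.text or "").strip() for c in flt}
        if fields.get("filter-name") != filter_name:
            continue
        for ip in (c for c in flt if local(c.tag) == "init-param"):
            kv = {local(c.tag): (c.text or "") for c in ip}
            if kv.get("param-name", "").strip() == "unprotected.dirs":
                return kv.get("param-value", "").split()
    return []

def audit(paths, max_depth=1):
    """Flag shallow entries and entries already covered by a shorter one.
    Assumption: the filter matches each entry as a path prefix."""
    findings = []
    for p in paths:
        parent = next((q for q in paths if q != p and p.startswith(q.rstrip("/") + "/")), None)
        if parent:
            findings.append((p, "redundant: already covered by " + parent))
        elif len([s for s in p.split("/") if s]) <= max_depth:
            findings.append((p, "broad: exempts a whole top-level tree"))
    return findings

if __name__ == "__main__":
    for path, note in audit(unprotected_dirs(SAMPLE_WEB_XML)):
        print(f"{path:30} {note}")
```

On the sample it reports /rest as a broad exemption and /rest/gadget/1.0/login as already covered by it, which is the kind of entry to narrow to the specific endpoints the application link needs.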

0 votes
daniel_hedberg November 24, 2016

Anyone have an answer for this?

0 votes
Salman Butt October 27, 2016

Same here with JIRA and Jitbit 

0 votes
Luuk van den Broek January 27, 2016

We are encountering the same issue with JIRA and Bamboo integration.
