API Tokens do not work when using Okta SSO provided by Okta

Issue #17 closed
Matt Zuba created an issue

We use Okta’s SSO package for Jira and when attempting to use API Tokens, authentication fails. Not sure if it’s actually related to using Okta or if something else is amiss.

Jira Core/Software/Service Desk: 8.9/8.9/4.9

Comments (13)

  1. Matt Zuba reporter

    I enabled trace logging for this plugin and I do see this error in the logs: /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] Invalid token for [MZuba(JIRAUSER10108)]. It's ok because it might be a password.

    I verified that the token I’m using verifies against the crypt-based hash in the database, so the token is indeed valid.

  2. Roma Bubyakin [Wombats Corp]

    Hello Matt,

    1. Thank you for reporting the ticket! I think that it really could be caused by the custom auth process from Okta.

    Reproducing will be time-consuming; most likely I should be an Okta customer for that, however I will try.

    2. It seems that the basic auth header was changed before token processing.

    Could you please try attached jira-tokens-1.1.5-for-matt.jar with TRACE enabled?

    • It has increased priority for the token processing
    • It writes to logs all request and session variables

      • revoke the token right after testing, just for security reasons
      • send logs privately to info@wombatscorp.com

    Possible outputs:

    1. It works. Means increasing the priority helped.
    2. It showed more information in logs for further investigation.

      1. Most valuable: whether your token is the same or not.
      2. Secondary: Session/Request variables that could give a hint on how to solve the issue.

    Regards, Roman

  3. Matt Zuba reporter

    Thanks for looking into this. Unfortunately the change in priority didn’t seem to help. I’ve emailed the relevant contents of atlassian-jira.log to your info email address.

  4. Matt Zuba

    It looks like the problem stems from a case-sensitivity issue. My username in the Jira database is MZuba (courtesy of the AD → Okta → Jira path), but I was trying the API call with mzuba. It looks like the plugin properly finds my user, but isn’t properly able to compare against the tokens. When I try to auth with MZuba, it works. Here is the log showing both calls, first with mzuba, then with MZuba.

    2020-06-24 09:01:15,195-0700 http-nio-8080-exec-11 TRACE anonymous 541x1072x1 - 1.2.3.4,10.3.8.197 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] Basic auth
    2020-06-24 09:01:15,196-0700 http-nio-8080-exec-11 TRACE anonymous 541x1072x1 - 1.2.3.4,10.3.8.197 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] URL: /rest/api/2/myself
    2020-06-24 09:01:15,196-0700 http-nio-8080-exec-11 TRACE anonymous 541x1072x1 - 1.2.3.4,10.3.8.197 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] Request Headers: true
    2020-06-24 09:01:15,196-0700 http-nio-8080-exec-11 TRACE anonymous 541x1072x1 - 1.2.3.4,10.3.8.197 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] [header] x-forwarded-for:1.2.3.4
    2020-06-24 09:01:15,196-0700 http-nio-8080-exec-11 TRACE anonymous 541x1072x1 - 1.2.3.4,10.3.8.197 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] [header] x-forwarded-proto:https
    2020-06-24 09:01:15,196-0700 http-nio-8080-exec-11 TRACE anonymous 541x1072x1 - 1.2.3.4,10.3.8.197 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] [header] x-forwarded-port:443
    2020-06-24 09:01:15,196-0700 http-nio-8080-exec-11 TRACE anonymous 541x1072x1 - 1.2.3.4,10.3.8.197 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] [header] host:my.host.name
    2020-06-24 09:01:15,196-0700 http-nio-8080-exec-11 TRACE anonymous 541x1072x1 - 1.2.3.4,10.3.8.197 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] [header] x-amzn-trace-id:Root=1-5ef378cb-551bebcb810ff4cc72003f84
    2020-06-24 09:01:15,196-0700 http-nio-8080-exec-11 TRACE anonymous 541x1072x1 - 1.2.3.4,10.3.8.197 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] [header] accept:*/*
    2020-06-24 09:01:15,196-0700 http-nio-8080-exec-11 TRACE anonymous 541x1072x1 - 1.2.3.4,10.3.8.197 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] [header] user-agent:HTTPie/1.0.2
    2020-06-24 09:01:15,196-0700 http-nio-8080-exec-11 TRACE anonymous 541x1072x1 - 1.2.3.4,10.3.8.197 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] [header] accept-encoding:gzip, deflate
    2020-06-24 09:01:15,196-0700 http-nio-8080-exec-11 TRACE anonymous 541x1072x1 - 1.2.3.4,10.3.8.197 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] [header] authorization:Basic bXp1YmE6dmFldVM0UzVsYUhoMDhQbUZ1dWhuSTZuUW8zU1JzWDBCVVc=
    2020-06-24 09:01:15,196-0700 http-nio-8080-exec-11 TRACE anonymous 541x1072x1 - 1.2.3.4,10.3.8.197 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] Request Parameters: false
    2020-06-24 09:01:15,196-0700 http-nio-8080-exec-11 TRACE anonymous 541x1072x1 - 1.2.3.4,10.3.8.197 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] Session Attributes: false
    2020-06-24 09:01:15,196-0700 http-nio-8080-exec-11 TRACE anonymous 541x1072x1 - 1.2.3.4,10.3.8.197 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] Decoded auth header: mzuba:vaeuS4S5laHh08PmFuuhnI6nQo3SRsX0BUW
    2020-06-24 09:01:15,196-0700 http-nio-8080-exec-11 DEBUG anonymous 541x1072x1 - 1.2.3.4,10.3.8.197 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] User:MZuba(JIRAUSER10108)
    2020-06-24 09:01:15,299-0700 http-nio-8080-exec-11 TRACE anonymous 541x1072x1 - 1.2.3.4,10.3.8.197 /rest/api/2/myself [c.w.j.tokens.persistance.TokenDAO] Candidate [vaeuS4S5laHh08PmFuuhnI6nQo3SRsX0BUW]. Hashed candidate [$2a$10$TbMrwlPven75tkbt3J/NzeP1rJlZ1NDNglYLC27ItP5sGldpbn5TK]. Checking against [0] user's tokens
    2020-06-24 09:01:15,299-0700 http-nio-8080-exec-11 DEBUG anonymous 541x1072x1 - 1.2.3.4,10.3.8.197 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] Invalid token for [MZuba(JIRAUSER10108)]. It's ok because it might be a password.
    
    2020-06-24 09:01:18,574-0700 http-nio-8080-exec-13 TRACE anonymous 541x1073x1 - 1.2.3.4,10.3.8.96 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] Basic auth
    2020-06-24 09:01:18,574-0700 http-nio-8080-exec-13 TRACE anonymous 541x1073x1 - 1.2.3.4,10.3.8.96 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] URL: /rest/api/2/myself
    2020-06-24 09:01:18,574-0700 http-nio-8080-exec-13 TRACE anonymous 541x1073x1 - 1.2.3.4,10.3.8.96 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] Request Headers: true
    2020-06-24 09:01:18,574-0700 http-nio-8080-exec-13 TRACE anonymous 541x1073x1 - 1.2.3.4,10.3.8.96 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] [header] x-forwarded-for:1.2.3.4
    2020-06-24 09:01:18,574-0700 http-nio-8080-exec-13 TRACE anonymous 541x1073x1 - 1.2.3.4,10.3.8.96 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] [header] x-forwarded-proto:https
    2020-06-24 09:01:18,574-0700 http-nio-8080-exec-13 TRACE anonymous 541x1073x1 - 1.2.3.4,10.3.8.96 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] [header] x-forwarded-port:443
    2020-06-24 09:01:18,574-0700 http-nio-8080-exec-13 TRACE anonymous 541x1073x1 - 1.2.3.4,10.3.8.96 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] [header] host:my.host.name
    2020-06-24 09:01:18,574-0700 http-nio-8080-exec-13 TRACE anonymous 541x1073x1 - 1.2.3.4,10.3.8.96 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] [header] x-amzn-trace-id:Root=1-5ef378ce-34c4b5ec51feb8c24ca60540
    2020-06-24 09:01:18,574-0700 http-nio-8080-exec-13 TRACE anonymous 541x1073x1 - 1.2.3.4,10.3.8.96 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] [header] user-agent:HTTPie/1.0.2
    2020-06-24 09:01:18,574-0700 http-nio-8080-exec-13 TRACE anonymous 541x1073x1 - 1.2.3.4,10.3.8.96 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] [header] accept-encoding:gzip, deflate
    2020-06-24 09:01:18,574-0700 http-nio-8080-exec-13 TRACE anonymous 541x1073x1 - 1.2.3.4,10.3.8.96 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] [header] accept:*/*
    2020-06-24 09:01:18,574-0700 http-nio-8080-exec-13 TRACE anonymous 541x1073x1 - 1.2.3.4,10.3.8.96 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] [header] authorization:Basic TVp1YmE6dmFldVM0UzVsYUhoMDhQbUZ1dWhuSTZuUW8zU1JzWDBCVVc=
    2020-06-24 09:01:18,574-0700 http-nio-8080-exec-13 TRACE anonymous 541x1073x1 - 1.2.3.4,10.3.8.96 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] Request Parameters: false
    2020-06-24 09:01:18,574-0700 http-nio-8080-exec-13 TRACE anonymous 541x1073x1 - 1.2.3.4,10.3.8.96 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] Session Attributes: false
    2020-06-24 09:01:18,574-0700 http-nio-8080-exec-13 TRACE anonymous 541x1073x1 - 1.2.3.4,10.3.8.96 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] Decoded auth header: MZuba:vaeuS4S5laHh08PmFuuhnI6nQo3SRsX0BUW
    2020-06-24 09:01:18,574-0700 http-nio-8080-exec-13 DEBUG anonymous 541x1073x1 - 1.2.3.4,10.3.8.96 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] User:MZuba(JIRAUSER10108)
    2020-06-24 09:01:18,677-0700 http-nio-8080-exec-13 TRACE anonymous 541x1073x1 - 1.2.3.4,10.3.8.96 /rest/api/2/myself [c.w.j.tokens.persistance.TokenDAO] Candidate [vaeuS4S5laHh08PmFuuhnI6nQo3SRsX0BUW]. Hashed candidate [$2a$10$Rx8s6WtDaCC6Kq494mem9OXNszz.W1lPy9..osxNdqPdVzI.rDGgS]. Checking against [1] user's tokens
    2020-06-24 09:01:18,778-0700 http-nio-8080-exec-13 TRACE anonymous 541x1073x1 - 1.2.3.4,10.3.8.96 /rest/api/2/myself [c.w.j.tokens.persistance.TokenDAO] [Test Token][asp_nU507aJ9xNTu3Nz9][$2a$10$Kx.gW/PmiXvJPeOaQT9Xru8wBXEGGsL9w1nEoPQHgK1WmtAQHBk4m] check passed: true
    2020-06-24 09:01:18,815-0700 http-nio-8080-exec-13 INFO MZuba 541x1073x1 - 1.2.3.4,10.3.8.96 /rest/api/2/myself [c.w.j.tokens.filters.TokenFilter] MZuba(JIRAUSER10108) has been authenticated via API Token (asp_nU507aJ9xNTu3Nz9)
    

  5. Matt Zuba

    Hey Roman,

    Looks like that fixes it - I tried all different cases of usernames and it works as expected now.

    Thanks!
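
The failure mode diagnosed in this thread, modelled as an added example (not the plugin's code): the user is resolved case-insensitively, but the token rows are fetched with the username exactly as typed, so `mzuba` is checked against zero tokens. `Directory`, `TokenStore` and both `auth_*` functions are hypothetical names, the token table keyed by stored username is an assumption, and PBKDF2 stands in for the bcrypt hashes shown in the log.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    key: str   # internal id, e.g. "JIRAUSER10108" in the log above
    name: str  # username as stored, e.g. "MZuba"

class Directory:
    """Hypothetical user directory that resolves usernames case-insensitively."""
    def __init__(self, users):
        self._by_lower = {u.name.lower(): u for u in users}

    def find(self, submitted):
        return self._by_lower.get(submitted.lower())

def _hash(token, salt):
    # PBKDF2 stands in for the bcrypt hashes in the log (standard library only).
    return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, 100_000)

class TokenStore:
    """Hypothetical token table keyed by the stored, case-sensitive username."""
    def __init__(self):
        self._rows = {}

    def add(self, owner, token):
        salt = os.urandom(16)
        self._rows.setdefault(owner, []).append((salt, _hash(token, salt)))

    def matches(self, owner, candidate):
        rows = self._rows.get(owner, [])  # empty list = "Checking against [0]"
        return any(hmac.compare_digest(_hash(candidate, s), h) for s, h in rows)

def auth_by_typed_name(directory, store, submitted, candidate):
    """Failure mode: user is resolved, but tokens are fetched by the typed name."""
    user = directory.find(submitted)
    return user is not None and store.matches(submitted, candidate)

def auth_by_resolved_user(directory, store, submitted, candidate):
    """Tokens are fetched with the identity the directory returned."""
    user = directory.find(submitted)
    return user is not None and store.matches(user.name, candidate)
```

With one token stored for `MZuba`, `auth_by_typed_name` accepts only the exact-case username, while `auth_by_resolved_user` accepts any casing and still rejects a wrong token or an unknown user.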
