gioboa / jira-plugin

Jira plugin for VsCode
https://marketplace.visualstudio.com/items?itemName=gioboa.jira-plugin
MIT License
265 stars 41 forks

OAuth token is being sent using Authorization Basic #184

Closed webJose closed 5 months ago

webJose commented 8 months ago

Describe the issue

I ran the Setup Credentials command. I provided the base URL, then I provided my full e-mail address to go through OAuth, and finally, I provided a Personal Access Token I generated in Jira myself. At this point, the plug-in tries to query https://myjiradomain.com/rest/api/2/status, but it is doing it by sending the header "authorization" with "Basic". Basic authentication is not supported by my Jira server, as seen in the HTTP header www-authenticate in the 401 response I gathered from the console output for the plug-in.

To Reproduce

Unsure if I can give you any more data. Do ask, if you need to know.

Expected behavior

I suppose that, because using Bearer works (see the bottom of the Log section), the expected behavior would be HTTP requests using the Bearer scheme as opposed to the Basic scheme.

Log

{
    "headers": {
        "connection": "close",
        "content-security-policy": "frame-ancestors 'self'",
        "content-type": "text/html;charset=UTF-8",
        "date": "Fri, 05 Jan 2024 05:12:54 GMT",
        "referrer-policy": "strict-origin-when-cross-origin",
        "server-timing": "dtRpid;desc=\"-1357869121\", dtSInfo;desc=\"0\"",
        "strict-transport-security": "max-age=31536000",
        "transfer-encoding": "chunked",
        "www-authenticate": "OAuth realm=\"https%3A%2F%2Fmyjiradomain.com\"",
        "x-anodeid": "orsjdcdr05",
        "x-arequestid": "1272x3385590x5",
        "x-content-type-options": "nosniff",
        "x-frame-options": "SAMEORIGIN",
        "x-oneagent-js-injection": "true",
        "x-seraph-loginreason": "AUTHENTICATED_FAILED",
        "x-xss-protection": "1; mode=block"
    },
    "request": {
        "headers": {
            "accept": "application/json",
            "authorization": "Basic <base64 data redacted>"
        },
        "method": "GET",
        "uri": {
            "auth": null,
            "hash": null,
            "host": "myjiradomain.com",
            "hostname": "myjiradomain.com",
            "href": "https://myjiradomain.com/rest/api/2/status",
            "path": "/rest/api/2/status",
            "pathname": "/rest/api/2/status",
            "port": 443,
            "protocol": "https:",
            "query": null,
            "search": null,
            "slashes": true
        }
    },
    "statusCode": 401
}

NOTE: I redacted the actual response. I deleted the base64 data in the request header authorization, the real Jira domain, the response body (was HTML and very long) and the cookies.

If I do this HTTP call with Thunder Client in VS Code using Authorization set to Bearer <personal access token>, then it works.
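The difference between what the plugin sent and what the server answered with, as an added TypeScript example (not code from jira-plugin, the reporter, or Jira itself). It builds the `Authorization` value for both schemes, parses the `WWW-Authenticate` challenge out of a 401 like the one logged above, flags a sent scheme the server never advertised, and redacts the header before logging, since a Basic value decodes straight back to `email:token`. Every function name is a hypothetical helper, the credentials are made up, and the 401 headers are a constructed copy of the two relevant lines from the log.

```typescript
// Added example, not jira-plugin code. Shows what Basic and Bearer put on the
// wire, reads the 401 challenge headers from the issue's log, and redacts the
// Authorization value before it is logged. All names are hypothetical helpers.

type Scheme = "Basic" | "Bearer";

interface Credentials {
  email: string; // Basic only: the username part
  token: string; // Cloud API token, or a Data Center Personal Access Token
}

const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Minimal base64 over ASCII input (RFC 7617 credentials are ASCII unless the
// server advertises charset=UTF-8). Written out so the point is visible:
// base64 is a reversible encoding, not encryption.
function base64Ascii(s: string): string {
  let out = "";
  for (let i = 0; i < s.length; i += 3) {
    const bytes: number[] = [];
    for (let j = i; j < i + 3 && j < s.length; j++) {
      const code = s.charCodeAt(j);
      if (code > 0x7f) throw new Error("non-ASCII credential; UTF-8 encode it first");
      bytes.push(code);
    }
    const n = (bytes[0] << 16) | ((bytes.length > 1 ? bytes[1] : 0) << 8) | (bytes.length > 2 ? bytes[2] : 0);
    out += B64.charAt((n >> 18) & 63) + B64.charAt((n >> 12) & 63);
    out += bytes.length > 1 ? B64.charAt((n >> 6) & 63) : "=";
    out += bytes.length > 2 ? B64.charAt(n & 63) : "=";
  }
  return out;
}

// Basic: base64("email:token"). Bearer: the token verbatim, no username.
function buildAuthorizationHeader(scheme: Scheme, creds: Credentials): string {
  if (scheme === "Basic") {
    return "Basic " + base64Ascii(creds.email + ":" + creds.token);
  }
  return "Bearer " + creds.token;
}

// First token of an Authorization value: "Basic", "Bearer", ...
function schemeOf(authorization: string): string {
  return authorization.trim().split(/\s+/)[0];
}

// Challenge scheme names in a WWW-Authenticate value: tokens at the start or
// right after a comma that are not followed by "=". A comma inside a quoted
// realm is not handled, which is rare and only over-reports a scheme.
function parseChallenges(wwwAuthenticate: string): string[] {
  const out: string[] = [];
  const re = /(?:^|,)\s*([A-Za-z][A-Za-z0-9_-]*)(?=\s|,|$)/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(wwwAuthenticate)) !== null) out.push(m[1]);
  return out;
}

interface Diagnosis {
  sent: string;
  offered: string[];
  accepted: boolean;
  advice: string;
}

// Compare the scheme we sent with the schemes the server advertised in its 401.
function diagnose401(sentAuthorization: string, responseHeaders: { [k: string]: string }): Diagnosis {
  const sent = schemeOf(sentAuthorization);
  const offered = parseChallenges(responseHeaders["www-authenticate"] || "");
  const reason = responseHeaders["x-seraph-loginreason"] || "no x-seraph-loginreason";
  let accepted = false;
  for (let i = 0; i < offered.length; i++) {
    if (offered[i].toLowerCase() === sent.toLowerCase()) accepted = true;
  }
  let advice: string;
  if (offered.length === 0) {
    advice = "401 without a WWW-Authenticate challenge; check the URL and credentials";
  } else if (accepted) {
    advice = "server accepts " + sent + "; the credential itself was rejected (" + reason + ")";
  } else {
    advice = "server did not advertise " + sent + " (offered: " + offered.join(", ") +
      "); with a Data Center Personal Access Token, try Bearer <token>";
  }
  return { sent: sent, offered: offered, accepted: accepted, advice: advice };
}

// Never log the raw value: a Basic header decodes back to email:token.
function redactAuthorization(authorization: string): string {
  const scheme = schemeOf(authorization);
  return scheme ? scheme + " <redacted>" : "<redacted>";
}

// Constructed sample: the two relevant 401 headers from the issue's log, plus fake credentials.
const SAMPLE_401_HEADERS: { [k: string]: string } = {
  "www-authenticate": 'OAuth realm="https%3A%2F%2Fmyjiradomain.com"',
  "x-seraph-loginreason": "AUTHENTICATED_FAILED",
};
const SAMPLE_CREDS: Credentials = { email: "me@example.com", token: "pat-0123" };

const sampleBasic = buildAuthorizationHeader("Basic", SAMPLE_CREDS);
const sampleDiagnosis = diagnose401(sampleBasic, SAMPLE_401_HEADERS);
console.log(redactAuthorization(sampleBasic) + " -> " + sampleDiagnosis.advice);
console.log(redactAuthorization(buildAuthorizationHeader("Bearer", SAMPLE_CREDS)));
```

Run against the constructed sample, `diagnose401` reports that `Basic` was sent while the server only advertised `OAuth`, which is the mismatch visible in the log; the suggestion to retry with `Bearer <token>` mirrors what worked in Thunder Client and is advice, not a guarantee for every Data Center configuration. The redaction helper is the habit worth keeping in any debug logging: the redacted Basic value in the log above was the right call, because the base64 is trivially reversible.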

gioboa commented 8 months ago

Hi @webJose, I looked online for this Jira 401 problem and found this solution:


Go here: https://id.atlassian.com/manage/api-tokens and create an API token. (The link is for JIRA Cloud. Go to your own instance if using DataCenter) To connect the Plugin, use your email address as the username, and the token value as the password.


Let me know if it works for you.

webJose commented 8 months ago

Ok, but that is in Atlassian's Jira. I'm not using Atlassian's Jira, but a corporate deployment of Jira. My user interface is completely different from Atlassian's, and I only see "Personal Access Token" under my account. No "API Tokens" anywhere.

Still, as I mention, the HTTP request is possible if sent as a bearer token. Anything we can do about using the Personal Access Token as a bearer token?

If it helps, this is a screenshot of its About page:

[Screenshot: Jira About page]

gioboa commented 8 months ago

The best way to solve the problem is to debug the plugin in your environment.

eg.

[Screenshot: debugging the plugin, 2023-03-02 18:52:31]

WeeGee77 commented 7 months ago

I have no clue about TS or JS, but from the docs: https://jira.readthedocs.io/_modules/jira/client.html#JIRA

    # Setup the Auth last,
    # so that if any handlers take a copy of the session obj it will be ready
    if oauth:
        self._create_oauth_session(oauth)
    elif basic_auth:
        self._create_http_basic_session(*basic_auth)

and your code:

    this.jiraInstance = new jiraClient({
      host,
      port,
      protocol,
      basic_auth: configuration.credentials,
      timeout: configuration.get(CONFIG.REQUESTS_TIMEOUT) * 1000 * 60,
      strictSSL: strictSSL !== '' ? strictSSL === 'true' : undefined,
    });

... I wonder if OAuth is implemented in this plugin?

gioboa commented 7 months ago

Yep, it's working. I describe the flow here.

WeeGee77 commented 7 months ago

I did that, but like webJose I use a private corporate Jira instance. Since you wrote that 5 years ago, I wonder if something has changed since then; maybe back then there was no explicit differentiation in the Jira component?

    if oauth:
        self._create_oauth_session(oauth)
    elif basic_auth:
        self._create_http_basic_session(*basic_auth)

But of course I'm just guessing, I don't fully understand all the TS code.

gioboa commented 7 months ago

🤔 yep, maybe something changed. I'm wondering how I can debug your local instance.

github-actions[bot] commented 6 months ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days. Remove stale label or comment or this will be closed in 5 days. Thank you for your contributions.

WeeGee77 commented 5 months ago

How to open it again? It's not solved... @gioboa I don't know how you could debug my local instance ... I can only connect to it from inside my company's network, and all remote access tools like TeamViewer with external access are banned for security reasons. Maybe via a chat which I can open on a private device, where you tell me what to do and I post you the results.

gioboa commented 5 months ago

Can you debug the plugin during your working hours?

WeeGee77 commented 4 months ago

yes, that's possible as long as I have no meetings. We could use Google Meet which allows screen sharing.

gioboa commented 4 months ago

Yep, you can reach me here