Jira tasks from Confluence are not visible after directory change

We changed accounts in jira and then they migrated to confluence

I looked atlassian-confluence.log, but I didn't find any mention of the problem there.  I didn't even find a mention of the user at the time when he had an error

Thanks, this narrows things down a little bit. So as far as I know this should mean that Confluence keeps 'oauth' tokens in it's database for each user. My suspicion is that the tokens are now stale because they are - for the lack of better words - using "user_old" Jira counterparts.

We changed accounts in jira and then they migrated to confluence

Could you elaborate what this means?

Here's my theory, previously you would have username "bob" in Confluence, with his "bob" username in Jira.

Bob logs into Confluence for the first time, and then sees a macro from Jira with "Authorize" prompt.

Bob clicks it, logs into Jira, thus Confluence stores a token for Bob.

This token will be used to fetch Jira data under the account Bob logged into Jira with.

Later, Jira username "bob" was changed to "bob_old" - this technically did not invalidate the token in Confluence, rather, Confluence is still trying to use this token, but Jira is (rightfully so) saying "sorry but you no longer have access to this resource, according to your account bob_old".

And there we are getting to the "but hey, same username!?", well, I would assume the tokens are stored on a "userkey" basis (and I mean, userkey is basically the same as account id as far as uniqueness goes). So even though you created the same username "bob", it's unique userkey is different. They are entirely different user accounts to Jira after all.

Does this sound like this could be the case so far? Because if so, then I think you would need to manually remove all OAuth tokens from Confluence DB (there is an sql query to delete them), and then each user would have to authorize their AppLink again to re-create the OAuth token. Only this time, it would use their "new" Jira accounts.

This of course is not ideal since you would want to shutdown, backup, delete, start, and then the users would be inconvenienced to authorize the app link.

However, in the case that you have also switched Confluence user directory to ldap, and you now have exactly the same user directory, thus exactly the same userbase, then you might be able to switch to OAuth with Impersonation - which should, in theory, not require the users to authorize the AppLink connection - the macros should work for them, provided they have the same username in both Confluence and Jira.

I'm also curious right now if there is a way to confirm the OAuth token theory on a local scale (e.g. just 1 user) before deciding to do the big bang. There must be a way to link the token back to the Confluence user, so you should be able to find just the one token for e.g. your user, try to delete it, and then see if Confluence asks you to re-authorize and if things will work.

The sad part is I don't have a single instance which doesn't use OAuth with Impersonation already (have been around impersonation for years now..), so I can't test this or look around the db myself, or try to simulate your situation to confirm my idea.

Could you elaborate what this means?

Maybe I wrote incorrectly, but I wanted to say that we only worked with Jira users

Yes, I also had a theory, the same as you

I will try to remove the OAuth token in the Conf database from one user and then write here about the results

I didn't find where this token is in the database, but with one of the users with this problem, we went to Confluence in his profile - settings - opened the list of oauth access keys (and there were 2 of them, apparently the old and the new). Both were revoked and this key was re-created from Jira - it didn't help :(

Now I noticed that if the user goes to the "profile" - "tools" and then "view oauth access tokens". there we see the inscription "applications do not use your account to access jira data"

Unless somebody here can provide a safe way to flush/refresh the tokens, then I would advice you to get in contact with Atlassian support and explain what you did with user directories to them.

I can't reproduce your problem to confirm the way forward, but I generally suspect the old OAuth tokens - again though, I don't know the exact steps to do here without being able to test and confirm it, or dig around the logs/tables myself.

Radek, thank`s! 

I described my last problem in the upper answer