Hi @Ed Letifov _TechTime - New Zealand_ 

Thank you very much for your honest response.

I will check with my support team on this and will confirm if we all can connect once over the phone if that works from your side.

Certainly. We (TechTime) are an Atlassian Gold Solution Partner in New Zealand. Feel free to reach to our support via the webchat on our website.

@Ed Letifov _TechTime - New Zealand_ 

Sure. Thank you so very much.

Hi @Phill Fox 

No the URL does not contain xxxx.atlassian.net. It looks like https://gojira.OrganizationName.cloud/jira

Please find attached the 'About Jira' screenshot. For support, this community link has been mentioned.

Hi @Phill Fox ,

URL looks like -- https://gojira.companyname.cloud/jira

JIRA Version in 'About Jira' -- Jira v8.5.4

Please let me know if you need any further information

Thanks @Rakesh15 so this tells us that you are using an on-premise version of Jira and it is a relatively recent one at version 8.5.4 (current version is 8.8.1) and the UI will be different between this and the Cloud versions that you are probably comparing with. 

So going back to your problem of how do you authenticate against this instance of Jira as it is protected by a SSO using your company smart card. 

The first thing to do is to talk to your administrators to find which App they have installed to manage the SSO with the company smart card as each has different approaches to how to handle system accounts such as the one you are trying to setup for your direct access to the REST API.  

You will find the names of some examples with this search https://marketplace.atlassian.com/search?product=jira&query=SSO

Once you know which App is in use you can then research the specifics for that App. 

Sorry I cannot be of much more help without knowing the exact configuration of your solution. 

Phill

Hi @Phill Fox ,

I think we are using OAuth. I have even implemented this authentication process in many other applications developed by our organization.

To give you more info I am explaining here few details. 

We enter JIRA url, this prompts us for smart card authentication. Once we have done that I could see a JSESSIONID under application tab in developer tools. This JSESSIONID i can use in postman to access the rest api.

Now, to valid Oauth authentication we must enter our smart card which is not possible when we want our custon rest api to communicate with JIRA Rest API.

So I am totally blocked now. I do not see anyway to achieve this. I have even read cookie based authentication. For that I should generate API token and that option is not available.

Please suggest on this. I am ready to  give you all the information you need.

Hi Rakesh,

API Tokens are only available on Atlassian Cloud. But looking at the history of this, then your backend is Jira Server/Datacenter.

Server/Datacenter does not support API Tokens without a 3rd party app. We have developed one - here is a link to it: https://marketplace.atlassian.com/apps/1221586/api-token-authentication-jira?hosting=server&tab=overview

It may still leave you with the Issue about how to create one, depending on if it is passed through to your companies UI. There is also a way to create tokens via REST : https://wiki.resolution.de/doc/api-token-authentication/1.2.x/admin-guide/rest-api

You should be able to use an established JSESSIONID to create the token though.

Cheers,
    Chris

Hi @Christian Reichert (resolution) 

Thank you very much for the above details. 

My understanding goes something as follows

My rest api can use these curl commands to a create a token whenever it receives a request from end user. This token will further be used to pass it as basic authentication to jira rest api i.e. 

Authorization : {basic username:generated token}

(Base64encoded) 

 This in turn will give me JSessionId. 

Please correct me if I am wrong. 

Hi @Christian Reichert (resolution) 

I tried to create token https://wiki.resolution.de/doc/api-token-authentication/1.2.x/admin-guide/rest-api

However, it failed to handshake. 

If I can generate a JESSIONID somehow then I can easily access the rest api. Please suggest.

Hi Rakesh15,

let me try to explain a bit more.

You seem to be using Jira Server/Data-Center. Once you connect that to an identity provider (i.e. with your Smartcard Solution), then the User records in Jira don't have any Password anymore. Which is the reason why you cannot use the normal basic auth.

API Tokens are not supported by Jira Server/Data-Centre (you looked at the Cloud Documentation there). To be able to use API Tokens, then your Jira admin needs to install a 3rd Party plugin like ours. Only after an Admin installed (and there needs to be purchase after the evaluation period if you want to keep using it) will the REST API to create tokens be available as described in our documentation.

To *use* a token, you don't need a JSESSIONID - the whole point of a token is, that you can use it instead of a password with basic auth.

However, since you say your company has totally rewritten the UI - you may not see the necessary menu entries to create a token after an admin installed our App.
If that is the case, my suggestion was to use our plugin's REST API to create a token. However to be able to use that REST API you need to be authenticated (catch-22). You could achieve that authentication though by logging into JIRA via your Smartcard in the Browser and then from the Browser Dev Tools get the JSESSIONID of your browser session and use that in the REST call to create the API Token.
That you only need to do once.

After you have the token, you can use it in your script. Use your normal Username and where you would put the password in the basic auth, use your Token.

I hope this clarifies things a bit.

Cheers,
Chris

Hi @Christian Reichert (resolution) 

I really really appreciate your time and patience for giving such a clean explanation. 

I will go as you said. I will use pugins rest api. If so, is it free or a licensed one. Could please share the link to know how to access and use that plugin

Once again thank you very much 😊

Hi @Christian Reichert (resolution) 

Thank you. 

One last question I have. I know I am troubling you more. Please excuse me on this. 

I have JessionID with me now. When I am clicking on create api token it is asking for label and it is generating token. I don't get any prompt you use this JSessionId. 

Please help me. 

Hi @Christian Reichert (resolution) 

Steps which I followed are below - 

1. Got the JSESSIONID

2.Postman entered url as https://gojira.companyname.cloud/jira/rest/de.resolution.apitokenauth/latest/user/token

3. Added cookie with JSESSIONID under headers.

Response is 404.  I am doubting the url. Could you please confirm this.

Hi!

Can you confirm that the admin has actually installed our plugin on your instance? https://marketplace.atlassian.com/apps/1221586/api-token-authentication-jira?hosting=server&tab=overview

Cheers,
Chris

Hi @Christian Reichert (resolution) 

In 'About Jira', I can see the below which means Jira Plugins are there I believe.

Hi @Christian Reichert (resolution) 

After having some discussions with support team here, I got to know that the plugin which u mentioned is not installed here. Could please suggest any other way if available.

One more thing which I noticed in jira is Issue Collector.

When I created an issue collector, it gave me a script. Using this small script, I was able to create issue. This script is even creating JSESSION ID for me without asking for smart card. This is really strange. How is this possible.

If this small script can do that, why cannot I use the same authentication steps which the script is using.

The alternatives to the app Christian has suggested are other SSO enabling apps you'll need to add.  Frankly the one Christian mentions is right at the top of the list of ones I'd recommend to do this.

The issue collectors are using a non-authenticated session to set some defaults and they're making very specific assumptions about the incoming data and how to process it.  They're not logging in in the way you want to.

Hi @Nic Brough -Adaptavist- ,

Thank you for the response.

If I want to go for 2FA authentication app, will the steps be same. I mean

1. Admin of JIRA has to install this app.

2. As a user of JIRA, I should be able to create access token.

3. I can pass this access token as password.

Isn't it? Could you please clarify this.

Hi Rakesh,

I am very sorry but you are asking to do something that the Atlassian Application in your configuration cannot do out of the box.

Every solution will involve that you admin as to do something - usually purchasing and installing a 3rd party application.

If you go for a 2FA App, which you install in Jira - that will not enable you to get a API token. None of the local 2FA apps I know has that feature.

Unless you start creating local Users with local passwords, which you can then use for basic authentication, you need an App like ours that adds the capability for tokens.

Cheers,
Chris

Hi @Christian Reichert (resolution) 

Ahh. This makes sense. 

But you mentioned that I can go for some other sso enabling apps listed there. 

I need to somehow achieve this and I am sure admin is not ready for any license one for now. 

If you have any way left for me, please show me that path. 

Hi!

I'm sorry - I got no good idea that would not require an additional licensed plugin.

Cheers,
Chris

@Christian Reichert (resolution) 

Thank you very much for your time and responses.