Our organization has created a wrapper (my assumption, because the Jira UI is completely different from Atlassian's) for Jira and hosted it in the cloud. We use our company-provided smart card to log in to that Jira account, and I have admin access. This is OAuth authentication, which in turn generates a JSESSIONID. I can use this JSESSIONID to access the REST API in Postman.
Now how can I have my own REST API which can make a call to the Jira REST API and fetch issue details?
I tried cookie-based authentication; it failed since it's on cloud. However, I got to know that we can generate an API token in settings security. However, as I mentioned, our organization's Jira UI doesn't have that option under settings security.
If I have to use OAuth, I cannot generate an access token, as we need to insert a smart card, and it is not possible to interpret a request and create an access token by entering a smart card into a reader.
I tried other links suggested in Jira. However, I could not achieve it.
Please be so kind as to give clear details on how I can achieve this. Sorry for such a lengthy question. I tried to give all the information.
Our product EasySSO for Jira is one of the SSO apps for Jira Server/Data Center, and we do somewhat :) compete with the apps from Resolution. For other customers, we have successfully addressed requirements like 2FA with smart cards, where 2FA is done by a reverse proxy fronting the application and the authentication (including for REST requests) is passed to Jira via our HTTP Headers authenticator.
I want to echo what @Christian Reichert _resolution_ said - you are unlikely to solve this without a paid app from a 3rd party vendor.
However, I want to add another sentiment.
Apologies for being blunt, but it seems there are a LOT of misunderstandings or misconceptions on what is what in your setup and what is actually possible. At least this is how it comes out on our end. Also there is a security aspect to it - to me, the manipulations involving JSESSIONID cookies, as you've described, sound very insecure in nature. Considering you are from an organisation that uses smart cards to protect services, have you actually had your Security Team look this over?
If you *really* want to solve this problem - consider involving a Solution Architect from your side, or at least someone from that support team you've mentioned AND a security team member AND getting an Atlassian Solution Partner into the room. What you are after is definitely possible, you'd be surprised how fast this can be solved if you get the right people involved and ask the right questions.
Hi @Ed Letifov _TechTime - New Zealand_
Thank you very much for your honest response.
I will check with my support team on this and will confirm if we all can connect once over the phone if that works from your side.
Certainly. We (TechTime) are an Atlassian Gold Solution Partner in New Zealand. Feel free to reach out to our support via the webchat on our website.
Hi @Rakesh15
Would it be possible for you to attach a screenshot to your question (obfuscating any company sensitive information) so that we can try and recognise which version of Jira your company is using?
In particular it would be useful to see if the URL contains xxxx.atlassian.net and what the "About Jira" screen shows when you click on the help icon (?).
If your site is hosted at xxxx.atlassian.net then you can set up your security token by following the instructions at https://confluence.atlassian.com/cloud/api-tokens-938839638.html
Hi @Phill Fox
No the URL does not contain xxxx.atlassian.net. It looks like https://gojira.OrganizationName.cloud/jira
Please find attached the 'About Jira' screenshot. For support, this community link has been mentioned.
Hi @Phill Fox ,
URL looks like -- https://gojira.companyname.cloud/jira
JIRA Version in 'About Jira' -- Jira v8.5.4
Please let me know if you need any further information
Thanks @Rakesh15 so this tells us that you are using an on-premise version of Jira and it is a relatively recent one at version 8.5.4 (current version is 8.8.1) and the UI will be different between this and the Cloud versions that you are probably comparing with.
So going back to your problem of how do you authenticate against this instance of Jira as it is protected by a SSO using your company smart card.
The first thing to do is to talk to your administrators to find which App they have installed to manage the SSO with the company smart card as each has different approaches to how to handle system accounts such as the one you are trying to setup for your direct access to the REST API.
You will find the names of some examples with this search https://marketplace.atlassian.com/search?product=jira&query=SSO
Once you know which App is in use you can then research the specifics for that App.
Sorry I cannot be of much more help without knowing the exact configuration of your solution.
Phill
Hi @Phill Fox ,
I think we are using OAuth. I have even implemented this authentication process in many other applications developed by our organization.
To give you more info, I am explaining a few details here.
We enter the Jira URL; this prompts us for smart card authentication. Once we have done that, I can see a JSESSIONID under the Application tab in developer tools. This JSESSIONID I can use in Postman to access the REST API.
Now, to validate OAuth authentication we must enter our smart card, which is not possible when we want our custom REST API to communicate with the Jira REST API.
So I am totally blocked now. I do not see any way to achieve this. I have even read about cookie-based authentication. For that I should generate an API token, and that option is not available.
Please suggest on this. I am ready to give you all the information you need.
Hi Rakesh,
API Tokens are only available on Atlassian Cloud. But looking at the history of this, then your backend is Jira Server/Datacenter.
Server/Datacenter does not support API Tokens without a 3rd party app. We have developed one - here is a link to it: https://marketplace.atlassian.com/apps/1221586/api-token-authentication-jira?hosting=server&tab=overview
It may still leave you with the issue of how to create one, depending on whether it is passed through to your company's UI. There is also a way to create tokens via REST: https://wiki.resolution.de/doc/api-token-authentication/1.2.x/admin-guide/rest-api
You should be able to use an established JSESSIONID to create the token though.
Cheers,
Chris
Hi @Christian Reichert _resolution_
Thank you very much for the above details.
My understanding goes something as follows:
My REST API can use these curl commands to create a token whenever it receives a request from an end user. This token will further be used to pass it as basic authentication to the Jira REST API, i.e.
Authorization : {basic username:generated token}
(Base64encoded)
This in turn will give me JSessionId.
Please correct me if I am wrong.
Hi @Christian Reichert _resolution_
I tried to create a token: https://wiki.resolution.de/doc/api-token-authentication/1.2.x/admin-guide/rest-api
However, it failed to handshake.
If I can generate a JSESSIONID somehow then I can easily access the REST API. Please suggest.
Hi Rakesh15,
let me try to explain a bit more.
You seem to be using Jira Server/Data-Center. Once you connect that to an identity provider (i.e. with your Smartcard Solution), then the User records in Jira don't have any Password anymore. Which is the reason why you cannot use the normal basic auth.
API Tokens are not supported by Jira Server/Data-Centre (you looked at the Cloud Documentation there). To be able to use API Tokens, your Jira admin needs to install a 3rd Party plugin like ours. Only after an Admin has installed it (and there needs to be a purchase after the evaluation period if you want to keep using it) will the REST API to create tokens be available as described in our documentation.
To *use* a token, you don't need a JSESSIONID - the whole point of a token is, that you can use it instead of a password with basic auth.
However, since you say your company has totally rewritten the UI - you may not see the necessary menu entries to create a token after an admin installed our App.
If that is the case, my suggestion was to use our plugin's REST API to create a token. However to be able to use that REST API you need to be authenticated (catch-22). You could achieve that authentication though by logging into JIRA via your Smartcard in the Browser and then from the Browser Dev Tools get the JSESSIONID of your browser session and use that in the REST call to create the API Token.
That you only need to do once.
After you have the token, you can use it in your script. Use your normal Username and where you would put the password in the basic auth, use your Token.
I hope this clarifies things a bit.
Cheers,
Chris
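An added example, not part of the original thread or of the plugin's documentation: once a token exists, a backend service can call Jira's REST API with plain Basic authentication, sending `username:token` Base64-encoded and no JSESSIONID cookie at all. It assumes the token app is installed as described above and uses the standard Jira Server issue resource `/rest/api/2/issue/{key}`; the environment variable names and the host in the test are made up for illustration.

```python
import base64
import json
import os
import urllib.parse
import urllib.request


def basic_auth_header(username: str, token: str) -> str:
    """Return 'Basic ' + base64('username:token'); the token sits where a password would."""
    raw = f"{username}:{token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_issue_request(base_url, issue_key, username, token,
                        fields=("summary", "status")):
    """Build (but do not send) a GET for one issue, authenticated by token only."""
    if urllib.parse.urlsplit(base_url).scheme != "https":
        # Basic auth is only encoded, not encrypted: never send it in clear text.
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    url = "{}/rest/api/2/issue/{}?{}".format(
        base_url.rstrip("/"),
        urllib.parse.quote(issue_key, safe=""),
        urllib.parse.urlencode({"fields": ",".join(fields)}),
    )
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", basic_auth_header(username, token))
    req.add_header("Accept", "application/json")
    return req  # note: no Cookie header, so no browser session is reused


def fetch_issue(req, timeout=10):
    """Send the request and return the decoded JSON issue."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Hypothetical variable names; keep the token out of source code and logs.
    request = build_issue_request(
        os.environ["JIRA_BASE_URL"], os.environ["JIRA_ISSUE"],
        os.environ["JIRA_USER"], os.environ["JIRA_TOKEN"],
    )
    issue = fetch_issue(request)
    print(issue["key"], issue["fields"]["summary"])
```

Because the token stands in for the user's password, store it like one and revoke it when the service no longer needs it.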
Hi @Christian Reichert _resolution_
I really, really appreciate your time and patience in giving such a clean explanation.
I will go as you said. I will use the plugin's REST API. If so, is it free or a licensed one? Could you please share the link to know how to access and use that plugin?
Once again thank you very much 😊
Hi @Christian Reichert _resolution_
Thank you.
One last question I have. I know I am troubling you more. Please excuse me on this.
I have the JSESSIONID with me now. When I click on create API token, it asks for a label and generates a token. I don't get any prompt to use this JSESSIONID.
Please help me.
Hi @Christian Reichert _resolution_
The steps which I followed are below -
1. Got the JSESSIONID.
2. In Postman, entered the URL as https://gojira.companyname.cloud/jira/rest/de.resolution.apitokenauth/latest/user/token
3. Added a cookie with the JSESSIONID under headers.
The response is 404. I am doubting the URL. Could you please confirm this?
Hi!
Can you confirm that the admin has actually installed our plugin on your instance? https://marketplace.atlassian.com/apps/1221586/api-token-authentication-jira?hosting=server&tab=overview
Cheers,
Chris
Hi @Christian Reichert _resolution_
In 'About Jira', I can see the below which means Jira Plugins are there I believe.
Hi @Christian Reichert _resolution_
After having some discussions with the support team here, I got to know that the plugin which you mentioned is not installed here. Could you please suggest any other way, if available?
One more thing which I noticed in Jira is the Issue Collector.
When I created an issue collector, it gave me a script. Using this small script, I was able to create an issue. This script is even creating a JSESSIONID for me without asking for the smart card. This is really strange. How is this possible?
If this small script can do that, why can I not use the same authentication steps which the script is using?
The alternatives to the app Christian has suggested are other SSO enabling apps you'll need to add. Frankly the one Christian mentions is right at the top of the list of ones I'd recommend to do this.
The issue collectors are using a non-authenticated session to set some defaults and they're making very specific assumptions about the incoming data and how to process it. They're not logging in in the way you want to.
Thank you for the response.
If I want to go for a 2FA authentication app, will the steps be the same? I mean:
1. The admin of Jira has to install this app.
2. As a user of Jira, I should be able to create an access token.
3. I can pass this access token as the password.
Isn't it? Could you please clarify this.
Hi Rakesh,
I am very sorry, but you are asking to do something that the Atlassian Application in your configuration cannot do out of the box.
Every solution will require that your admin has to do something - usually purchasing and installing a 3rd party application.
If you go for a 2FA App, which you install in Jira - that will not enable you to get an API token. None of the local 2FA apps I know has that feature.
Unless you start creating local Users with local passwords, which you can then use for basic authentication, you need an App like ours that adds the capability for tokens.
Cheers,
Chris
Hi @Christian Reichert _resolution_
Ahh. This makes sense.
But you mentioned that I can go for some other SSO-enabling apps listed there.
I need to somehow achieve this, and I am sure the admin is not ready for any licensed one for now.
If you have any way left for me, please show me that path.
Hi!
I'm sorry - I got no good idea that would not require an additional licensed plugin.
Cheers,
Chris