REST API calls are returning '401 Unauthorized' after Atlassian Account is enabled in the instance

Summary

After Atlassian Accounts is enabled the REST API calls are failing returning 401 Unauthorized if Google apps or SSO are used to log-into the instance.

In the response header you can see:

X-Seraph-LoginReason: AUTHENTICATED_FAILED

According to JIRA REST API Example Cookie based Authentication:

When you get an error response from JIRA, you can check for the presence of an X-Seraph-LoginReason header in the response, which will contain more information. A value of AUTHENTICATION_DENIED or AUTHENTICATED_FAILED means the application rejected the login without even checking the password, which most commonly indicates that JIRA's CAPTCHA feature has been triggered.

However, since Google Apps or SSO are used to log-into the instance, the user is never prompted the captcha and therefore the failed passwords attempts counter is never reset.

Environment

JIRA v1000.1043.1

Steps to Reproduce

1. Have a JIRA instance already configured to use Google for authentication.
2. Enable Atlassian Accounts and verify the email.
3. Try to authenticate REST API calls using the credentials that always worked

Expected Results

The correct response or a meaningful error message is returned

Actual Results

You get 401 unauthorized. The response header looks like:

HTTP/1.1 401 Unauthorized
Server: nginx
Date: Thu, 08 Jun 2017 13:53:40 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-AREQUESTID: **********
X-Seraph-LoginReason: AUTHENTICATED_FAILED

In the logs the below exception can be found:

ERROR [atlassian.usermanagement.aid.AtlassianIdServiceImpl] Error verifying credentials for user@host.com
....
java.lang.RuntimeException: AidErrorEntity{errorMessages=[{"errorMessages":["Reached number of invalid password attempts for user user@host.com"],"errors":{},"errorCodes":{},"globalErrorCodes":["REACHED_NUMBER_OF_INVALID_PASSWORD_ATTEMPTS"]}], errors={}}

Workaround

A) Reset the password for the user in id.atlassian.com by going to:

• https://id.atlassian.com/manage/change-password

If this is not applicable because you didn't have a password previously set in id.atlassian.com and therefore you cannot use the change-password form. Then do the following:

1. Go to https://id.atlassian.com/login/resetpassword
2. Enter you email, complete the CAPTCHA and click on Send
3. Once you receive the password reset email, do not click on the button to Access but on the link below that says "reset password".
4. Fill up the new password and you are done.

B) Use Cookie-based Authentication.

1. If you're on Chrome, you can install an extension called cookies.txt
2. Then, log into your instance and click on the extension
3. Copy the cookie information (the data shown in the extension) and save it to a text file
4. Use the cookie stored in the text file to authenticate REST API calls by using the -b argument in Curl.
   Example:

   curl -b path/of/file/cookie.txt -H "Content-Type: application/json"  -X GET https://example.atlassian.net/rest/api/2/issue/TEST-1