JRACLOUD-62515

The documentation for REST API Cookie authentication is incomplete (for Cloud)


Details

    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

    Description

      NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion.

      Status Update

      Cookie-based authentication is deprecated

      Jira Cloud has deprecated cookie-based authentication in favor of basic authentication with API tokens or OAuth. We strongly recommend you use either of these authentication methods in place of cookie-based authentication.

      See the deprecation notice for more information.

      The JIRA REST API Example - Cookie-based Authentication page is incomplete, or at least the information there is not sufficient for Cloud customers:

      According to the above page it should be enough to get the value of JSESSIONID by sending a request to jira/rest/auth/1/session and set it in the header of the successive requests in order to have it working.

      However, this is not true/not enough (at least in Cloud). Other cookies are also returned in the header of the response containing the JSESSIONID value, and in order to successfully use cookie authentication you must provide all those cookies in the successive requests.

      Example (from https://support.atlassian.com/browse/JST-218465):

      In the first response I got back:

      Set-Cookie: atlassian.xsrf.token=BBFK-DW9I-1O0T-XAI2|d1f29197aefac82758df8ba7af6718590a4af86e|lout; Path=/; Secure
      Set-Cookie: JSESSIONID=39EB1259A8CA92F7E62B8F4348AE9884; Path=/; Secure; HttpOnly
      Set-Cookie: studio.crowd.tokenkey=""; Domain=.zaansmeisje.atlassian.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly
      Set-Cookie: studio.crowd.tokenkey=k4G0k02877DJJRTeBG6EUQ00; Domain=.zaansmeisje.atlassian.net; Path=/; Secure; HttpOnly 
      

      Therefore, in my successive request I set the same cookies in the header, and then it works. If I only set the JSESSIONID value it fails, returning "401 Unauthorized":

      -H "Content-Type: application/json" -H "Cookie: atlassian.xsrf.token=BBFK-DW9I-1O0T-XAI2|d1f29197aefac82758df8ba7af6718590a4af86e|lout; JSESSIONID=39EB1259A8CA92F7E62B8F4348AE9884; studio.crowd.tokenkey=k4G0k02877DJJRTeBG6EUQ00;" 
      

      Full request and response:

      $ curl -D- -H "Content-Type: application/json" -d '{"username":"dbonotto", "password":"********" }' -X POST https://zaansmeisje.atlassian.net/rest/auth/1/session
      
      HTTP/1.1 200 OK
      Server: nginx
      Date: Tue, 06 Sep 2016 10:32:55 GMT
      Content-Type: application/json;charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Vary: Accept-Encoding
      X-AREQUESTID: 962x18637x1
      X-ASEN: SEN-2330110
      X-AUSERNAME: anonymous
      X-ATENANT-ID: zaansmeisje.atlassian.net
      X-Seraph-LoginReason: OUT
      X-Seraph-LoginReason: OK
      Cache-Control: no-cache, no-store, no-transform
      X-Content-Type-Options: nosniff
      Set-Cookie: atlassian.xsrf.token=BBFK-DW9I-1O0T-XAI2|d1f29197aefac82758df8ba7af6718590a4af86e|lout; Path=/; Secure
      Set-Cookie: JSESSIONID=39EB1259A8CA92F7E62B8F4348AE9884; Path=/; Secure; HttpOnly
      Set-Cookie: studio.crowd.tokenkey=""; Domain=.zaansmeisje.atlassian.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly
      Set-Cookie: studio.crowd.tokenkey=k4G0k02877DJJRTeBG6EUQ00; Domain=.zaansmeisje.atlassian.net; Path=/; Secure; HttpOnly
      Strict-Transport-Security: max-age=315360000;includeSubDomains
      
      {"session":{"name":"JSESSIONID","value":"39EB1259A8CA92F7E62B8F4348AE9884"},"loginInfo":{"loginCount":5,"previousLoginTime":"2016-09-06T15:55:51.499+0530"}}
      
      $ curl -D- -H "Content-Type: application/json" -H "Cookie: atlassian.xsrf.token=BBFK-DW9I-1O0T-XAI2|d1f29197aefac82758df8ba7af6718590a4af86e|lout; JSESSIONID=39EB1259A8CA92F7E62B8F4348AE9884; studio.crowd.tokenkey=k4G0k02877DJJRTeBG6EUQ00;" -d '{"jql": "project = bussines","startAt": 0,"maxResults": 10}' -X POST https://zaansmeisje.atlassian.net/rest/api/2/search
      HTTP/1.1 200 OK
      Server: nginx
      Date: Tue, 06 Sep 2016 10:35:14 GMT
      Content-Type: application/json;charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Vary: Accept-Encoding
      X-AREQUESTID: 965x18647x1
      X-ASEN: SEN-2330110
      X-Seraph-LoginReason: OK
      X-ASESSIONID: bzwumf
      X-AUSERNAME: dbonotto
      X-ATENANT-ID: zaansmeisje.atlassian.net
      Cache-Control: no-cache, no-store, no-transform
      X-Content-Type-Options: nosniff
      Set-Cookie: JSESSIONID=6B31FCC71AECA3C950CFFABFD4E33FA1; Path=/; Secure; HttpOnly
      Set-Cookie: studio.crowd.tokenkey=k4G0k02877DJJRTeBG6EUQ00; Domain=.zaansmeisje.atlassian.net; Path=/; Secure; HttpOnly
      Set-Cookie: atlassian.xsrf.token=BBFK-DW9I-1O0T-XAI2|8c4a4e66ff4d6c06489e6c506d636b95119b5237|lin; Path=/; Secure
      Strict-Transport-Security: max-age=315360000;includeSubDomains
      
      {"expand":"schema,names","startAt":0,"maxResults":10,"total":4,"issues":[{"expand":"operations,versionedRepresentations,editmeta,changelog,renderedFields","id":"11304","self":"https://zaansmeisje.atlassian.net/rest/api/2/issue/11304","key":"BUS-4","fields":{"issuetype":{"self":"https://zaansmeisje.atlassian.net/rest/api/2/issuetype/10200","id":"10200","description":"A task that needs to be done.","iconUrl":"https://zaansmeisje.atlassian.net/secure/viewavatar?size=xsmall&avatarId=10318&avatarType=issuetype","name":"Task","subtask":false,"avatarId":10318},"timespent":null,"project":{"self":"https://zaansmeisje.atlassian.net/rest/api/2/project/10900","id":"10900","key":"BUS","name":"bussines","avatarUrls":{"48x48":"https://zaansmeisje.atlassian.net/secure/projectavatar?avatarId=10324","24x24":"https://zaansmeisje.atlassian.net/secure/projectavatar?":........
      

      Workaround

      When calling the session endpoint just store all the cookie information in a file and use that to authenticate. E.g.:

      1. Store the cookies in a cookie jar:
        curl -c cookie.txt -H "Content-Type: application/json" -d '{"username":"XXXXXXXXX", "password":"XXXXXXXXX" }' -X POST https://INSTANCE/rest/auth/1/session

        OR

        curl --cookie-jar cookie.txt -H "Content-Type: application/json" -d '{"username":"XXXXXXXXX", "password":"XXXXXXXXX" }' -X POST https://INSTANCE/rest/auth/1/session

      2. Use that jar to authenticate the successive REST calls:
        curl -b cookie.txt --header "X-Atlassian-Token: no-check" -H "Content-Type: application/json" -X GET https://INSTANCE/rest/........

        OR

        curl --cookie cookie.txt --header "X-Atlassian-Token: no-check" -H "Content-Type: application/json" -X GET https://INSTANCE/rest/........
        
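      As an added example (not from this issue, Atlassian's documentation, or the reporter), the Python below does what the cookie-jar workaround does for curl: it replays every Set-Cookie header of the /rest/auth/1/session response in order, so the expired studio.crowd.tokenkey="" deletion is dropped and the later value wins, and builds the single Cookie header the follow-up request needs instead of only JSESSIONID. It assumes every cookie applies to the same host and ignores Domain/Path scoping; the sample headers are copied from the response shown above.

```python
"""Build the Cookie header Jira Cloud cookie auth needs from ALL Set-Cookie
headers of the /rest/auth/1/session response, not just JSESSIONID."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Set-Cookie headers copied from the sample session response in this issue
# (the tokens are long dead; they only serve as realistic input).
SESSION_RESPONSE_SET_COOKIES = [
    'atlassian.xsrf.token=BBFK-DW9I-1O0T-XAI2|d1f29197aefac82758df8ba7af6718590a4af86e|lout; Path=/; Secure',
    'JSESSIONID=39EB1259A8CA92F7E62B8F4348AE9884; Path=/; Secure; HttpOnly',
    'studio.crowd.tokenkey=""; Domain=.zaansmeisje.atlassian.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly',
    'studio.crowd.tokenkey=k4G0k02877DJJRTeBG6EUQ00; Domain=.zaansmeisje.atlassian.net; Path=/; Secure; HttpOnly',
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).
    Attribute names are lower-cased; bare flags such as Secure map to True."""
    parts = [p.strip() for p in header.split(';')]
    name, _, value = parts[0].partition('=')
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition('=')
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def is_expired(attrs, now):
    """An Expires in the past or Max-Age <= 0 is a deletion instruction,
    which is how Jira clears the old studio.crowd.tokenkey before re-setting it."""
    if attrs.get('max-age') not in (None, True):
        return int(attrs['max-age']) <= 0
    if attrs.get('expires') not in (None, True):
        expires = parsedate_to_datetime(attrs['expires'])
        if expires.tzinfo is None:          # assume UTC if the server omits a zone
            expires = expires.replace(tzinfo=timezone.utc)
        return expires <= now
    return False


def cookie_jar_from_response(set_cookie_headers, now=None):
    """Replay the headers in server order: a later header for the same name
    replaces the earlier one, and an expired header removes the cookie."""
    now = now or datetime.now(timezone.utc)
    jar = {}
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        if is_expired(attrs, now):
            jar.pop(name, None)
        else:
            jar[name] = value
    return jar


def cookie_header(jar):
    """Serialise the jar into the one Cookie request header curl -b sends."""
    return '; '.join(f'{name}={value}' for name, value in jar.items())
```

      Sending only the JSESSIONID entry of this jar reproduces the 401 described above; sending cookie_header(jar) matches the working curl call.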

      People

        istankiewicz Eve (Inactive)
        dbonotto Dario B
        Votes: 4
        Watchers: 6