Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-41559

Some REST calls return 200 with no body and AUTHENTICATED_FAILED

XMLWordPrintable

      NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report.

      For the moment this bug(s) was only reported OnDemand and we do have some reasons to believe that is also related to the server load.

      Expected behaviour: return a JSON response.

      Problems:

      • 200 means success and should never have an empty body. Empty body success responses are supposed to use code 204 – http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
      • An empty body is an invalid JSON response, this not being allowed.
      • If it is an authentication failure, this MUST return a 401 or 403 code.
      • This is not a real authentication failure because we are 100% sure that the credentials are right (using basic_auth).
      • If the server is not able to respond due to other causes it MUST reply with a 503 code and optionally with a Retry-After header that tell the client when to retry the request.

      As stated above this bug uncovers several serious HTTP standard deviations, probably caused by several broken pieces of code.

      It may be useful not remark this response header and the fact that, so far, all reports were happening while using basic_auth

      'x-seraph-loginreason': 'OUT, AUTHENTICATED_FAILED'

      Atlassian support suggested, as a temporary workaround, to use alternative authentication options. Still our tests proved that other auth ways are even more prone to fail. Also BASIC_AUTH is documented in several places as the recommended authentication to use with REST, that being one of the reasons we call it REST.

        1. Authenticated-Failed.zip
          21 kB
        2. modified-pycontrib.zip
          114 kB

            [JRASERVER-41559] Some REST calls return 200 with no body and AUTHENTICATED_FAILED

            Dorene Watson added a comment -

            Having the same issue in Jira Server

            Dorene Watson added a comment - Having the same issue in Jira Server

            Moxarth Rathod added a comment - - edited

            Facing the same issue while calling an endpoint `/projects` with an invalid username/service account.

            Moxarth Rathod added a comment - - edited Facing the same issue while calling an endpoint `/projects` with an invalid username/service account.

            Madison added a comment -

            Having the same issue. 

             

            Madison added a comment - Having the same issue.   

            Matthew Bradbury added a comment -

            Having the same issue on Jira Server

             

            Matthew Bradbury added a comment - Having the same issue on Jira Server  

            Jason Kemp added a comment -

            Has there been an update to correcting the problem on either Crowd or Jira side?

            Jason Kemp added a comment - Has there been an update to correcting the problem on either Crowd or Jira side?

            Daniel Rauf added a comment -

            Hey alexander.weickmann!

            We have an idea of what's happening and are tackling the issue on the Crowd's side at the moment.

            There's a race condition that can cause concurrent Basic Auth requests to fail with a 500 error. Our Crowd engineers are working on changing the way we handle the Basic Auth requests to fix this. A workaround, for now, would be to use OAuth based requests.

            Then, on the Jira's side, we do not handle the 500 error from Crowd correctly. We set the error header, but do not change the response code, which results in an empty 200 response. Unfortunately, a fix is not straightforward, because the response object passes so many levels of abstraction. Thus, we are focusing on fixing the root cause (handling of Basic Auth requests) for now, without prioritizing this bug in Jira.

            I hope this answers some of your questions.

            Daniel Rauf added a comment - Hey alexander.weickmann ! We have an idea of what's happening and are tackling the issue on the Crowd's side at the moment. There's a race condition that can cause concurrent Basic Auth requests to fail with a 500 error. Our Crowd engineers are working on changing the way we handle the Basic Auth requests to fix this. A workaround, for now, would be to use OAuth based requests . Then, on the Jira's side, we do not handle the 500 error from Crowd correctly. We set the error header, but do not change the response code, which results in an empty 200 response. Unfortunately, a fix is not straightforward, because the response object passes so many levels of abstraction. Thus, we are focusing on fixing the root cause (handling of Basic Auth requests) for now, without prioritizing this bug in Jira. I hope this answers some of your questions.

            Deleted Account (Inactive) added a comment -

            Any news on this from official side? Running into this when performing Gatling performance tests (about 10% of requests fail due to this).

             

            Deleted Account (Inactive) added a comment - Any news on this from official side? Running into this when performing Gatling performance tests (about 10% of requests fail due to this).  

            thebradness added a comment -

            Haven't seen this listed so I'll post it in case it helps someone:

            I was having this same problem (200 status, no response body, AUTH_FAILED).

            Local Jira server. 

            When we create accounts, we leave the password blank and it authenticates to active directory.

            I was using my active directory account the whole time. As soon as I created a local account that wasn't in AD (with a password) it worked fine.

            thebradness added a comment - Haven't seen this listed so I'll post it in case it helps someone: I was having this same problem (200 status, no response body, AUTH_FAILED). Local Jira server.  When we create accounts, we leave the password blank and it authenticates to active directory. I was using my active directory account the whole time. As soon as I created a local account that wasn't in AD (with a password) it worked fine.

            Rob Russo added a comment - - edited

            Finally I fixed this issue. Definitely a bug on their part. What's happening here is that they're using CSRF/XSRF protection on the endpoint. What does this mean for you?

            Essentially you need to create a session before you can make a request. Here's my code using Node JS and the request module:

             

            Sorry if it's messy. The important part is the request.jar() method, which creates a session called cookieJar. This cookieJar object is then passed with each request, ensuring the CSRF token is passed with each response.

             

            var request = require('request');/* GET home page. */
            router.get('/', function(req, res, next) {
            {{ var cookieJar = request.jar();}}var options = { method: 'GET',
            {{ url: 'https:/test.atlassian.net/wiki/rest/api/content',}}
            {{ jar: cookieJar,}}
            {{ qs:}}
            {{ { type: 'page',}}
            {{ title: 'title' },}}
            {{ headers:}}
            {{ {'cache-control': 'no-cache',}}
            {{ authorization: 'Basic yourEncodedAuthHere } };}}request(options, function (error, response, body) {
            {{ if (error) throw new Error(error);}}
            {{ request(options, function (error, response, body) {}}
            {{ if (error) throw new Error(error);}}
            {{ console.log(body);}}
            {{ });}}
            {{ });}}res.send('hello');
            });

            Rob Russo added a comment - - edited Finally I fixed this issue. Definitely a bug on their part. What's happening here is that they're using CSRF/XSRF protection on the endpoint. What does this mean for you? Essentially you need to create a session before you can make a request. Here's my code using Node JS and the request module:   Sorry if it's messy. The important part is the request.jar() method, which creates a session called cookieJar. This cookieJar object is then passed with each request, ensuring the CSRF token is passed with each response.   var request = require('request'); /* GET home page. */ router.get('/', function(req, res, next) { {{ var cookieJar = request.jar();}} var options = { method: 'GET', {{ url: 'https:/test.atlassian.net/wiki/rest/api/content',}} {{ jar: cookieJar,}} {{ qs:}} {{ { type: 'page',}} {{ title: 'title' },}} {{ headers:}} {{ {'cache-control': 'no-cache',}} {{ authorization: 'Basic yourEncodedAuthHere } };}} request(options, function (error, response, body) { {{ if (error) throw new Error(error);}} {{ request(options, function (error, response, body) {}} {{ if (error) throw new Error(error);}} {{ console.log(body);}} {{ });}} {{ });}} res.send('hello'); });

            Bill Gray added a comment -

            I, too, am getting this.  PHP 5.3 using Curl (using the "@" method.

            Bill Gray added a comment - I, too, am getting this.  PHP 5.3 using Curl (using the "@" method.

              Unassigned Unassigned
              73f0b2e75f82 Sorin Sbarnea (Citrix)
              Affected customers:
              78 This affects my team
              Watchers:
              74 Start watching this issue

                Created:
                Updated: