JRASERVER-71779 (Jira Data Center)

Creating an incoming application link for OAuth can corrupt previously configured links


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Medium
    • None
    • 8.5.4
    • Application Links
    • None
    • 8.05
    • 12
    • Severity 2 - Major
    • 1
      Atlassian Update – 19 July 2024

      Dear Customers,

      Thank you for taking the time to file and comment on this issue. We realize it still occurs and impacts your organization. We are now working on multiple customer requests and on new features, so we have to postpone our resolution of this issue. We’ve decided to move this issue to our long-term backlog.

      Please continue watching this ticket for future updates and changes in the timeline that impact your work.

      Best regards

      Daniel Dudziak
      Principal Software Engineer

      Issue Summary

      When a new incoming application link is created, Jira does not check whether an existing incoming application link already uses the same Consumer Key. The existing incoming application link with that Consumer Key becomes corrupted and can no longer be used to authenticate via OAuth.

      Steps to Reproduce

      1. Navigate to Cog Icon > Applications > Application links.
      2. Enter the value http://example.com and click Create new link, then click Continue to dismiss the warning about no response being received.
      3. Fill the form as follows:
        • Application Name: Example test app
        • Application Type: Generic Application
        • Service Provider Name: Example service provider
        • Consumer key: example
        • Shared secret: example
        • Request Token URL: http://example.com
        • Access token URL: http://example.com
        • Authorize URL: http://example.com
        • Create incoming link: checked
      4. Click Continue, then fill the next form as follows:
        • Consumer Key: OauthKey
        • Consumer Name: Example Jira app
        • Public Key:
          -----BEGIN PUBLIC KEY-----
          MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDo7WidwslulmH1Kbsj6fsGBYp1
          WhJKDiv0RvmeiWediTxsw/w18XuRhtnqNmx5poKdRo/cigPLI4IEDNeQj9CkTP5+
          ZJeG7TWvzpfmvjJXrMQXmx0uJe+ySXSKHYkR22wGFAbYQdVtP5aeuDiRrUNlwA1v
          3WYSuJxCY32RJeW/LwIDAQAB
          -----END PUBLIC KEY-----
          
      5. Follow the steps in the section Step 2: Create the client of the developer document OAuth to obtain a test OAuth client.
        Use the following values when modifying the file PropertiesClient.java (changing JIRA_HOME is fine); otherwise there will be a mismatch between the public and private keys:
            private final static Map<String, String> DEFAULT_PROPERTY_VALUES = ImmutableMap.<String, String>builder()
                    .put(JIRA_HOME, "http://localhost:8080")
                    .put(CONSUMER_KEY, "OauthKey")
                    .put(PRIVATE_KEY, "MIICdw.....A=")
                    .build();
        
      6. Run the following command in the terminal to confirm OAuth is working correctly and an access token is obtainable:
        java -jar OAuthTutorialClient-1.0.jar requestToken
        
      7. Repeat steps 1 through 4 (with a different URL in step 2) to create a second application link, using the following values for the first form:
        • Application Name: Example test app
        • Application Type: Generic Application
        • Service Provider Name: Example service provider
        • Consumer key: example
        • Shared secret: example
        • Request Token URL: http://example.com
        • Access token URL: http://example.com
        • Authorize URL: http://example.com
        • Create incoming link: checked
      8. Click Continue, then fill the next form as follows:
        • Consumer Key: OauthKey
        • Consumer Name: Example Jira app
        • Public Key:
          -----BEGIN PUBLIC KEY-----
          MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDzAwxAwuG3NFmsR8UcRTmssHLE
          03jL3BYGKMGtmNCZ+IezWYard9yIcxMAOiw2UC3QMYgekdsSMrr286rObxq/z97h
          mKCZ9Zs+HjPf2fVKzn1qr04xT7VLL6VEKtcTeNloG8emDcy9+gvpGlNL83obbdOK
          Y8dN+RfuDvjxqEA4IwIDAQAB
          -----END PUBLIC KEY-----
          
      9. Run the command below to check whether an access token is still obtainable:
        java -jar OAuthTutorialClient-1.0.jar requestToken
        

      Expected Results

      Jira refuses to add a new incoming application link whose Consumer Key matches an existing one, and both incoming application links remain usable for OAuth authentication.

      Here's an example of the expected results from the test client:

      java -jar OAuthTutorialClient-1.0.jar requestToken
      
      Token:          zJSLoCqwbndQoBiOkWnpaON94ZYPItJA
      Token secret:   cQroo87wdGUHk5KxgjLvZg96tO79W2Ia
      Retrieve request token. Go to http://localhost:8080/plugins/servlet/oauth/authorize?oauth_token=zJSLoCqwbndQoBiOkWnpaON94ZYPItJA to authorize it.
      

      Actual Results

      The first incoming application link becomes corrupted and can no longer be used for OAuth authentication; the test client's request-token call is rejected with a 401 and oauth_problem=signature_invalid:

      java -jar target/OAuthTutorialClient-1.0.jar requestToken
      
      Nov 05, 2020 11:30:30 AM org.apache.http.impl.client.DefaultRequestDirector handleResponse
      WARNING: Authentication error: Unable to respond to any of these challenges: {oauth=WWW-Authenticate: OAuth realm="http%3A%2F%2Flocalhost%3A8080", oauth_problem="signature_invalid", oauth_signature="3OLuLV0HTFI7xPzpK2pUEUVTVlt0KKXJkXdz8Gi%2BUx0r83UEdJzl2hmolRwP8%2FJmn2QqMxVpEt%2BY%2F2tDiVuaRry9VVTyjFzSczwOW%2BpbXfRHN5KQBWaGkEQ2L2umZDiZh0NN2ujwvSwYymYcOIYUNWTCCJFO2%2FOmw1wQFqairZI%3D", oauth_signature_base_string="POST%26http%253A%252F%252Flocalhost%253A8080%252Fplugins%252Fservlet%252Foauth%252Frequest-token%26oauth_callback%253Doob%2526oauth_consumer_key%253DOAuth1%2526oauth_nonce%253D30b1905707d22678%2526oauth_signature_method%253DRSA-SHA1%2526oauth_timestamp%253D1604586630", oauth_signature_method="RSA-SHA1"}
      com.google.api.client.http.HttpResponseException: 401
      oauth_problem=signature_invalid&oauth_signature=3OLuLV0HTFI7xPzpK2pUEUVTVlt0KKXJkXdz8Gi%2BUx0r83UEdJzl2hmolRwP8%2FJmn2QqMxVpEt%2BY%2F2tDiVuaRry9VVTyjFzSczwOW%2BpbXfRHN5KQBWaGkEQ2L2umZDiZh0NN2ujwvSwYymYcOIYUNWTCCJFO2%2FOmw1wQFqairZI%3D&oauth_signature_base_string=POST%26http%253A%252F%252Flocalhost%253A8080%252Fplugins%252Fservlet%252Foauth%252Frequest-token%26oauth_callback%253Doob%2526oauth_consumer_key%253DOAuth1%2526oauth_nonce%253D30b1905707d22678%2526oauth_signature_method%253DRSA-SHA1%2526oauth_timestamp%253D1604586630&oauth_signature_method=RSA-SHA1
          at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1070)
          at com.google.api.client.auth.oauth.AbstractOAuthGetToken.execute(AbstractOAuthGetToken.java:73)
          at com.atlassian.oauth.client.example.JiraOAuthClient.getAndAuthorizeTemporaryToken(JiraOAuthClient.java:37)
          at com.atlassian.oauth.client.example.OAuthClient.handleGetRequestTokenAction(OAuthClient.java:69)
          at com.atlassian.oauth.client.example.OAuthClient.execute(OAuthClient.java:51)
          at com.atlassian.oauth.client.example.ClientMain.main(ClientMain.java:18)
      
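      The following Go program is an added illustration, not Atlassian's code or the tutorial client's. It models the provider-side lookup this report describes: incoming links are stored by consumer key, so without a duplicate check a second link with the same key replaces the first link's public key and the first client's RSA-SHA1 signature stops verifying, while with the check the second link is rejected. The signature base string is rebuilt from the parameters in the 401 log above; the key pairs are generated on the fly and are hypothetical.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"net/url"
	"strings"
)

// Request-token parameters taken from the ticket's 401 log (nonce and timestamp are the logged values).
var ticketParams = url.Values{"oauth_callback": {"oob"}, "oauth_consumer_key": {"OAuth1"},
	"oauth_nonce": {"30b1905707d22678"}, "oauth_signature_method": {"RSA-SHA1"}, "oauth_timestamp": {"1604586630"}}

// pct is RFC 5849 section 3.6 percent-encoding: unreserved bytes kept, space as %20, upper-case hex.
func pct(s string) string { return strings.ReplaceAll(url.QueryEscape(s), "+", "%20") }

// SignatureBaseString is RFC 5849 section 3.4.1: METHOD & enc(base URL) & enc(params sorted by key as "k=v").
func SignatureBaseString(method, baseURL string, params url.Values) string {
	normalized := strings.ReplaceAll(params.Encode(), "+", "%20") // Encode sorts by key and escapes keys and values
	return strings.ToUpper(method) + "&" + pct(baseURL) + "&" + pct(normalized)
}

// RSA-SHA1 signs and verifies the SHA-1 digest of the base string with PKCS#1 v1.5.
func digest(base string) []byte { h := sha1.Sum([]byte(base)); return h[:] }

// createLink stores an incoming link's public key under its consumer key; reject is the check Jira lacks.
func createLink(links map[string]*rsa.PublicKey, reject bool, key string, pub *rsa.PublicKey) bool {
	if _, taken := links[key]; taken && reject {
		return false
	}
	links[key] = pub // with reject=false (the bug) a duplicate key silently replaces the first link's key
	return true
}

// checkRequest verifies with whatever key is stored for the consumer key: after an overwrite the first
// link's client fails here, which the provider reports as oauth_problem=signature_invalid.
func checkRequest(links map[string]*rsa.PublicKey, key, base string, sig []byte) bool {
	pub, ok := links[key]
	return ok && rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest(base), sig) == nil
}

// Reproduce plays the ticket's steps with freshly generated (hypothetical) keys: link 1 for "OAuth1", then link 2
// with the same consumer key. It returns whether link 2 was accepted and whether client 1 still authenticates.
func Reproduce(rejectDuplicates bool) (secondCreated, client1Works bool) {
	k1, _ := rsa.GenerateKey(rand.Reader, 2048)
	k2, _ := rsa.GenerateKey(rand.Reader, 2048)
	links := map[string]*rsa.PublicKey{}
	createLink(links, rejectDuplicates, "OAuth1", &k1.PublicKey)
	base := SignatureBaseString("POST", "http://localhost:8080/plugins/servlet/oauth/request-token", ticketParams)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, k1, crypto.SHA1, digest(base)) // client 1 signs with its own key
	secondCreated = createLink(links, rejectDuplicates, "OAuth1", &k2.PublicKey)
	return secondCreated, checkRequest(links, "OAuth1", base, sig)
}
```

      Reproduce(false) reproduces the ticket (second link accepted, client 1 broken); Reproduce(true) shows the missing check (second link refused, client 1 still works).
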

      Workaround

      Use a different Consumer Key for each application.

      If the Consumer Key is set by the application itself, you can try changing it in the application's Active Objects (AO) tables. Example for Microsoft Teams for Jira:

      1. Install Microsoft Teams for Jira on the Jira Server/DC instance.
      2. Modify the AO_A07C39_APP_KEYS table as follows, replacing the ATLAS_ID with the value of the record in AO_A07C39_APP_KEYS:

       UPDATE AO_A07C39_APP_KEYS SET CONSUMER_KEY = 'MyTestKey' WHERE ATLAS_ID = 'c43b3ef1-062c-4c39-b258-4288dfebc23a';

      3. Here 'MyTestKey' can be any random text that is unique across application links; the ATLAS_ID differs per setup.
      4. Reinstall the Microsoft Teams for Jira app to apply the new value.
      5. Create the application link according to the instructions.
      6. Connect from the Teams side.

      Assignee: Unassigned
      Reporter: Vinicius Fontes (vfontes)
      Votes: 8
      Watchers: 15