Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-72019

I want to be able to download attachments in Jira using a personal access token

XMLWordPrintable

    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Problem Definition

      With Jira 8.14, personal access tokens can now be created as a means to access the REST API in Jira Server/Data Center. While these tokens are a useful authorization alternative to access the REST API, one limitation that appears is that attachments that exist on Jira issues are not accessible via these tokens.

      Attempting to use curl (with verbose switch) to gather this attachment can show that the request is getting redirected to a login page.

      curl --verbose -H "Authorization: Bearer [redacted token]" -O http://localhost:8141/secure/attachment/10000/filename.png
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8141 (#0)
> GET /secure/attachment/10000/filename.png HTTP/1.1
> Host: localhost:8141
> User-Agent: curl/7.64.1
> Accept: */*
> Authorization: Bearer [redacted]
> 
< HTTP/1.1 302 
< X-AREQUESTID: 1026x388x1
< Referrer-Policy: strict-origin-when-cross-origin
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Content-Security-Policy: frame-ancestors 'self'
< Strict-Transport-Security: max-age=31536000
< Set-Cookie: atlassian.xsrf.token=[redacted]_lout; Path=/
< Location: /login.jsp?permissionViolation=true&os_destination=%2Fsecure%2Fattachment%2F10000%2Ffilename.png&page_caps=&user_role=
< Content-Length: 0
< Date: Thu, 21 Jan 2021 23:06:21 GMT

      Suggested Solution

      Either:

      • Create a REST API endpoint that can in some manner provide the binary data stream of the attachments themselves in such a manner that this REST APi endpoint could be called and those attachments downloaded using this personal access token
        OR
      • Change the check that appears to be forcing any such requests using this token for authentication/authorization so that these requests can be made successfully without redirecting to a login page.

      Why this is important

      This is something you can do in Jira Cloud today with a REST API token. The fact this does not work in Server is a lack of feature parity. Personal access tokens would be more useful if they could be used in this manner to also gather attachments on Jira server issues.
      This is also something that works if your curl call uses a basic authorization (supplying username and password with the -u switch)

      Workaround

      No workaround is currently available.

              moles Marcin Oles
              aheinzer Andy Heinzer (Inactive)
              Votes:
              3 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: