Suggestion
Resolution: Fixed
Problem Definition
With Jira 8.14, personal access tokens can now be created as a means to access the REST API in Jira Server/Data Center. While these tokens are a useful authorization alternative to access the REST API, one limitation that appears is that attachments that exist on Jira issues are not accessible via these tokens.
Attempting to fetch an attachment with curl (using the verbose switch) shows that the request is redirected to a login page:
    curl --verbose -H "Authorization: Bearer [redacted token]" -O http://localhost:8141/secure/attachment/10000/filename.png
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying ::1...
    * TCP_NODELAY set
    * Connected to localhost (::1) port 8141 (#0)
    > GET /secure/attachment/10000/filename.png HTTP/1.1
    > Host: localhost:8141
    > User-Agent: curl/7.64.1
    > Accept: */*
    > Authorization: Bearer [redacted]
    >
    < HTTP/1.1 302
    < X-AREQUESTID: 1026x388x1
    < Referrer-Policy: strict-origin-when-cross-origin
    < X-XSS-Protection: 1; mode=block
    < X-Content-Type-Options: nosniff
    < X-Frame-Options: SAMEORIGIN
    < Content-Security-Policy: frame-ancestors 'self'
    < Strict-Transport-Security: max-age=31536000
    < Set-Cookie: atlassian.xsrf.token=[redacted]_lout; Path=/
    < Location: /login.jsp?permissionViolation=true&os_destination=%2Fsecure%2Fattachment%2F10000%2Ffilename.png&page_caps=&user_role=
    < Content-Length: 0
    < Date: Thu, 21 Jan 2021 23:06:21 GMT
Suggested Solution
Either:
- Create a REST API endpoint that provides the binary data stream of the attachments themselves, so that this endpoint can be called and the attachments downloaded using a personal access token
OR
- Change the check that appears to be redirecting requests that use this token for authentication/authorization, so that these requests can be made successfully without being redirected to a login page.
Why this is important
This is something you can do in Jira Cloud today with a REST API token. The fact this does not work in Server is a lack of feature parity. Personal access tokens would be more useful if they could be used in this manner to also gather attachments on Jira server issues.
This is also something that works if your curl call uses basic authorization (supplying username and password with the -u switch).
Workaround
No workaround is currently available.
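A script that downloads attachments with a personal access token can detect the login redirect shown in the curl trace above instead of treating it as a successful download. This is an added example, not part of the original issue or Atlassian's code; it does not work around the limitation. The names `NoRedirect`, `login_redirect_target` and `fetch_attachment` are hypothetical, and the sample `Location` value is copied from the trace.

```python
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlsplit

# Location header copied from the 302 in the curl trace on this page.
SAMPLE_LOCATION = ("/login.jsp?permissionViolation=true&os_destination="
                   "%2Fsecure%2Fattachment%2F10000%2Ffilename.png&page_caps=&user_role=")


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def login_redirect_target(status, location):
    """Return the decoded os_destination if this is the login bounce, else None."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return None
    parts = urlsplit(location)
    query = parse_qs(parts.query)
    if not parts.path.endswith("/login.jsp"):
        return None
    if query.get("permissionViolation") != ["true"]:
        return None
    return query.get("os_destination", [""])[0]


def fetch_attachment(url, token, dest):
    """Download url to dest with a bearer token (hypothetical helper)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    opener = urllib.request.build_opener(NoRedirect)
    try:
        # dest is only opened after the server has answered with a 2xx.
        with opener.open(req, timeout=30) as resp, open(dest, "wb") as out:
            out.write(resp.read())
    except urllib.error.HTTPError as err:
        target = login_redirect_target(err.code, err.headers.get("Location"))
        if target is not None:
            raise PermissionError(
                f"token not accepted for {target}: redirected to login page") from err
        raise


if __name__ == "__main__":
    print(login_redirect_target(302, SAMPLE_LOCATION))
```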
- relates to
  - CONFSERVER-66485 Unable to download attachments in Confluence using a personal access token (Closed)
  - JRASERVER-72378 I want to be able to download user uploaded avatars using personal access tokens (Closed)
- is cloned by
  - TPI-405