Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-74728

Jira and JSM Mail Handlers fail to connect to Google Mail Servers with POP 1h after they were configured with Oauth 2.0

      Issue

      When the Jira application is configured with an Incoming Mail Server using the combination of parameters below, any Mail Handler associated to this Mail Server will eventually fail to access the Mailbox 1 hour after the Mail Server was configured:

      • a Google Mail Server (Gmail)
      • the SECURE POP protocol
      • the Oauth 2.0 authorization method

      Note

      Even though this bug was raised for the Jira Incoming Mail Handler (configured in ⚙ > System > Incoming Mail), this bug also applies to the Jira Service Management (JSM) Mail handler (configured in JSM projects in Project Settings > Email Requests). This is because both types of Mail Handlers use the same logic to fetch/refresh Oauth 2.0 tokens

      Steps to replicate

      1. Configure an Oauth 2.0 integration using Google as the provider as per Configure an outgoing link in ⚙ > Applications > Application Links
      2. Configure a Mail Server in ⚙ > System > Incoming Mail using a Gmail Server, the SECURE POP protocol and the Oauth 2.0 integration configured earlier as the authentication method
        • Authorize the mail box
        • Test the connection
        • Save the Mail Server
      3. Configure a Mail Handler in ⚙ > System > Incoming Mail and associated it to the Mail Server configured earlier
      4. Verify that new incoming mails are converted into new Jira tickets (or new comments)
      5. Wait for 1h

      Expected results

      1 hour later, the Mail Handler should still work and convert new emails into new Jira tickets (or new comments).

      Actual results

      After 1 hour, the Jira Mail Handler will eventually fail to connect to the Google Mail Server and fetch new emails.

      The following error will is found in the file atlassian-jira-incoming-mail.log:

      2023-01-12 08:40:00,261+0000 ERROR [GMAIL Server] Caesium-1-3 anonymous    GMAIL Mail Handler GMAIL Mail Handler[10100]: Messaging Exception in service 'com.atlassian.jira.service.services.mail.MailFetcherService$MessageProviderImpl' when getting mail: Open failed
      javax.mail.MessagingException: Open failed;
            nested exception is:
          	java.io.IOException: STAT command failed: [AUTH] Invalid credentials.
      	at com.sun.mail.pop3.POP3Folder.open(POP3Folder.java:220) [jakarta.mail-1.6.5-atlassian-2.jar:1.6.5-atlassian-2]
      	at com.atlassian.jira.service.services.mail.MailFetcherService$MessageProviderImpl.getAndProcessMail(MailFetcherService.java:160) [jira-api-8.20.15.jar:?]
      	at com.atlassian.jira.service.services.mail.MailFetcherService.processMessages(MailFetcherService.java:388) [jira-api-8.20.15.jar:?]
      

      If the debugging package com.atlassian.mail.auth is enabled with the DEBUG level, the following error will be found in the file atlassian-jira-incoming-mail.log:

      2023-01-12 08:40:00,126+0000 DEBUG [GMAIL Server] Caesium-1-3 anonymous    GMAIL Mail Handler DEBUG POP3: AUTH XOAUTH2 using one line authentication format
      2023-01-12 08:40:00,227+0000 DEBUG [GMAIL Server] Caesium-1-3 anonymous    GMAIL Mail Handler DEBUG POP3: AUTH XOAUTH2 failed, THROW:
      2023-01-12 08:40:00,227+0000 DEBUG [GMAIL Server] Caesium-1-3 anonymous    GMAIL Mail Handler java.io.EOFException: OAUTH2 authentication failed: {"status":"400","schemes":"Bearer","scope":"https://mail.google.com/"}
      2023-01-12 08:40:00,228+0000 DEBUG [GMAIL Server] Caesium-1-3 anonymous    GMAIL Mail Handler at com.sun.mail.pop3.Protocol$OAuth2Authenticator.doAuth(Protocol.java:731)
      2023-01-12 08:40:00,228+0000 DEBUG [GMAIL Server] Caesium-1-3 anonymous    GMAIL Mail Handler at com.sun.mail.pop3.Protocol$Authenticator.authenticate(Protocol.java:486)
      2023-01-12 08:40:00,228+0000 DEBUG [GMAIL Server] Caesium-1-3 anonymous    GMAIL Mail Handler at com.sun.mail.pop3.Protocol.authenticate(Protocol.java:304)
      2023-01-12 08:40:00,228+0000 DEBUG [GMAIL Server] Caesium-1-3 anonymous    GMAIL Mail Handler at com.sun.mail.pop3.POP3Store.authenticate(POP3Store.java:432)
      

      Workaround

      The workaround consists in using the SECURE IMAP protocol instead of the SECURE POP protocol, since the bug does not occur when using such protocol.

      Please note that the integration GMAIL + SECURE IMAP + Oauth 2.0 is impacted by a different bug tracked in JRASERVER-74666. Because of that bug, even though the connection will no longer after 1h when switching to IMAP, it will fail after 30 days. Please refer to the workaround section of that bug to prevent this issue from happening after 30 days.

            [JRASERVER-74728] Jira and JSM Mail Handlers fail to connect to Google Mail Servers with POP 1h after they were configured with Oauth 2.0

            There are no comments yet on this issue.

              63999e271dab Pawel Cieszko
              jrey Julien Rey
              Affected customers:
              5 This affects my team
              Watchers:
              10 Start watching this issue

                Created:
                Updated: