Jira Data Center: JRASERVER-78353

POST method for /rest/auth/1/session doesn't work preventing using it for cookie-based authentication


    • Type: Bug
    • Resolution: Answered
    • Priority: Low
    • Fix Version/s: None
    • Affects Version/s: 10.2.0, 10.2.1, 10.2.2, 10.3.0
    • Component/s: REST API

      Issue Summary

      Starting from the 10.2 release, which introduced the "New login experience with two-step verification", it is no longer possible to use the '/rest/auth/1/session' endpoint to generate a session cookie as described in the "Cookie-based authentication" documentation.

      The problem affects only requests using the POST verb. The other methods (GET and DELETE) work fine:

      curl -s -u <username>:<password> -X GET https://<base_url>/rest/auth/1/session -H 'content-type: application/json' | jq
      {
        "self": "https://<base_url>/rest/api/latest/user?username=<username>",
        "name": "<username>",
        "loginInfo": {
          "loginCount": 15,
          "previousLoginTime": "2024-12-18T16:01:03.449+0000"
        }
      }
      
      curl -s -w "\t HTTP Return Code: %{http_code}" -u <username>:<password> -X DELETE https://<base_url>/rest/auth/1/session -H 'content-type: application/json'
               HTTP Return Code: 204
      

      Steps to Reproduce

      1. Install Jira Data Center 10.2 or higher
      2. Try to generate a session cookie for subsequent cookie-based authentication via /rest/auth/1/session:
        curl -X POST https://<base_url>/rest/auth/1/session -H 'content-type: application/json' -d '{"username": "<username>", "password": "<password>"}'
        

      Expected Results

      Based on the behaviour of previous versions, and because no deprecation of cookie-based authentication has been announced for Data Center, /rest/auth/1/session would be expected to work the same way it did before the "New login experience with two-step verification" feature was introduced.

      Actual Results

      Even though the user is not enrolled in 2FA, an attempt to generate a session cookie fails with a message referring to two-step verification being enabled on the instance:

      curl -X POST https://<base_url>/rest/auth/1/session -H 'content-type: application/json' -d '{ "username": "<username>", "password": "<password>" }'
      {"message":"The request was rejected due to two-step verification being enabled on your instance."}
      

      Workaround

      If your customised tools that use the REST API rely heavily on cookie-based authentication, you can revert to the legacy login form (pre-10.2 behaviour) by adding the JVM parameter below to your start-up arguments:

      -Datlassian.authentication.legacy.mode=true
      

      Please note that the legacy login form doesn't support two-step verification. You should only revert to it as a last resort or temporarily, as it degrades the security level of your instance (see "Manage two-step verification for your Atlassian account").

      An alternative is to switch from cookie-based authentication to OAuth 2.0 or Personal Access Tokens (PAT), which are the recommended authentication methods for the REST API.
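      The following is an added example (not part of this bug report or of Atlassian's own code) showing how a client script can detect the rejection described above and fall back to a Personal Access Token instead of enabling legacy mode. It reproduces the POST from the report with the standard library, classifies the response by the error message shown in "Actual Results", and, on that rejection, switches to a Bearer token header. The sender is injectable so the logic runs offline against constructed responses; the successful-session JSON shape ({"session": {"name": ..., "value": ...}}) and the 401 status in the constructed sample are assumptions, not taken from this page.

```python
"""Client-side handling of the POST /rest/auth/1/session rejection."""
import json
import urllib.request
from urllib.error import HTTPError

SESSION_PATH = "/rest/auth/1/session"
# Substring of the rejection message quoted in the bug report.
TWO_STEP_MARKER = "two-step verification being enabled"


def session_login_request(base_url, username, password):
    """Build the same POST the report issues with curl: JSON body, JSON content type."""
    body = json.dumps({"username": username, "password": password}).encode("utf-8")
    return urllib.request.Request(
        base_url.rstrip("/") + SESSION_PATH,
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def urllib_send(req):
    """Real sender: returns (status, body_text) and does not raise on 4xx/5xx."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify_session_response(status, body):
    """'ok' when a session was issued, 'two_step_blocked' for the rejection in
    this report, 'rejected' for anything else (wrong password, non-JSON, ...)."""
    try:
        data = json.loads(body) if body else {}
    except ValueError:
        data = {}
    if not isinstance(data, dict):
        data = {}
    if status == 200 and isinstance(data.get("session"), dict):
        return "ok"
    if TWO_STEP_MARKER in str(data.get("message", "")):
        return "two_step_blocked"
    return "rejected"


def cookie_header(session_body):
    """Turn a successful session response (assumed shape {"session": {"name", "value"}})
    into the Cookie header used for subsequent REST calls."""
    sess = json.loads(session_body)["session"]
    return {"Cookie": f"{sess['name']}={sess['value']}"}


def pat_header(token):
    """Personal Access Token header for Jira Data Center REST calls."""
    return {"Authorization": f"Bearer {token}"}


def authenticate(base_url, username, password, pat=None, send=urllib_send):
    """Try cookie login first; on the two-step rejection fall back to the PAT if one
    was supplied. Returns (mode, headers) with mode 'cookie', 'pat' or 'failed'."""
    status, body = send(session_login_request(base_url, username, password))
    outcome = classify_session_response(status, body)
    if outcome == "ok":
        return "cookie", cookie_header(body)
    if outcome == "two_step_blocked" and pat:
        return "pat", pat_header(pat)
    return "failed", {}


# Constructed sample: the rejection body from the report; the 401 status is assumed.
REJECTION_BODY = ('{"message":"The request was rejected due to two-step verification '
                  'being enabled on your instance."}')


def fake_rejecting_sender(req):
    """Offline stand-in for urllib_send that always returns the rejection."""
    return 401, REJECTION_BODY


if __name__ == "__main__":
    # Runs offline against the constructed rejection, no Jira instance needed.
    mode, headers = authenticate("https://jira.example.invalid", "user", "pw",
                                 pat="PAT_PLACEHOLDER", send=fake_rejecting_sender)
    print(mode, headers)
```

      The fallback only triggers on the specific two-step rejection; a wrong password or an unexpected body still returns 'failed', so a script does not silently switch credential types for unrelated errors.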

      Assignee: Unassigned
      Reporter: Alexander Artemenko (Inactive)
      Votes: 0
      Watchers: 19