-
Bug
-
Resolution: Unresolved
-
Low
-
None
-
1.0.2
-
Minor
Problem
When a remote application tries to obtain an access token using PKCE workflow Jira blocks the request expecting a client secret. While the whole purpose of "Proof Key for Code Exchange" is to not use stored secrets.
Environment
- Jira 9.15.2
Steps to Reproduce
- Create an incoming application link on Jira
- Generate a code verifier and a code challenge for the remote application
- Consent on the link , GET https://JIRA-HOST/jira/plugins/servlet/oauth2/consent?client_id=V1&redirect_uri=V2&response_type=code&scope=V3&code_challenge_method=S256&code_challenge=V4
- Copy the code from the redirection URL from the previous step , copy the code verifier from the second step
- Send a POST request to : https://JIRA-HOST/jira/rest/oauth2/latest/token?client_id=V1&code=V2&grant_type=authorization_code&redirect_uri=V3&code_verifier=V4
Expected Results
Jira will return an access token to be used by the remote application with response code 200
{
"scope": "SYSTEM_ADMIN",
"access_token": "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6ImY2MTViMTdiNDVjMzMxMDU2MTBmMmMwZjQ0N2MwM2E5In0.geCLYxFBbJOOuQa1Z3wpLWl4w-M49l6b76aAKm_6Kzg",
"token_type": "bearer",
"expires_in": 3600,
"refresh_token": "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6ImIzYjlmODg0N2M2ODdhYjcwMzRkZmUzYWYxODUzZWI1In0.mFoOTFD1OIhFt7u9i5Ge2AP9fG_8DmGmuyleGkftUrQ"
}
Actual Results
Jira returns 401 asking for client_secret
Workaround
Following Setting properties and options on startup add the value
-Datlassian.oauth2.provider.validate.client.secret=false
Notes
- Using the mentioned workarround will stop Jira from verifying all the stored client_secrets , this might have a global security impact so be sure to use the workarround only if all remote apps should work only with the less secure PKCE method
- causes
-
ECOHELP-39584 Loading...
- is cloned by
-