Cannot connect mattermost to jira using Jira plugin due to bad expiration timestamp #600

Closed
AndreiLopatenco opened this issue Jul 23, 2020 · 15 comments
Labels
Type/Bug Something isn't working

@AndreiLopatenco

The installation of the plugin went successfully, however, I couldn't connect the mattermost account with jira account and I get the same issue all the time in a new window, where I'm logging into my Jira Cloud account:

```
could not get user info for client, err: No response returned: Get "https://jira.atlassian.net/rest/api/2/myself": oauth2: cannot fetch token: 400 Bad Request
Response: {"error":"invalid_grant","error_description":"Expiration timestamp too far in the future [was 135 seconds from now; please set `exp` to no more than 60 seconds after issue time]"}
```

Whenever I try the same URL by pasting into the browser, where I'm already logged in - it works well.

Please let me know if this is something I could fix on my own as I couldn't find a way to change the timestamp expiration.

Many thanks.

@DHaussermann

Hi @AndreiLopatenco I have not seen this issue. But, I'd like to try and reproduce it. If I understand correctly, you can only connect your user when using a browser that's already authenticated in Jira?

Can you please provide some additional information?

  • What version of the Jira plugin are you running?
  • Is this Jira Cloud or Jira Server you're trying to connect to?
  • You're doing this via a browser and not the desktop app, correct?
  • Can you confirm that on your first attempt at connecting the user, you're accessing your Mattermost server at the same url that the Jira app is pointed to?

@AndreiLopatenco
Author

AndreiLopatenco commented Jul 24, 2020

hi @DHaussermann,

Thanks for coming back to me.
Basically I cannot connect my user from mattermost at all, when I type /jira connect - a new browser window opens up with the Jira login page. I log in there and immediately after logging in - I see the error message. I can, however, copy the link from the error message (the one with the rest/api/2/myself at the end) and paste it in a browser where I'm logged in already, which gives me a json response.

> What version of the Jira plugin are you running?

The latest at the time of writing, i.e. 2.4.0

> Is this Jira Cloud or Jira Server you're trying to connect to?

Jira Cloud

> You're doing this via a browser and not the desktop app, correct?

I tried both, via the Mattermost macOS desktop app version 4.5.2 (4.5.2.6864) and via browser. Note that it's the same browser I'm already logged into Jira but it still throws that error.

> Can you confirm that on your first attempt at connecting the user, you're accessing your Mattermost server at the same url that the Jira app is pointed to?

Not sure I got this question, could you rephrase it please?

@DHaussermann

Thanks @AndreiLopatenco
Sorry, that last question was unclear. I just want to make sure that you always access your Mattermost server from the same URL. So it's not the case that you installed your application in jira pointing to 1 URL and are trying to connect your user from a different URL.

A few other questions just for some more context...

  • Do you know if this occurs with multiple users or, do you only have the 1 available to test with?
  • Have you tried /jira disconnect first and then /jira connect to see if this resolves your issue?
  • Once you do connect (by pasting the URL in a new browser) If you log into Mattermost in a fresh browser session, do you still see the connect option in the post menu or do you see the create and attach options?

@AndreiLopatenco
Author

AndreiLopatenco commented Jul 24, 2020

hi @DHaussermann,

Thanks for the clarifications, it's all clear now.

> I just want to make sure that you always access your Mattermost server from the same URL. So it's not the case that you installed your application in jira pointing to 1 URL and are trying to connect your user from a different URL.

Yes, there's only one instance of the Mattermost server and one Jira instance

> Do you know if this occurs with multiple users or, do you only have the 1 available to test with?

Unfortunately I've got just one user to test with

> Have you tried /jira disconnect first and then /jira connect to see if this resolves your issue?

Yes, also tried /jira uninstall and then /jira install and /jira connect again but with no luck

> Once you do connect (by pasting the URL in a new browser) If you log into Mattermost in a fresh browser session, do you still see the connect option in the post menu or do you see the create and attach options?

When I copy and paste the https://{jira-instance}.atlassian.net/rest/api/2/myself link - I get the following JSON:

```json
{
	"self": "https://{jira-instance}.atlassian.net/rest/api/2/user?accountId=557058:2806d13a-6e3b-4abd-bef3-1801e5de154f",
	"accountId": "557058:2806d13a-6e3b-4abd-bef3-1801e5de154f",
	"emailAddress": "email@address.com",
	"avatarUrls": {
		"48x48": "https://avatar-management--avatars.us-west-2.prod.public.atl-paas.net/{link}",
		"24x24": "https://avatar-management--avatars.us-west-2.prod.public.atl-paas.net/{link-2}",
		"16x16": "https://avatar-management--avatars.us-west-2.prod.public.atl-paas.net/{link-3}",
		"32x32": "https://avatar-management--avatars.us-west-2.prod.public.atl-paas.net/{link-4}"
	},
	"displayName": "Andrei Lopatenco",
	"active": true,
	"timeZone": "Europe/Chisinau",
	"locale": "en_US",
	"groups": {
		"size": 7,
		"items": []
	},
	"applicationRoles": {
		"size": 2,
		"items": []
	},
	"expand": "groups,applicationRoles"
}
```

I, however, still cannot connect, I am just able to get the above JSON, which, supposedly, doesn't work when accessed when I type /jira connect in the Mattermost input field

Please let me know if that makes sense at all?

@DHaussermann

@AndreiLopatenco Yes I think I understand a bit better. So, pasting the URL is not a work-around and you're not able to connect your user at all. In that case one more thing you can try as a troubleshooting step is to reinstall the app on the Jira side as well if you have not already.

I would do the following:

  1. Use /jira uninstall to remove the installed instance from Mattermost.
  2. Navigate to the applications config in Jira and remove the app there.
  3. Start over from Mattermost with /jira install cloud <your Jira URL>. Then copy the URL you get to for the .json file.
  4. As an isolation step - you can paste this url into a new browser tab and make sure the json displays normally in your browser. (you should not get a 404 or 500)
  5. Copy the .json URL and add this over again as an app on the Jira side. Ensure you get the success message that your app has been installed.
  6. As an isolation step you can also try connecting from Mattermost in an incognito browser session to see if this changes the behavior.

I'm sure most of this is already working or you would not have seen the connect option appear. But, hopefully steps 4. and 6. might turn up some more information.
From my end, I can try and explore Jira Cloud config to see if anything seems relevant. I'm curious if it's possible there is some OAuth config option we don't support.

@AndreiLopatenco
Author

hi @DHaussermann,

Thanks for the steps, however, I faced the same issue.
Step 1. executed with no issues
Step 2. executed with no issues
Step 3. executed with no issues
Step 4. executed with no issues. I got the following config json:

```json
{
	"key": "mattermost_https_{mattermost-URL}",
	"name": "Mattermost Plugin (https://{mattermost-URL}/)",
	"description": "Integrates Jira with Mattermost for in-place interactions and notifications",
	"vendor": {
		"name": "Mattermost",
		"url": "https://github.com/mattermost"
	},
	"baseUrl": "https://{mattermost-URL}/plugins/jira",
	"links": {
		"self": "https://{mattermost-URL}/plugins/jira/ac/atlassian-connect.json",
		"homepage": "https://www.mattermost.com"
	},
	"authentication": {
		"type": "jwt"
	},
	"apiMigrations": {
		"gdpr": true
	},
	"lifecycle": {
		"installed": "/ac/installed",
		"uninstalled": "/ac/uninstalled"
	},
	"scopes": [ "READ", "WRITE", "ACT_AS_USER" ],
	"modules": {
		"generalPages": [
			{
				"url": "/ac/user_redirect.html",
				"name": {
					"value": "User mapping and configuration page"
				},
				"key": "user-redirect",
				"location": "none"
			}
		]
	}
}
```

Step 5. executed with no issues.

I still get the same error message when I type /jira connect within mattermost:

Since it says: Response: {"error":"invalid_grant","error_description":"Expiration timestamp too far in the future [was 135 seconds from now; please set exp to no more than 60 seconds after issue time]"}
Is there any timestamp set up in the /jira connect call that sets the timestamp 135 seconds rather than 60? Would you think that can be adjusted somehow?

Many thanks

@levb added the Type/Bug (Something isn't working) label Jul 28, 2020
@levb added this to the v3.0 milestone Jul 28, 2020
@mickmister
Contributor

Tracing the code a bit, it seems this exp value is being set to 180 seconds in the future by an open-source library we are using called atlassian-jwt:

```go
issuedAt := time.Now()
expiresAt := issuedAt.Add(180 * time.Second)

return &AtlassianClaims{
	qsh,
	jwt.StandardClaims{
		IssuedAt:  issuedAt.Unix(),
		ExpiresAt: expiresAt.Unix(),
		Issuer:    c.Key,
	},
}
```

which is using another library jwt-go, that implements the structure that Atlassian describes here.

```go
type StandardClaims struct {
	Audience  string `json:"aud,omitempty"`
	ExpiresAt int64  `json:"exp,omitempty"` // Here is the `exp` value
	Id        string `json:"jti,omitempty"`
	IssuedAt  int64  `json:"iat,omitempty"`
	Issuer    string `json:"iss,omitempty"`
	NotBefore int64  `json:"nbf,omitempty"`
	Subject   string `json:"sub,omitempty"`
}
```

The atlassian-jwt library is setting the expiration to issued time + 180 seconds, which doesn't quite agree with the error message we are seeing here, but the context of the data structure etc. certainly matches the error when nothing else in our codebase does. I'd also like to add that the Atlassian docs state that this value must not exceed 60 seconds, as the error message explains.

I can create a build of this plugin with that library patched to set the expiration to only 60 seconds. @AndreiLopatenco Is this something you'd be willing to test out?
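
Added example, not part of the thread and not code from the plugin or the atlassian-jwt library: a small Go diagnostic that decodes a JWT's payload and compares `exp` against `iat` and against the verifier's clock, using the 60-second limit from the error message. `CheckExp`, `unsignedToken` and the sample timestamps are constructed for illustration, and the two-sided check is an assumption modelled on the error wording, not Atlassian's documented logic.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

const maxLifetime = 60 * time.Second // limit quoted in the error message above
type claimTimes struct { // the two registered claims the check needs
	IssuedAt  int64 `json:"iat"`
	ExpiresAt int64 `json:"exp"`
}

// CheckExp decodes a compact JWT's payload (no signature check, diagnostics only); returns exp-iat and exp-now.
func CheckExp(token string, now time.Time) (lifetime, fromNow time.Duration, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return 0, 0, fmt.Errorf("not a compact JWT: got %d segments", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return 0, 0, fmt.Errorf("payload is not base64url: %w", err)
	}
	var c claimTimes
	if err := json.Unmarshal(raw, &c); err != nil || c.IssuedAt == 0 || c.ExpiresAt == 0 {
		return 0, 0, fmt.Errorf("payload lacks usable iat/exp claims (json error: %v)", err)
	}
	lifetime = time.Duration(c.ExpiresAt-c.IssuedAt) * time.Second
	fromNow = time.Unix(c.ExpiresAt, 0).Sub(now)
	if lifetime > maxLifetime || fromNow > maxLifetime {
		err = fmt.Errorf("exp too far ahead: lifetime %s, %s from now, limit %s", lifetime, fromNow, maxLifetime)
	}
	return lifetime, fromNow, err
}

// unsignedToken builds a constructed sample token with a dummy signature.
func unsignedToken(iat, exp int64) string {
	enc := base64.RawURLEncoding.EncodeToString
	payload, _ := json.Marshal(claimTimes{IssuedAt: iat, ExpiresAt: exp})
	return enc([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc(payload) + ".sig"
}

func main() {
	now := time.Unix(1595500000, 0) // constructed clock; token below was issued 45 s earlier with a 180 s lifetime
	life, from, err := CheckExp(unsignedToken(now.Unix()-45, now.Unix()+135), now)
	fmt.Println(life, from, err)
}
```

Running it against a token captured from a failing request shows whether the token's own lifetime or an offset between the two hosts' clocks is what pushes `exp` past the limit.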

@AndreiLopatenco
Author

Hi @mickmister,

Absolutely, just let me know when you have the build and I'll give it a try.

Cheers!

@mickmister
Contributor

You can find a version with this change here:
https://github.com/mickmister/mattermost-plugin-jira/releases/tag/2.4.0-jwt
You can download the jira-2.4.0.tar.gz file there, and upload it via the system console to install the plugin.

The relevant commits for this change, made on top of the plugin's 2.4.0 release:
mickmister@584d892
mickmister/atlassian-jwt@5b254d7

@AndreiLopatenco Please let me know if you have any questions. Thanks for filing this issue, and for your cooperation!

@AndreiLopatenco
Author

hi @mickmister,

I have just tried using the latest build but I get the same issue.

I have as well removed the installed plugin and did a fresh install via System Console but that didn't change anything I'm afraid.

Is there anything else I could try here?

@mickmister
Contributor

@AndreiLopatenco Thanks for trying the build. It seems something may have changed on Jira Cloud's side with the authentication process. I'm looking into it now.

@hanzei mentioned this issue Aug 18, 2020
@jfrerich modified the milestones: v3.0, v3.0.1 Sep 10, 2020
@mickmister removed their assignment Nov 20, 2020
@DHaussermann modified the milestones: v3.0.1, v3.1.0 Dec 2, 2020
@mickmister
Contributor

Hi @AndreiLopatenco, are you able to reproduce this on a Mattermost instance running in a different environment?

@BlueSky-fur

Any news on this, latest mattermost version still running into this issue :/

@mickmister
Contributor

Hi @BlueSky-fur, thanks for letting us know this is still occurring. This issue should be resolved once #949 and #953 are released. No other updates on this currently

@raghavaggarwal2308
Contributor

raghavaggarwal2308 commented Aug 5, 2024

> Hi @BlueSky-fur, thanks for letting us know this is still occurring. This issue should be resolved once #949 and #953 are released. No other updates on this currently

@BlueSky-fur The above two PRs are merged and released, can you please confirm if you are still facing the issue or not, so that we can work on this accordingly?

@raghavaggarwal2308 modified the milestones: Roadmap, v4.2.0 Aug 5, 2024
@raghavaggarwal2308 removed this from the v4.2.0 milestone Aug 13, 2024
@raghavaggarwal2308 added this to the v4.2.0 milestone Sep 18, 2024