OpenID Authentication for JIRA and Confluence

Hi, I'm really happy that you are evaluating OpenID Authentication.

I tried to make this plugin self-explanatory, but if I failed in that and you have any doubts or questions, please contact me so I can answer them and also improve the plugin.

Cheers, Pawel

Security considerations

This plugin can create accounts on your system that have a randomly generated password. When a user logs in, a remember-me cookie is stored in their browser. As long as the user doesn't log out and the cookie hasn't expired (usually after two weeks), the browser will allow them to access your application.

Usage tracking

To support development of this plugin and to better understand its users, limited usage tracking will be introduced in version 4.0.0. The plugin will report to Google Analytics only if JIRA analytics is enabled.

The plugin will report the following information:

  • number and type of providers installed in the system (once a day)
  • configuration changes - adding/removing/editing a provider
  • occurrence of an error during authentication
  • initial installation of the plugin

You can always refer to the source code to check how this information is gathered.

FAQ

Can I use this for Service Desk?

Yes, you can log into JIRA and then use Service Desk. If you want to limit users to Service Desk only, you can use this plugin.

I'm unable to use my custom OAuth 2 authentication provider

The custom OAuth authentication built into the plugin was created for Google Apps and may not work with some other implementations. If you want to use your own provider and it doesn't work out of the box, please contact me for support. I will happily fix the plugin to work with your provider.

I'm getting HTTP/405 when authenticating with Google Apps

You probably didn't enable the Google+ API in the Google Developer Console.

I'm getting SSL errors

There are a couple of reasons you could get them:

  • you're using a self-signed certificate
  • you're using a certificate signed by a Certification Authority that isn't known to the Java version you use
  • you're using a 2048-bit certificate key, which is only supported by the latest Java 1.7 and 1.8 releases

Can this plugin synchronize all users or groups?

No, it cannot. It synchronizes user details during authentication only. It does not synchronize users or groups in the background. Also, this plugin doesn't act as a Crowd User Directory.

Is this plugin compatible with custom SSOSeraphAuthenticator?

No, it is not. Users found that they do not work well together. I don't have plans to support custom authenticators at this time.

Plugin doesn't work in JIRA 7.3.0

If you use a recent PostgreSQL release, you may encounter com.atlassian.activeobjects.internal.ActiveObjectsInitException. If you do, please upgrade the JDBC driver, because the one shipped with JIRA is too old.

I'm getting "Oops, you've found a dead link" when I try to log in

Let's imagine that you have configured the Google provider (or any other, to be specific), you then access your JIRA and click the Google button. In return you get an HTTP/404 server response and an error page. When inspecting the location bar in the browser, you can see that it still shows your JIRA's address.

Let's imagine you host your JIRA on https://jira.mycompany.com

You can see that the browser points to https://jira.mycompany.com/o/oauth2/auth?scope=openid+email+profile&response_type=code&state=d3fc17ad-1a4b-4449-8eb6-0d0d3eca9809&redirect_uri=https%3A%2F%2Fjira.mycompany.com%2Fopenid%2Foauth2-callback%2Fgoogle&prompt=select_account&client_id=…

This means that you host JIRA behind a reverse proxy and the proxy rewrote the address back to your JIRA instead of passing it through, because the plugin returned the following address:

https://accounts.google.com/o/oauth2/auth?scope=openid+email+profile&response_type=code&state=d3fc17ad-1a4b-4449-8eb6-0d0d3eca9809&redirect_uri=https%3A%2F%2Fjira.mycompany.com%2Fopenid%2Foauth2-callback%2Fgoogle&prompt=select_account&client_id=…

Please fix the reverse proxy configuration and the plugin will function properly.
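To confirm this diagnosis from a captured redirect, the check below classifies the Location value the browser received. It is an added example, not part of the plugin. The function name, the finding codes, the extra callback check and the `EXAMPLE_CLIENT_ID` placeholder are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urljoin, urlsplit

# Authorization-request parameters present in the URLs quoted above.
AUTH_PARAMS = {"response_type", "client_id", "redirect_uri", "state"}


def diagnose_login_redirect(jira_base, provider_host, location):
    """Classify the Location value the browser received after the provider
    button was clicked. Returns a list of finding codes (hypothetical names)."""
    jira = urlsplit(jira_base)
    # A relative Location resolves against JIRA, exactly as the browser does.
    loc = urlsplit(urljoin(jira_base, location))
    query = parse_qs(loc.query)
    if not AUTH_PARAMS.issubset(query):
        return ["not-an-authorization-request"]

    findings = []
    host = (loc.hostname or "").lower()
    if host == provider_host.lower():
        findings.append("ok")
    elif host == (jira.hostname or "").lower():
        # Provider path and parameters served from JIRA's own host: the
        # proxy rewrote the redirect, which produces the 404 "dead link".
        findings.append("proxy-rewrite")
    else:
        findings.append("unexpected-host")

    # The callback must return to this JIRA with the same scheme and host.
    callback = urlsplit(query["redirect_uri"][0])
    if (callback.scheme, callback.hostname) != (jira.scheme, jira.hostname):
        findings.append("callback-mismatch")
    return findings


if __name__ == "__main__":
    # Constructed sample values; client_id is a placeholder.
    base = "https://jira.mycompany.com"
    query = ("scope=openid+email+profile&response_type=code"
             "&state=d3fc17ad-1a4b-4449-8eb6-0d0d3eca9809"
             "&redirect_uri=https%3A%2F%2Fjira.mycompany.com%2Fopenid"
             "%2Foauth2-callback%2Fgoogle&prompt=select_account"
             "&client_id=EXAMPLE_CLIENT_ID")
    for url in (base + "/o/oauth2/auth?" + query,
                "https://accounts.google.com/o/oauth2/auth?" + query):
        print(diagnose_login_redirect(base, "accounts.google.com", url), url[:40])
```

A `proxy-rewrite` result means the proxy's rule for rewriting Location headers also matches redirects that point at the provider, so that rule is where to look.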

How to debug the plugin?

Go to Logging and profiling and use Configure logging level for another package to enable logging for this plugin. Use com.pawelniewiadomski as the package name and select TRACE as the logging level. Once configured, the plugin will log additional information to atlassian-jira.log.