問題

Jira is connected to Confluence through application links successfully, But when trying to link a Jira issue from confluence, or a Confluence page from a Jira issue, it fails with : OAuth authentication failed: signature_invalid

Searching a Confluence page from Jira works fine, but linking the page to the Jira issue fails.

The following appears in the atlassian-jira.log

2019-01-03 01:11:12,073 http-nio-8080-exec-14 ERROR user 111x1111x11 aaaaa 203.0.113.10 /secure/LinkConfluencePage.jspa [c.a.j.p.link.confluence.LinkConfluencePage] Invalid response from getting the pageId: OAuth authentication failed: signature_invalid

診断

環境

• Jira is connected to Confluence using Application links.

• Jira and Confluence are running behind a reverse proxy.

Diagnostic Steps

• Need to enable extra logging in Jira to diagnose the issue:

  • Enable Jira HTTP access logs from Jira's logging and profiling page.

  • Enable the HTTP dump logs.

• • In the same page, under Default Loggers click Configure please add the package org.apache.http and set the log level to DEBUG.
    
    

• The Jira logs show the below output:

  2019-07-01 11:00:00,059 http-nio-8080-exec-22 DEBUG user 11x111111x1 aaaaaa 203.0.113.10 /secure/LinkConfluencePage.jspa [o.apache.http.wire] http-outgoing-4562 >> "GET /display/RED/RSS+Watchdog?xoauth_requestor_id=user HTTP/1.1[\r][\n]"
  2019-07-01 11:00:00,059 http-nio-8080-exec-22 DEBUG user 11x111111x1 aaaaaa 203.0.113.10 /secure/LinkConfluencePage.jspa [o.apache.http.wire] http-outgoing-4562 >> "Authorization: OAuth oauth_token="", oauth_consumer_key="jira%aaaaaaa111-1111-aaaa-1111-11111aaaaa11", oauth_signature_method="RSA-SHA1", oauth_timestamp="1562641237", oauth_nonce="11111aaa-1111-aaaa-aaaaa-11111111111_11111111111111111", oauth_version="1.0", oauth_signature="WZ4KXd%2B5FZr3Pzja%2hjdskhkjdhkjsdhjkhdjhdsjhdjhjhshdjhjhjhdjhnnb$djkkjdkjkdjkdjkjhjkhjhjhjhjhjjhjhjhjhjhjhjklvjjd%2F2lu7J%2FnuogJqKUndB0Hc%2BBdn9F1I9G7fv04gxDPI2DQWfNF9tZ5aoB07gtJ2oWbVHXa%2B7clac%2FHNHPjkjjjkjkjhghghghggytyvgfgf%3D%3D"[\r][\n]"
  2019-07-01 11:00:00,059 http-nio-8080-exec-22 DEBUG user 11x111111x1 aaaaaa 203.0.113.10 /secure/LinkConfluencePage.jspa [o.apache.http.wire] http-outgoing-4562 >> "Host: confluence.localdomain[\r][\n]"
  2019-07-01 11:00:00,059 http-nio-8080-exec-22 DEBUG user 11x111111x1 aaaaaa 203.0.113.10 /secure/LinkConfluencePage.jspa [o.apache.http.wire] http-outgoing-4562 >> "Connection: Keep-Alive[\r][\n]"
  2019-07-01 11:00:00,059 http-nio-8080-exec-22 DEBUG user 11x111111x1 aaaaaa 203.0.113.10 /secure/LinkConfluencePage.jspa [o.apache.http.wire] http-outgoing-4562 >> "User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_201)[\r][\n]"
  2019-07-01 11:00:00,059 http-nio-8080-exec-22 DEBUG user 11x111111x1 aaaaaa 203.0.113.10 /secure/LinkConfluencePage.jspa [o.apache.http.wire] http-outgoing-4562 >> "Accept-Encoding: gzip,deflate[\r][\n]"
  2019-07-01 11:00:00,059 http-nio-8080-exec-22 DEBUG user 11x111111x1 aaaaaa 203.0.113.10 /secure/LinkConfluencePage.jspa [o.apache.http.wire] http-outgoing-4562 >> "[\r][\n]"
  2019-07-01 11:00:00,067 http-nio-8080-exec-22 DEBUG user 11x111111x1 aaaaaa 203.0.113.10 /secure/LinkConfluencePage.jspa [o.apache.http.wire] http-outgoing-4562 << "HTTP/1.1 401 [\r][\n]"
  2019-07-01 11:00:00,067 http-nio-8080-exec-22 DEBUG user 11x111111x1 aaaaaa 203.0.113.10 /secure/LinkConfluencePage.jspa [o.apache.http.wire] http-outgoing-4562 << "Content-Length: 874[\r][\n]"
  2019-07-01 11:00:00,067 http-nio-8080-exec-22 DEBUG user 11x111111x1 aaaaaa 203.0.113.10 /secure/LinkConfluencePage.jspa [o.apache.http.wire] http-outgoing-4562 << "Content-Type: application/x-www-form-urlencoded;charset=UTF-8[\r][\n]"
  2019-07-01 11:00:00,067 http-nio-8080-exec-22 DEBUG user 11x111111x1 aaaaaa 203.0.113.10 /secure/LinkConfluencePage.jspa [o.apache.http.wire] http-outgoing-4562 << "WWW-Authenticate: OAuth realm="https%3A%2F%2Fconfluence.localdomain"[\r][\n]"
  2019-07-01 11:00:00,067 http-nio-8080-exec-22 DEBUG user 11x111111x1 aaaaaa 203.0.113.10 /secure/LinkConfluencePage.jspa [o.apache.http.wire] http-outgoing-4562 << "Server: Microsoft-HTTPAPI/2.0[\r][\n]"
  2019-07-01 11:00:00,067 http-nio-8080-exec-22 DEBUG user 11x111111x1 aaaaaa 203.0.113.10 /secure/LinkConfluencePage.jspa [o.apache.http.wire] http-outgoing-4562 << "Www-Authenticate: OAuth realm="https%3A%2F%2Fconfluence.localdomain", oauth_problem="signature_invalid", oauth_signature="WZ4KXd%2B5FZr3Pzja%2hjdskhkjdhkjsdhjkhdjhdsjhdjhjhshdjhjhjhdjhnnb$djkkjdkjkdjkdjkjhjkhjhjhjhjhjjhjhjhjhjhjhjklvjjd%2F2lu7J%2FnuogJqKUndB0Hc%2BBdn9F1I9G7fv04gxDPI2DQWfNF9tZ5aoB07gtJ2oWbVHXa%2B7clac%2FHNHPjkjjjkjkjhghghghggytyvgfgf%3D%3D", oauth_signature_base_string="GET%26https%253A%252F%252Fconfluence.localdomain%252Fdisplay%252FRED%252FRSS%25252BWatchdog%26oauth_consumer_key%253Djira%aaaaaaa111-1111-aaaa-1111-11111aaaaa11%2526oauth_nonce%11111aaa-1111-aaaa-aaaaa-11111111111_11111111111111111oauth_signature_method%253DRSA-SHA1%2526oauth_timestamp%253D1562641237%2526oauth_requestor_id%253Duser", oauth_signature_method="RSA-SHA1"[\r][\n]"
  2019-07-01 11:00:00,067 http-nio-8080-exec-22 DEBUG user 11x111111x1 aaaaaa 203.0.113.10 /secure/LinkConfluencePage.jspa [o.apache.http.wire] http-outgoing-4562<< "Date: Tue, 09 Jul 2019 08:34:17 GMT[\r][\n]"

  
  Confluence is sending a 401 bad request with an Oauth problem of signature_invalid.

  Checking the Confluence logs, we see an error being logged as below:

  2019-07-01 11:00:00,067 WARN [http-nio-8090-exec-6] [oauth.serviceprovider.internal.AuthenticatorImpl] logOAuthProblem Problem encountered authenticating OAuth client for url "https://confluence.localdomain/display/RED/RSS%2BWatchdog", error was "signature_invalid", with parameters "{oauth_problem=signature_invalid, oauth_signature=WZ4KXd+5FZr3Pzja%2hjdskhkjdhkjsdhjkhdjhdsjhdjhjhshdjhjhjhdjhnnb$djkkjdkjkdjkdjkjhjkhjhjhjhjhjjhjhjhjhjhjhjklvjjd%2F2lu7J%2FnuogJqKUndB0Hc+Bdn9F1I9G7fv04gxDPI2DQWfNF9tZ5aoB07gtJ2oWbVHXa+7clac%2FHNHPjkjjjkjkjhghghghggytyvgfgf==, oauth_signature_base_string=GET&https%3A%2F%2Fconfluence.localdomain%2Fdisplay%2FRED%2FRSS%252BWatchdog&oauth_consumer_key%3Djira%aaaaaaa111-1111-aaaa-1111-11111aaaaa11%26oauth_nonce%3D11111aaa-1111-aaaa-aaaaa-11111111111_11111111111111111%26oauth_signature_method%3DRSA-SHA1%26oauth_timestamp%3D1562641237%26oauth_version%3D1.0%26xoauth_requestor_id%3Duser, oauth_signature_method=RSA-SHA1}"

  Looking at the 2 logs, the JIRA output and Confluence above Warning, you can see that the signature string logged in Confluence is not identical to what is logged into Jira logs.

  The Confluence logged signature string is actually URL decoded, this shouldn’t be the case.

原因

In this specific issue, the root cause turns out to be reverse proxy running in front of Confluence.

The proxy is doing an extra unexpected URL decoding/encoding for the URL and query string sent by Jira, this is not accounted for when calculating the signature string from the base string and thus, when Confluence tries to match the signature string it fails.

Microsoft Web Application Proxy (WAP) shipped with Windows Server 2012 R2 has a known bug that could cause this issue: KB3042127.

Apache 2.2 also seemed to have similar problems with mod_rewrite when used as a proxy: Bug 23295.

ソリューション

Ensure that the reverse proxy is not doing any extra encoding/decoding steps for query strings passing through it.

If you are using Microsoft WAP reverse proxy on Windows 2012, please install the fix KB3042127.

If you are using Apache 2.2, please upgrade to latest version and ensure mod_rewrite is configured properly, also check if the rewrite rules has the mod_rewrite flag NE added to them to avoid extra encoding at the proxy.