OpenID Connect authentication fails with "Exchanging authorization tokens failed"
プラットフォームについて: Data Center のみ - この記事は、Data Center プラットフォームのアトラシアン製品にのみ適用されます。
この KB は Data Center バージョンの製品用に作成されています。Data Center 固有ではない機能の Data Center KB は、製品のサーバー バージョンでも動作する可能性はありますが、テストは行われていません。サーバー*製品のサポートは 2024 年 2 月 15 日に終了しました。サーバー製品を利用している場合は、アトラシアンのサーバー製品のサポート終了のお知らせページにて移行オプションをご確認ください。
*Fisheye および Crucible は除く
要約
After enabling OpenID Connect (OIDC) for a Jira environment, the user is redirected to the IdP and enter their credentials.
However, the login fails and the user is prompted with the Jira login screen again.
環境
- Jira DC 8.6+ (or Jira Server with a DC license)
- The SSO for Atlassian Server and Data Center app on version 4.0.1+ (with support for OIDC)
診断
The Jira server logs show the following exception:
2020-11-13 14:48:59,153+0100 http-nio-8080-exec-24 url:/jira/plugins/servlet/oidc/callback ERROR anonymous 888x315970x1 uz0qod 53.61.238.57,53.31.55.76 /plugins/servlet/oidc/callback [c.a.p.a.i.web.filter.ErrorHandlingFilter] Exchanging authorization tokens failed.
com.atlassian.plugins.authentication.impl.web.usercontext.AuthenticationFailedException: Exchanging authorization tokens failed.
at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.exchangeAuthorizationCodeForTokens(OidcConsumerServlet.java:196)
at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.getOidcTokens(OidcConsumerServlet.java:163)
at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.doGet(OidcConsumerServlet.java:117)If you scroll down, you will see the exception cause logged. Here's an example of a 403 returned by an outbound proxy:
Caused by: java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 403 Forbidden"原因
Unlike SAML which is purely browser-based, the OpenID authentication flow requires server-to-server communication to exchange authorization tokens. This happens at step 7 of the diagram below:
For the authentication to work, the Jira server/node must be able to reach the IdP. The error will occur if connectivity can't be established.
If the cause of the connectivity failure is proxy-related, it suggests that the outbound proxy used by Jira either doesn't allow connectivity or doesn't have an exception for the IdP host via the -Dhttp.nonProxyHosts JVM argument.
ソリューション
Either allow server-to-server connectivity between Jira and the IdP or, if you're using an outbound proxy, add an exception for the IdP host.
- In a DC environment, the change has to be done on all nodes.
- With proxy exceptions, you may run into the issue described in Jira server ignores http.nonProxyHosts JVM option.