OAuth error oauth_problem=signature_invalid

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

この記事はアトラシアンのサーバー製品にのみ適用されます。クラウドとサーバー製品の違いについてはこちらをご確認ください。

問題

When creating an application link, or using functionality that uses an application link, the applications aren't able to authenticate to each other.

The following appears in the application log:

oauth_problem=signature_invalid

診断

環境

  • Two applications are connected together using Application Links
  • The authentication method used is OAuth

原因

The Application URL of the link does not match the URL that the remote application is reporting. This can be caused by:

  • The Base URL on the remote application is set to something other than the Application URL defined on the link
  • A reverse proxy or port forwarding is configured, and the "Host" header is reporting the wrong host name or port
  • If you are using NGINX as the reverse proxy and using the proxy_cache  directive 
  • The useBodyEncodingForURI tomcat parameter in the <confluence-install>/conf/server.xml is set to true

In this scenario, the affected applications will usually display other problems as well.

ソリューション

ベース URL

  • Ensure the Base URL is correct for each application.

Application URL

  • The Application URL should match the Base URL of the other application unless you're bypassing a reverse proxy.

  • If the Application URL does not match the Base URL (and you're not bypassing a reverse proxy) then delete and recreate the Application Link.

Reverse Proxy

  • If using a reverse proxy or port forwarding, ensure the application is correctly configured for use with a reverse proxy.

NGINX Reverse Proxy with  proxy_cache directive

NGINX caching rewrites HEAD requests to GET requests by default which will interfere with application link communication between Atlassian products.

  • Workaround 1: Do not use the proxy_cache  directive in the Nginx configuration
  • Workaround 2: If the proxy_cache  directive is required, then add this to the NGINX configuration which will allow caching to remain enabled without breaking OAuth communication:

    proxy_cache_convert_head   off;
    proxy_cache_key            $scheme$request_method$proxy_host$request_uri;

Tomcat

  1. Look for the following part in <confluence-install>/conf/server.xml.

    <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
     maxThreads="48" minSpareThreads="10"
     enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
     protocol="org.apache.coyote.http11.Http11NioProtocol" 
     useBodyEncodingForURI="true"/>
  2. If the useBodyEncodingForURI is in the server.xml, remove the parameter or set it to false

    <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
     maxThreads="48" minSpareThreads="10"
     enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
     protocol="org.apache.coyote.http11.Http11NioProtocol" 
     useBodyEncodingForURI="false"/>

説明 When creating an application link, or using functionality that uses an application link, the applications aren't able to authenticate to each other.
製品 Jira, Confluence, Bamboo, Bitbucket, Fisheye
プラットフォーム サーバー
最終更新日: 2018 年 12 月 10 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.