Self-hosted Jira behind Okta #241

Closed
agzam opened this issue Mar 28, 2019 · 16 comments
@agzam

agzam commented Mar 28, 2019

Can someone please tell me if this is possible at all?
How do I connect to a self-hosted Jira instance sitting behind Okta?

@fizz

fizz commented Apr 3, 2019

This works! I just logged into a Jira Server instance with Okta in front of it. I set endpoint: and login: in ~/.jira.d/config.yml. Try any command (like jira ls), it should ask for your password and... just work.

@agzam
Author

agzam commented Apr 4, 2019

I've tried all different combinations of user: and login: and still can't make it work; it keeps saying: "Login denied". The password is right, what else does this thing need?

@agzam
Author

agzam commented Apr 8, 2019

I wonder if I can use token-based auth by just copy-pasting the token from the browser into the config file?

@noahbetzen-wk

I'm in the same boat: #231

Unfortunately I've not found a solution yet.

@tedwardd

tedwardd commented May 7, 2019

I got it working with Okta. It's a hack and involves a modified version of the JSESSIONID hijacking that @anthonyrisinger found in #111. Steps are below:

$ #### BEGIN WITH NO **config.js** or **cookies.js** in $HOME/jira.d
$ # Creates cookies.js
$ jira -e http://jira.example.com issuetypes -p ECOE < /dev/null
? Jira Password [admin]:  ERROR EOF

$ #### LOGIN TO JIRA WITH CHROME
$ #### IN DEVELOPER TOOLS SWITCH TO NETWORK TAB
$ #### STEAL **atlassian.xsrf.token** FROM ANY REQUEST HEADER
$ jq --arg xsrf ATLASSIAN.XSRF.TOKEN_GOES_HERE -c 'map(select(.Name=="atlassian.xsrf.token")|.Value=$xsrf|.Raw|=sub("(?<==)[[:alnum:]]+";$xsrf))' ~/.jira.d/cookies.js > ~/.jira.d/cookies.js.new && mv ~/.jira.d/cookies.js{.new,}

$ #### CREATE **config.yml**
$ cat << EOF >> $HOME/.jira.d/config.yml
user: user.name
login: user.name@example.com
endpoint: https://jira.example.com
EOF

$ #### ATTEMPT TO LOGIN ONCE, FAIL AND CTRL-C
$ jira login
$ ^C

$ #### IN DEVELOPER TOOLS, NETWORK TAB AGAIN
$ #### STEAL **JSESSIONID** FROM ANY REQUEST HEADER
$ jq --arg jid JSESSIONID_GOES_HERE -c 'map(select(.Name=="JSESSIONID")|.Value=$jid|.Raw|=sub("(?<==)[[:alnum:]]+";$jid))' ~/.jira.d/cookies.js > ~/.jira.d/cookies.js.new && mv ~/.jira.d/cookies.js{.new,}

$ jira ls

@agzam
Author

agzam commented Jun 2, 2019

I'm still not getting it. This is what I did:

  • created ~/.jira/config.yml with

    endpoint: https://jira.something.com
    user: me
    login: me@something.com

  • tried jira login, it prompts for password, I press Ctrl-C

  • this creates ~/.jira.d/cookies.js file that looks like this:

    [
      {
        "Name": "atlassian.xsrf.token",
        "Value": "AAAA-BBBB-CCCC-DDDD|22b1003be3284b4fbf29-96f618aa4e0f",
        "Path": "/",
        "Domain": "jira.something.com",
        "Expires": "2019-06-09T16:02:25.330078548-07:00",
        "RawExpires": "",
        "MaxAge": 0,
        "Secure": true,
        "HttpOnly": false,
        "Raw": "atlassian.xsrf.token=AAAA-BBBB-CCCC-DDDD|22b1003be3284b4fbf29-96f618aa4e0f|lout;path=/;Secure",
        "Unparsed": null
      }
    ]
    
  • I went to the browser, checked the network tab, and I was surprised: the value in Cookie request header is the same as in "Value" field in cookies.js

Now, I understand that go-jira somehow was able to get that info from Jira, but it's missing JSESSIONID. And thus you need to run the second jq command, but no matter what I put where you say JSESSIONID_GOES_HERE, it results in an empty array. @k4k What am I doing wrong?

Could you please post the content of cookies.js (with private stuff garbled, of course)? I feel I'm getting close, but can't figure out the exact keys that are required for it to work.

@base698

base698 commented Jun 22, 2019

@agzam if you use push auth with Okta, I created a login script wrapper for the command line using puppeteer. It generates the cookies file in .jira.d/cookies.js

@nlieb

nlieb commented Jul 9, 2019

@base698 could you post the shape of the expected cookies.js file?

@base698

base698 commented Jul 9, 2019

Using https://github.com/GoogleChrome/puppeteer I'm saving the cookies file after login.

[{"Name":"AWSALB","Value":"zkdkdk....","Path":"/","Domain":"jira.mydomain.com","Expires":"2019-07-08T14:42:20.386393999-07:00","RawExpires":"Mon, 08 Jul 2019 21:42:20 GMT","MaxAge":0,"Secure":false,"HttpOnly":false,"SameSite":0,"Raw":"AWSALB=zkdkdk.....; Expires=Mon, 08 Jul 2019 21:42:20 GMT; Path=/","Unparsed":null},{"Name":"JSESSIONID","Value":"20FEEEE1099","Path":"/","Domain":"jira.mydomain.com","Expires":"0001-01-01T00:00:00Z","RawExpires":"","MaxAge":0,"Secure":true,"HttpOnly":true,"SameSite":0,"Raw":"","Unparsed":null},{"Name":"atlassian.xsrf.token","Value":"sometoken","Path":"/","Domain":"jira.mydomain.com","Expires":"0001-01-01T00:00:00Z","RawExpires":"","MaxAge":0,"Secure":true,"HttpOnly":false,"SameSite":0,"Raw":"","Unparsed":null}]

@agzam
Author

agzam commented Jul 24, 2019

Holy shit! @base698 This worked! It took me over 3 months but I got it (thanks to you guys) to work. Oh wow, this thing feels to be orders of magnitude faster than the UI.

@coryb
Contributor

coryb commented Jul 24, 2019

The debug template will dump in JSON, so jira view -t debug should do it.

@agzam
Author

agzam commented Jul 24, 2019

@base698 Can you explain the puppeteer script workflow? So it logs in through Okta, etc. I get that. But what do you do when it requires "Okta Verify" validation on the phone? That part I guess can't be easily automated, right?

@base698

base698 commented Jul 24, 2019

It prints out "look at duo" and gives you time to hit the validation. There's probably a way to do an android emulator and automate it, but I just do that step manually now.

@agzam
Author

agzam commented Jul 24, 2019

Cool, I'm gonna try to write a puppeteer script. If that takes me too long I may have to beg you to share your solution, but just for the sake of good sportsmanship/crafting don't do it just yet :)

@agzam
Author

agzam commented Aug 4, 2019

@base698 I made it: https://github.com/agzam/jira-okta-puppet
It works. I'm not using headless mode at the moment, and there's only one minor thing I have to fix, but it mostly works.

@AlJohri

AlJohri commented Dec 6, 2021

I wrote an alternative tool in Python to work with non-Okta SSO systems: get-browser-cookies.

Setup:

brew install jq
pipx install get-browser-cookies # or pip3 install --user get-browser-cookies

Run:

get-browser-cookies \
  --browser chrome \
  --domain JIRA_DOMAIN_HERE | \
	jq '{
		"Name": .name,
		"Value": .value,
		"Path": .path,
		"Domain": .domain,
		"Expires": .expires,
		"Secure": .secure}' | \
	jq -s '.' > ~/.jira.d/cookies.js

The above command populates ~/.jira.d/cookies.js with the necessary cookies from your browser of choice (firefox or chrome). Put this in a function in your zshrc or bash_profile to re-run when necessary.

You should now be able to run the Jira CLI!
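
A check for the cookie-file approach used throughout this thread, as an added example that is not part of any comment above or of go-jira itself: the file holds live session cookies, so it audits that JSESSIONID and atlassian.xsrf.token are both present and unexpired and that the file is private to its owner. The function names and the 0600 expectation are assumptions made for this example; write_sample only builds constructed test input.

```python
import json
import os
import re
import stat
import tempfile
from datetime import datetime, timezone

REQUIRED = ("JSESSIONID", "atlassian.xsrf.token")  # cookie names shown in this thread
_TS = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?(Z|[+-]\d\d:\d\d)")

def parse_expiry(value):
    """Parse the Go-style timestamps seen in cookies.js; None means no explicit expiry."""
    if not value or (isinstance(value, str) and value.startswith("0001-01-01")):
        return None  # empty, or Go's zero time as in the sample posted above
    m = _TS.fullmatch(value) if isinstance(value, str) else None
    if m is None:
        raise ValueError(f"unrecognised Expires value: {value!r}")
    base, frac, tz = m.groups()
    frac = (frac or "0")[:6].ljust(6, "0")  # nanoseconds -> microseconds
    return datetime.fromisoformat(f"{base}.{frac}{'+00:00' if tz == 'Z' else tz}")

def audit_cookie_file(path, now=None):
    """Return a list of findings; an empty list means usable and private."""
    now = now or datetime.now(timezone.utc)
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # group/other access exposes the session to other local users
        findings.append(f"mode {mode:04o} is too open, use 0600")
    with open(path) as fh:
        by_name = {c.get("Name"): c for c in json.load(fh)}
    for name in REQUIRED:
        cookie = by_name.get(name)
        if cookie is None or not cookie.get("Value"):
            findings.append(f"missing {name}")
            continue
        try:
            expires = parse_expiry(cookie.get("Expires"))
        except ValueError:
            findings.append(f"{name}: unparseable Expires")
            continue
        if expires is not None and expires <= now:
            findings.append(f"{name}: expired")
    return findings

def write_sample(cookies, mode):
    """Write constructed cookies to a temp file with the given mode; return its path."""
    fd, path = tempfile.mkstemp(suffix=".js")
    with os.fdopen(fd, "w") as fh:
        json.dump(cookies, fh)
    os.chmod(path, mode)
    return path
```

Run audit_cookie_file on ~/.jira.d/cookies.js after regenerating it; a "missing JSESSIONID" finding matches the state described earlier in the thread, where only atlassian.xsrf.token had been written.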
