jira-cli: Fails to account for SSO logins

Describe the bug when using jira init it requests an email and immediately errors with 401 Unauthorized. This is, presumably, because at our company we use Single Sign On to authenticate, not our emails.

Short term suggestions:

  • document that SSO isn’t supported in the Readme (so that folks don’t bother installing it if they can’t use it)
  • ask what form of authentication the person uses before requesting the email and indicate that SSO isn’t supported if they choose it, or if it’s possible to determine that SSO is what’s configured when you query the server, just indicate that that’s the problem in the error message.

Please provide following details

  1. JiraCLI Version:
(Version="1.1.0", GitCommit="3b93e147eac468ad985bdece27469153b4bb2814", CommitDate="2022-08-14T08:10:40+00:00", GoVersion="go1.18.3", Compiler="gc", Platform="darwin/amd64")
  1. Are you using Jira cloud or on-premise jira server? Also mention the version for on-premise installation.
    Jira cloud
    
  2. What operating system are you using? Also mention version.
    macOS Monterey 12.6
    
  3. What terminal are you using? Also mention version.
    iterm2 build 3.5.0beta7
    

To Reproduce

Steps to reproduce the behavior:

  1. have a jira cloud account that uses SSO
  2. run jira init and give it a valid email address
  3. See error

Expected behavior I’d expect it to either work, or to provide me with an indication than SSO isn’t supported.

About this issue

  • Original URL
  • State: open
  • Created 2 years ago
  • Reactions: 10
  • Comments: 16 (2 by maintainers)

Most upvoted comments

FWIW, I have a work JIRA instance with SSO (via Google Auth). These steps worked for me.

Hi @masukomi, I am also using jira-cli with SSO in my company but its a self-hosted Jira Server. I think it should work if are able to generate Personal Access Token (PAT).

Basically what I am doing is:

  • Set JIRA_AUTH_TYPE to bearer
  • Generate PAT (Click on your pic in Jira -> Profile -> Personal Access Tokens)
  • Set JIRA_API_TOKEN to the generated personal access token
  • Run jira init and use your email or username.

I am using Jira Cloud with Atlassian’s SSO and I just need to set this:

export JIRA_API_TOKEN=<the token>

Setting username and password in .netrc (without manually setting the token) leads to a ‘401 Unauthorized’ because jira init --debug tries to authenticate using Basic Auth, which I guess is not supported once you move to Atlassian’s SSO. When explicitly passing forcing Bearer Token auth with JIRA_AUTH_TYPE=bearer jira init --debug I see that the value of the bearer token is not sent along.

It’d be nice if we could set the JIRA_AUTH_TOKEN in the .config/.jira/.config.yml so I don’t have to have such a sensitive token in my env vars at all time. For now I have just created the following alias in my .bashrc/zsh config:

jira() {
  # launch in a (subshell) so the api token doesn't linger in env after running
  (source ~/.config/.jira/api_token.env && command jira $@)
}

the api_token.env file contains:

export JIRA_API_TOKEN=th3t0k3n

I ran into this today as well. @spprashant documented the workaround that unblocks me (don’t set JIRA_AUTH_TYPE)

I also can’t get this to work with SSO (Azure) with any combination I’ve tried:

  • I’ve tried exporting the env vars
  • I’ve tried using an API token
  • I’ve tried using a password
  • I’ve tried using the keychain password manager as described here
  • I’ve tried using the .netrc file

On macOS, installed via Homebrew. I see the following error:

✗ Received unexpected response '401 401' from jira. Please try again.

My .zshrc Is the position inside the file relevant?

JIRA_AUTH_TYPE=bearer
JIRA_API_TOKEN=<imagine my token here>

@Akorian You need to export them too, export JIRA_AUTH_TYPE=bearer, to make them available to other programs.