jira-cli: Fails to account for SSO logins

Describe the bug when using jira init it requests an email and immediately errors with 401 Unauthorized. This is, presumably, because at our company we use Single Sign On to authenticate, not our emails.

Short term suggestions:

document that SSO isn’t supported in the Readme (so that folks don’t bother installing it if they can’t use it)
ask what form of authentication the person uses before requesting the email and indicate that SSO isn’t supported if they choose it, or if it’s possible to determine that SSO is what’s configured when you query the server, just indicate that that’s the problem in the error message.

Please provide following details

JiraCLI Version:

(Version="1.1.0", GitCommit="3b93e147eac468ad985bdece27469153b4bb2814", CommitDate="2022-08-14T08:10:40+00:00", GoVersion="go1.18.3", Compiler="gc", Platform="darwin/amd64")

Are you using Jira cloud or on-premise jira server? Also mention the version for on-premise installation.
```
Jira cloud
```
What operating system are you using? Also mention version.
```
macOS Monterey 12.6
```
What terminal are you using? Also mention version.
```
iterm2 build 3.5.0beta7
```

To Reproduce

Steps to reproduce the behavior:

have a jira cloud account that uses SSO
run jira init and give it a valid email address
See error

Expected behavior I’d expect it to either work, or to provide me with an indication than SSO isn’t supported.

About this issue

Original URL
State: open
Created 2 years ago
Reactions: 10
Comments: 16 (2 by maintainers)

Most upvoted comments

FWIW, I have a work JIRA instance with SSO (via Google Auth). These steps worked for me.

Generate API token using https://id.atlassian.com/manage-profile/security/api-tokens
Add export JIRA_API_TOKEN=<GENERATED_TOKEN> in your .bashrc file.
Do NOT add a JIRA_AUTH_TYPE setting, it did not work for me when this was set to bearer

+17

spprashant on Oct 12, 2022

Hi @masukomi, I am also using jira-cli with SSO in my company but its a self-hosted Jira Server. I think it should work if are able to generate Personal Access Token (PAT).

Basically what I am doing is:

Set JIRA_AUTH_TYPE to bearer
Generate PAT (Click on your pic in Jira -> Profile -> Personal Access Tokens)
Set JIRA_API_TOKEN to the generated personal access token
Run jira init and use your email or username.

ankitpokhrel on Sep 26, 2022

I am using Jira Cloud with Atlassian’s SSO and I just need to set this:

export JIRA_API_TOKEN=<the token>

Setting username and password in .netrc (without manually setting the token) leads to a ‘401 Unauthorized’ because jira init --debug tries to authenticate using Basic Auth, which I guess is not supported once you move to Atlassian’s SSO. When explicitly passing forcing Bearer Token auth with JIRA_AUTH_TYPE=bearer jira init --debug I see that the value of the bearer token is not sent along.

It’d be nice if we could set the JIRA_AUTH_TOKEN in the .config/.jira/.config.yml so I don’t have to have such a sensitive token in my env vars at all time. For now I have just created the following alias in my .bashrc/zsh config:

jira() {
  # launch in a (subshell) so the api token doesn't linger in env after running
  (source ~/.config/.jira/api_token.env && command jira $@)
}

the api_token.env file contains:

export JIRA_API_TOKEN=th3t0k3n

peterrus on Oct 31, 2023

I ran into this today as well. @spprashant documented the workaround that unblocks me (don’t set JIRA_AUTH_TYPE)

comjf on Nov 21, 2022

I also can’t get this to work with SSO (Azure) with any combination I’ve tried:

I’ve tried exporting the env vars
I’ve tried using an API token
I’ve tried using a password
I’ve tried using the keychain password manager as described here
I’ve tried using the .netrc file

On macOS, installed via Homebrew. I see the following error:

✗ Received unexpected response '401 401' from jira. Please try again.

sseneca on Oct 24, 2022

My .zshrc Is the position inside the file relevant?
JIRA_AUTH_TYPE=bearer
JIRA_API_TOKEN=<imagine my token here>

@Akorian You need to export them too, export JIRA_AUTH_TYPE=bearer, to make them available to other programs.

illfygli on Oct 11, 2022