Opening a PDF file with the Atlassian Companion app results in a "Failure during JWT authentication" error

Related content

  • No related content found

Still need help?

The Atlassian Community is here for you.

Ask the community


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

When opening a document with the Companion App, it fails with the message:

Unexpected response status code 401 from <your_confluence_server>


Diagnosis


Check if Confluence is running behind an Apache reverse proxy.   Also check the atlassian-confluence.log for a message like the following:

2020-07-XX 11:XX:44,512 WARN [https-jsse-nio2-XXX-exec-2] [jwt.internal.sal.DefaultAuthenticationResultHandler] createAndSendFailure Failure during JWT authentication
 -- url: /conf/download/attachments/XXXXXX/DOCUMENT.pdf | traceId: XXXXXXXXXX
com.atlassian.jwt.exception.JwtInvalidClaimException: Expecting claim 'qsh' to have value 'XXXXXXXXXXXXXXXXXXX' but instead it has the value 'XXXXXXXXXXXXXXXXXXX'
	at com.atlassian.jwt.core.reader.JwtClaimEqualityVerifier.verify(JwtClaimEqualityVerifier.java:29)
	at com.atlassian.jwt.core.reader.NimbusJwtReader.read(NimbusJwtReader.java:151)
	at com.atlassian.jwt.core.reader.NimbusJwtReader.readAndVerify(NimbusJwtReader.java:57)
	at com.atlassian.jwt.internal.DefaultJwtService.verifyJwt(DefaultJwtService.java:49)
	at com.atlassian.jwt.internal.sal.JwtAuthenticatorImpl.verifyJwt(JwtAuthenticatorImpl.java:62)
	at com.atlassian.jwt.core.http.auth.AbstractJwtAuthenticator.verifyJwt(AbstractJwtAuthenticator.jav


Cause

The Apache reverse proxy is re-encoding the calls to the backend, causing the QSH key to not match.  This, in turn, results in an HTTP 401 (not authorized error) response.

Solution

Add a nocanon parameter to the ProxyPass attribute in the Virtual Host setting of Apache:

<VirtualHost *:80>
        ServerName confluence.example.com                                                                                 
                                                                                                 
        ProxyPreserveHost On                                                                                                             
        ProxyPass / http://localhost:8090/ nocanon                                                                                             
        ProxyPassReverse / http://localhost:8090/                                                                                        
</VirtualHost>

Last modified on Aug 14, 2020

Was this helpful?

Yes
No
Provide feedback about this article

Related content

  • No related content found
Powered by Confluence and Scroll Viewport.