IMAP setup fails with AUTHENTICATE Failed error in logs in Jira server when using OAuth
Problem
When trying to set up an IMAP service for Jira application notifications, you get an AUTHENTICATE Failed error. After enabling mail debugging, the following appears in the logs:
[Alerts Incident] Caesium-1-3 anonymous Incident ITSM * OK The Microsoft Exchange IMAP4 service is ready. [QWxhZGRpbjpvcGVuIHNlc2FtZQ==]
[Alerts Incident] Caesium-1-3 anonymous Incident ITSM IUR0 CAPABILITY
[Alerts Incident] Caesium-1-3 anonymous Incident ITSM * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS MOVE ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+
[Alerts Incident] Caesium-1-3 anonymous Incident ITSM IUR0 OK CAPABILITY completed.
IMAPS: AUTH: PLAIN
IMAPS: AUTH: XOAUTH2
IMAPS: protocolConnect login, host=outlook.office365.com, user=user_name@atl.onmicrosoft.com, password=<non-null>
IMAPS: AUTHENTICATE PLAIN command trace suppressed
IMAPS: AUTHENTICATE PLAIN command result: IUR1 NO AUTHENTICATE failed.
IMAPS: trying to connect to host "outlook.office365.com", port 993, isSSL true
[Alerts Incident] Caesium-1-3 anonymous Incident ITSM * OK The Microsoft Exchange IMAP4 service is ready. [QWxhZGRpbjpvcGVuIHNlc2FtZQ==]
[Alerts Incident] Caesium-1-3 anonymous Incident ITSM IUS0 CAPABILITY
[Alerts Incident] Caesium-1-3 anonymous Incident ITSM * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+
[Alerts Incident] Caesium-1-3 anonymous Incident ITSM IUS0 OK CAPABILITY completed.
IMAPS: AUTH: PLAIN
IMAPS: AUTH: XOAUTH2
IMAPS: protocolConnect login, host=outlook.office365.com, user=user_name@atl.onmicrosoft.com, password=<non-null>
IMAPS: AUTHENTICATE PLAIN command trace suppressed
IMAPS: AUTHENTICATE PLAIN command result: IUS1 NO AUTHENTICATE failed.
The following warning will also be in the atlassian-jira-incoming-mail.log:
WARN [Alerts Incident] Caesium-1-3 anonymous Incident ITSM Incident ITSM [10900]: javax.mail.AuthenticationFailedException: AUTHENTICATE failed. while connecting to host "outlook.office365.com" as user "user_name@atl.onmicrosoft.com" via protocol "SECURE_IMAP": javax.mail.AuthenticationFailedException: AUTHENTICATE failed.
javax.mail.AuthenticationFailedException: AUTHENTICATE failed.
at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:708) [jakarta.mail-1.6.5.jar:1.6.5]
at javax.mail.Service.connect(Service.java:364) [jakarta.mail-1.6.5.jar:1.6.5]
at javax.mail.Service.connect(Service.java:222) [jakarta.mail-1.6.5.jar:1.6.5]
at javax.mail.Service.connect(Service.java:243) [jakarta.mail-1.6.5.jar:1.6.5]
at com.atlassian.mail.server.InternalAuthenticationContext.connectService(InternalAuthenticationContext.java:58) [atlassian-mail-5.0.3.jar:?]
at com.atlassian.mail.server.AbstractMailServer.smartConnect(AbstractMailServer.java:156) [atlassian-mail-5.0.3.jar:?]
at com.atlassian.jira.service.services.mail.MailServicesHelper.lambda$connectUsing$2(MailServicesHelper.java:81) [jira-api-8.13.3.jar:?]
at java.util.Optional.map(Optional.java:215) [?:1.8.0_181]
at com.atlassian.jira.service.services.mail.MailServicesHelper.handleAuthAwareMailServer(MailServicesHelper.java:52) [jira-api-8.13.3.jar:?]
at com.atlassian.jira.service.services.mail.MailServicesHelper.getConnectedStore(MailServicesHelper.java:46) [jira-api-8.13.3.jar:?]
at com.atlassian.jira.service.services.mail.MailFetcherService.getConnectedStore(MailFetcherService.java:397) [jira-api-8.13.3.jar:?]
at com.atlassian.jira.service.services.mail.MailFetcherService$MessageProviderImpl.getAndProcessMail(MailFetcherService.java:166) [jira-api-8.13.3.jar:?]
at com.atlassian.jira.service.services.mail.MailFetcherService.processMessages(MailFetcherService.java:361) [jira-api-8.13.3.jar:?]
at com.atlassian.jira.service.services.mail.MailFetcherService.runImpl(MailFetcherService.java:353) [jira-api-8.13.3.jar:?]
at com.atlassian.jira.service.services.file.AbstractMessageHandlingService.run(AbstractMessageHandlingService.java:229) [jira-api-8.13.3.jar:?]
at com.atlassian.jira.service.JiraServiceContainerImpl.run(JiraServiceContainerImpl.java:68) [classes/:?]
at com.atlassian.jira.service.ServiceRunner.runService(ServiceRunner.java:62) [classes/:?]
at com.atlassian.jira.service.ServiceRunner.runServiceId(ServiceRunner.java:44) [classes/:?]
at com.atlassian.jira.service.ServiceRunner.runJob(ServiceRunner.java:32) [classes/:?]
at com.atlassian.scheduler.core.JobLauncher.runJob(JobLauncher.java:134) [atlassian-scheduler-core-3.0.0.jar:?]
at com.atlassian.scheduler.core.JobLauncher.launchAndBuildResponse(JobLauncher.java:106) [atlassian-scheduler-core-3.0.0.jar:?]
at com.atlassian.scheduler.core.JobLauncher.launch(JobLauncher.java:90) [atlassian-scheduler-core-3.0.0.jar:?]
at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService.launchJob(CaesiumSchedulerService.java:435) [atlassian-scheduler-caesium-3.0.2.jar:?]
at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService.executeClusteredJob(CaesiumSchedulerService.java:430) [atlassian-scheduler-caesium-3.0.2.jar:?]
at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService.executeClusteredJobWithRecoveryGuard(CaesiumSchedulerService.java:454) [atlassian-scheduler-caesium-3.0.2.jar:?]
at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService.executeQueuedJob(CaesiumSchedulerService.java:382) [atlassian-scheduler-caesium-3.0.2.jar:?]
at com.atlassian.scheduler.caesium.impl.SchedulerQueueWorker.executeJob(SchedulerQueueWorker.java:66) [atlassian-scheduler-caesium-3.0.2.jar:?]
at com.atlassian.scheduler.caesium.impl.SchedulerQueueWorker.executeNextJob(SchedulerQueueWorker.java:60) [atlassian-scheduler-caesium-3.0.2.jar:?]
at com.atlassian.scheduler.caesium.impl.SchedulerQueueWorker.run(SchedulerQueueWorker.java:35) [atlassian-scheduler-caesium-3.0.2.jar:?]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_181]
Cause
Using the wrong Scopes can cause this error, even when the authentication attempt looks successful in the related Google or Microsoft logs.
Resolution
Use the Scopes listed in Integrating with OAuth 2.0.
For Google, we recommend using the https://mail.google.com/ scope for IMAP and POP3.
For Microsoft, we recommend https://outlook.office.com/IMAP.AccessAsUser.All or https://outlook.office.com/POP.AccessAsUser.All, and offline_access.
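One way to confirm which scopes an OAuth integration is actually requesting is to inspect the `scope` parameter of the authorization URL the browser is sent to. The Python below is an added example, not Atlassian's code: it compares that parameter against the scopes recommended above. The function names, the sample URLs and the `EXAMPLE-CLIENT-ID` placeholder are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Scopes recommended on this page, per provider and mail protocol.
RECOMMENDED = {
    ("google", "imap"): {"https://mail.google.com/"},
    ("google", "pop3"): {"https://mail.google.com/"},
    ("microsoft", "imap"): {"https://outlook.office.com/IMAP.AccessAsUser.All",
                            "offline_access"},
    ("microsoft", "pop3"): {"https://outlook.office.com/POP.AccessAsUser.All",
                            "offline_access"},
}

def requested_scopes(authorize_url):
    """Extract the space-delimited 'scope' parameter (RFC 6749, section 3.3)."""
    query = parse_qs(urlsplit(authorize_url).query)
    values = query.get("scope", [])
    return set(" ".join(values).split())

def check_scopes(provider, protocol, authorize_url):
    """Return (missing, unexpected) scopes relative to the page's list.

    Comparison is exact, because RFC 6749 scope tokens are case-sensitive.
    """
    need = RECOMMENDED[(provider, protocol)]
    have = requested_scopes(authorize_url)
    return sorted(need - have), sorted(have - need)

# Constructed sample URLs; the client_id is a placeholder.
BAD_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
           "?client_id=EXAMPLE-CLIENT-ID&response_type=code"
           "&scope=https%3A%2F%2Fgraph.microsoft.com%2FMail.Read%20openid")
GOOD_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
            "?client_id=EXAMPLE-CLIENT-ID&response_type=code"
            "&scope=https%3A%2F%2Foutlook.office.com%2FIMAP.AccessAsUser.All"
            "%20offline_access")

if __name__ == "__main__":
    for label, url in (("bad", BAD_URL), ("good", GOOD_URL)):
        missing, unexpected = check_scopes("microsoft", "imap", url)
        print(label, "missing:", missing, "unexpected:", unexpected)
```

A non-empty `missing` list means the integration is not requesting a scope this page recommends for that provider and protocol.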
Last modified on Feb 4, 2023