OAuth error oauth_problem=signature_invalid
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
When creating an application link, or using functionality that uses an application link, the applications aren't able to authenticate to each other.
The following appears in the application log:
oauth_problem=signature_invalid
Diagnosis
Environment
- Two applications are connected together using Application Links
- The authentication method used is OAuth
Cause
The Application URL of the link does not match the URL that the remote application is reporting. This can be caused by:
- The Base URL on the remote application is set to something other than the Application URL defined on the link
- A reverse proxy or port forwarding is configured, and the "Host" header is reporting the wrong host name or port
- A CDN or firewall might be removing GET parameters from the requests
- NGINX is used as the reverse proxy with the proxy_cache directive
- The useBodyEncodingForURI Tomcat parameter in <confluence-install>/conf/server.xml is set to true
In this scenario, the affected applications will usually display other problems as well.
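Each cause listed above changes one input of the OAuth 1.0a signature base string (RFC 5849, section 3.4.1): the HTTP method, the base URI (scheme, host, port, path), or the request parameters. The following added example is not Atlassian code. It builds that base string for the request as it was signed and as it arrives, and names the part that no longer matches. The host names, path and OAuth parameter values are constructed, and the "received" tuples are an assumption standing in for what the remote application sees behind the proxy.

```python
# Added example: OAuth 1.0a signature base string (RFC 5849, section 3.4.1).
from urllib.parse import urlsplit, parse_qsl, quote

def pct(s):
    # RFC 5849 section 3.6: only unreserved characters stay unencoded
    return quote(s, safe="-._~")

def base_string(method, url, oauth_params):
    """Return the string both sides must agree on before signing or verifying."""
    u = urlsplit(url)
    scheme, host = u.scheme.lower(), u.hostname.lower()
    # Default ports are omitted from the base URI, any other port is kept
    if u.port and (scheme, u.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{u.port}"
    base_uri = f"{scheme}://{host}{u.path or '/'}"
    # Query (GET) parameters are signed together with the oauth_* parameters
    params = parse_qsl(u.query, keep_blank_values=True) + list(oauth_params.items())
    params = [(k, v) for k, v in params if k != "oauth_signature"]
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])

def diagnose(signed, received, oauth_params):
    """Name the parts of the base string that differ between the two views."""
    a = base_string(*signed, oauth_params).split("&")
    b = base_string(*received, oauth_params).split("&")
    labels = ("method", "base URI", "parameters")
    return [label for label, x, y in zip(labels, a, b) if x != y]

# Constructed sample values (hypothetical host, path and OAuth parameters)
OAUTH = {
    "oauth_consumer_key": "example-consumer", "oauth_nonce": "n-1",
    "oauth_signature_method": "RSA-SHA1", "oauth_timestamp": "1700000000",
}
SIGNED = ("HEAD", "https://jira.example.com/rest/example?start=0")
CASES = {
    "unchanged": SIGNED,
    "wrong Host/port behind proxy": ("HEAD", "http://jira.example.com:8080/rest/example?start=0"),
    "GET parameters removed": ("HEAD", "https://jira.example.com/rest/example"),
    "HEAD converted to GET": ("GET", SIGNED[1]),
}

if __name__ == "__main__":
    for name, received in CASES.items():
        print(f"{name}: {diagnose(SIGNED, received, OAUTH) or 'base strings match'}")
```

Any non-empty result means the verifier computes a different base string than the one that was signed, which is reported as oauth_problem=signature_invalid.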
Resolution
Base URL
- Ensure the Base URL is correct for each application.
Application URL
The Application URL should match the Base URL of the other application unless you're bypassing a reverse proxy.
If the Application URL does not match the Base URL (and you're not bypassing a reverse proxy) then delete and recreate the Application Link.
Reverse Proxy
If using a reverse proxy or port forwarding, ensure the application is correctly configured for use with a reverse proxy.
GET parameters removed
- Check whether CDN or firewall rules are removing parameters from the requests. The request parameters should not be altered.
NGINX Reverse Proxy with proxy_cache directive
NGINX caching rewrites HEAD requests to GET requests by default, which interferes with application link communication between Atlassian products.
- Workaround 1: Do not use the proxy_cache directive in the NGINX configuration.
- Workaround 2: If the proxy_cache directive is required, add the following to the NGINX configuration. It allows caching to remain enabled without breaking OAuth communication:
proxy_cache_convert_head off;
proxy_cache_key $scheme$request_method$proxy_host$request_uri;
Tomcat
Look for the following part in <confluence-install>/conf/server.xml.
<Connector port="8090" connectionTimeout="20000" redirectPort="8443" maxThreads="48" minSpareThreads="10" enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11NioProtocol" useBodyEncodingForURI="true"/>
If useBodyEncodingForURI is present in server.xml, remove the parameter or set it to false:
<Connector port="8090" connectionTimeout="20000" redirectPort="8443" maxThreads="48" minSpareThreads="10" enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11NioProtocol" useBodyEncodingForURI="false"/>