Opening a PDF file with the Atlassian Companion app results in a "Failure during JWT authentication" error

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

When opening a document with the Companion App, it fails with the message:

Unexpected response status code 401 from <your_confluence_server>

(Auto-migrated image: description temporarily unavailable)

Diagnosis

Check if Confluence is running behind an Apache reverse proxy. Also, check the atlassian-confluence.log for a message like the following:

2020-07-XX 11:XX:44,512 WARN [https-jsse-nio2-XXX-exec-2] [jwt.internal.sal.DefaultAuthenticationResultHandler] createAndSendFailure Failure during JWT authentication
 -- url: /conf/download/attachments/XXXXXX/DOCUMENT.pdf | traceId: XXXXXXXXXX
com.atlassian.jwt.exception.JwtInvalidClaimException: Expecting claim 'qsh' to have value 'XXXXXXXXXXXXXXXXXXX' but instead it has the value 'XXXXXXXXXXXXXXXXXXX'
	at com.atlassian.jwt.core.reader.JwtClaimEqualityVerifier.verify(JwtClaimEqualityVerifier.java:29)
	at com.atlassian.jwt.core.reader.NimbusJwtReader.read(NimbusJwtReader.java:151)
	at com.atlassian.jwt.core.reader.NimbusJwtReader.readAndVerify(NimbusJwtReader.java:57)
	at com.atlassian.jwt.internal.DefaultJwtService.verifyJwt(DefaultJwtService.java:49)
	at com.atlassian.jwt.internal.sal.JwtAuthenticatorImpl.verifyJwt(JwtAuthenticatorImpl.java:62)
	at com.atlassian.jwt.core.http.auth.AbstractJwtAuthenticator.verifyJwt(AbstractJwtAuthenticator.jav

Cause

The Apache reverse proxy is re-encoding the calls to the backend, causing the QSH key to not match. This, in turn, results in an HTTP 401 (not authorized error) response.

Solution

Add a nocanon parameter to the ProxyPass attribute in the Virtual Host setting of Apache:

<VirtualHost *:80>
        ServerName confluence.example.com                                                                                 
                                                                                                 
        ProxyPreserveHost On                                                                                                             
        ProxyPass / http://localhost:8090/ nocanon                                                                                             
        ProxyPassReverse / http://localhost:8090/                                                                                        
</VirtualHost>

Updated on March 21, 2025

Was this helpful?

It wasn't accurateIt wasn't clearIt wasn't relevant

Atlassian Support

Opening a PDF file with the Atlassian Companion app results in a "Failure during JWT authentication" error

Summary

Diagnosis

Cause

Solution

Still need help?