Missing Redirect URL during outgoing OAuth 2.0 configuration
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
When configuring an outgoing OAuth 2.0 connection, selecting the Service Provider is expected to populate the Redirect URL field. In the case described here, the field is not populated.
This Redirect URL is then copied and registered in your external application to obtain the client ID and client secret required to complete the configuration.
Diagnosis
- Go to Jira Admin ⚙ > System > Logging and Profiling and enable both HTTP Access logging and HTTP dump log;
- Enable HAR file capture;
- Go to the page Jira Admin ⚙ > System > OAuth 2.0 (in Jira 8.10.x-8.21.x) or Jira Admin ⚙ > System > Application links (in Jira 8.22.x+) and click the Edit button next to the OAuth 2.0 integration;
- Select the Service Provider, for instance, Microsoft;
- When selecting the Service Provider, the browser will make a request to:
https://<jira-base-url>/rest/oauth2-client/latest/config/get-redirect-uri/?authorizationEndpoint=https://login.microsoftonline.com/common/oauth2/v2.0/authorize
- This request is expected to return 200 (OK) with the generated Redirect URL:
o1010x267x1 xxxxxxxx [28/Oct/2022:16:50:20 +0000] "GET https://<jira-base-url>/rest/oauth2-client/latest/config/get-redirect-uri/ HTTP/1.1" 200 165 0.0070 "https://<jira-base-url>/plugins/servlet/oauth2/client" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36" "1fzxgzq"
___ Request _____________________________________________________
Request URL Parameters :
authorizationEndpoint=https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Request HTTP Headers :
- However, in the failing case, the HAR file shows that the browser issued the request correctly:
https://<jira-base-url>/rest/oauth2-client/latest/config/get-redirect-uri/?authorizationEndpoint=https://login.microsoftonline.com/common/oauth2/v2.0/authorize
- The HTTP dump log file shows that the request arrived in Jira without the "/rest/oauth2-client/latest/config/get-redirect-uri/" path, without its Request Parameters, and with an incorrect URL:
o894x8241x1 xxxxxxxx [26/Oct/2022:14:54:37 -0600] "GET https://<jira-base-url>//login.microsoftonline.com/common/oauth2/v2.0/authorize HTTP/1.0" 404 0 0.0070 "https://<jira-base-url>/plugins/servlet/oauth2/client" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36" "rqvhc4"
___ Request _____________________________________________________
Request HTTP Headers :
- Notice how the "/rest/oauth2-client/latest/config/get-redirect-uri/" section is missing and there are no Request Parameters. They should contain "authorizationEndpoint=https://login.microsoftonline.com/common/oauth2/v2.0/authorize".
- Instead, Jira received the URL "https://<jira-base-url>//login.microsoftonline.com...", which correctly returns an HTTP Error 404 because that URL doesn't exist in Jira.
Right after the test, go back to Jira Admin ⚙ > System > Logging and Profiling and disable both HTTP Access logging and HTTP dump log, as this debug logging is very verbose and might impact performance.
Cause
The reverse proxy was rewriting the URL sent to Jira incorrectly, causing the HTTP Error 404.
In this example, which uses Nginx, the lines below cause the OAuth 2.0 redirect to fail.
These lines had previously been added to the Nginx configuration following the workaround from the Confluence knowledge base page "Pages with special characters are not accessible via reverse proxy":
if ($request_uri ~* "/(/.*)") {
proxy_pass http://localhost:8080/$1; break;
}
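The rewrite above, modelled in Python as an added example (not part of the original article and not Atlassian's or Nginx's code): it applies the same unanchored pattern to the `$request_uri` from the Diagnosis section and shows that the first `//` it finds is the one inside the `authorizationEndpoint` query value. The function names and the two `/secure/Dashboard.jspa` URIs are constructed for illustration.

```python
import re

# Same pattern as the Nginx `if` above; `~*` is a case-insensitive, unanchored match.
RULE = re.compile(r"/(/.*)", re.IGNORECASE)
UPSTREAM = "http://localhost:8080/"  # proxy_pass prefix from the Nginx snippet

# $request_uri of the browser request shown in the Diagnosis section.
OAUTH_URI = ("/rest/oauth2-client/latest/config/get-redirect-uri/"
             "?authorizationEndpoint=https://login.microsoftonline.com"
             "/common/oauth2/v2.0/authorize")


def upstream_url(request_uri):
    """Return the URL the rule would proxy to, or None if the `if` does not fire."""
    m = RULE.search(request_uri)
    if m is None:
        return None  # block skipped, request is proxied unchanged
    return UPSTREAM + m.group(1)  # $1 replaces the whole path and query


def match_source(request_uri):
    """Report whether the '//' that triggered the rule is in the path or the query."""
    m = RULE.search(request_uri)
    if m is None:
        return "no-match"
    path_len = len(request_uri.partition("?")[0])
    return "path" if m.start() < path_len else "query"


if __name__ == "__main__":
    # The last two URIs are constructed samples, not taken from the article.
    for uri in (OAUTH_URI, "/secure/Dashboard.jspa", "//secure/Dashboard.jspa"):
        print(match_source(uri).ljust(8), upstream_url(uri), sep="  ")
```

Running the same two functions over the request URIs in a proxy access log lists every request where the rule fires only because of a `//` inside a query parameter.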
Solution
Option 1:
Review the reverse proxy configuration for rules that could be incorrectly rewriting the URL.
Option 2:
If unable to troubleshoot or fix the reverse proxy configuration, you may configure a secondary connector in Jira's server.xml that bypasses the proxy as described in Bypass a proxy or SSL to test network connectivity for Jira server.