Error was "nonce_used", with parameters "oauth_problem=nonce_used"
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
After upgrading JIRA 5.x to JIRA 6.x, REST requests are not reaching JIRA.
The following appears in the atlassian-jira.log
2015-05-27 14:48:39,500 http-bio-8080-exec-8 WARN anonymous user - 127.0.0.1 /rest/api/2/user[oauth.serviceprovider.internal.AuthenticatorImpl] Problem encountered authenticating OAuth client for url "http://[Server-name]:8080/rest/api/2/user", error was "nonce_used", with parameters "{oauth_problem=nonce_used}"Diagnosis
- It may be that your application is re-using parameters or sending the same OAuth request. To confirm each request is using a unique nonce value use a tool such as Fiddler or Charles for inspecting the HTTP requests being sent/received.
Cause
Incoming REST requests using OAuth are signed with a unique nonce string. The request fails as the nonce string has already been used. As per OAuth security architecture:
The term nonce means ‘number used once’ and is a unique and usually random string that is meant to uniquely identify each signed request. By having a unique identifier for each request, the Service Provider is able to prevent requests from being used more than once.
In JIRA 6.0 onwards, OAuth parameters were added to the body of an HTTP POST request. This is further explained on the JIRA Server Developer OAuth page. With every request that triggers a "POST" method using the JIRA REST API, ensure the nonce parameter request is not being reused.
Workaround
- Use Basic Authentication instead of OAuth.