Troubleshooting
Listed below are some common problems and possible solutions. If your problem persists please feel free to contact us via the Atlassian Marketplace support for the Jira, Confluence or Bitbucket plugin.
Slow page loads or stuck on a screen after login
Slow page load or being stuck on certain screens after login can indicate an authentication loop. This occurs when session checks are enabled (option Check Session IFrame URL in the Advanced Settings Tab) and Third Party Cookies are disabled. Third Party Cookies are required for the session checks to work properly.
The preferred way to fix this problem is to enable Third Party Cookies completely or to add an exception for your OpenID Connect provider. Alternatively, you can disable the session checks. Please note that this disables Single-Sign-Out, so when users log out in another application using the OpenID Connect provider, this logout won't be noticed by the Jira/Confluence/Bitbucket application.
Provider discovery fails
If the provider discovery fails, check that you entered the correct Issuer URL. If the URL is correct, also make sure that the provider is reachable from the Jira/Confluence/Bitbucket host. You can do this by requesting the URL <issuer>/.well-known/openid-configuration, where <issuer> is your Issuer URL (which is also used for provider discovery).
If all of the above works, the problem might be caused by missing certificates for https connections. Make sure that all necessary SSL certificates for your provider are installed and available to the JVM running Jira/Confluence/Bitbucket.
Access token is non-JWT, roles not available or No roles assigned to the user on login
The plugin can be configured (via the Require Group Memberships option) to require that the groups of the user logging in are given as roles in the access token when a new user is created (option Create User on Login). The error indicates that either the access token is not a Keycloak JWT access token or the user hasn't been assigned any roles. Currently only the Keycloak JWT access token format is supported. See User Creation & Group Management on how to configure Keycloak to use these features.
Token signature invalid on login
This error indicates that the validation of either the ID or the access token failed. While this error can be caused by an attempt to log in to the application without authorization, it usually indicates a problem with the plugin or server configuration:
The validation will fail if there is a connection problem between the application host and the OpenID Connect provider. Check the connection and make sure that there are no firewall rules blocking the HTTP traffic required to fetch the tokens and the JWK set that the validation needs from the provider.
A misconfigured Issuer URL might also cause problems. Make sure that the Issuer URL set in the configuration UI matches the URL set by the provider in the ID token. This can usually be achieved by using the recommended Provider Discovery.
Also check the time set on the machines hosting the application and the OpenID Connect provider. Out of sync times might cause the plugin to regard the received tokens as expired.
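A claim-level check for the issuer and clock causes listed above, as an added example (not code from the plugin or its vendor). It does not verify signatures; the issuer URL, the sample token, the function names and the 60-second skew allowance are constructed assumptions.

```python
import base64
import json
import time


def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def diagnose_token(token, configured_issuer, discovery_doc, now=None, skew=60):
    """Return a list of likely causes for a failed token validation.

    Does NOT verify the signature; it only inspects the claims that the
    troubleshooting steps above ask you to check.
    """
    now = time.time() if now is None else now
    findings = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWT"]
    claims = b64url_json(parts[1])

    # Issuer must match exactly; a trailing slash is a common mismatch.
    if discovery_doc.get("issuer") != configured_issuer:
        findings.append("discovery issuer differs from configured Issuer URL")
    if claims.get("iss") != configured_issuer:
        findings.append("token iss differs from configured Issuer URL")

    # Clock drift: token looks expired, or was issued "in the future".
    if "exp" in claims and claims["exp"] + skew < now:
        findings.append("token expired %ds ago (check host clock)" % (now - claims["exp"]))
    if "iat" in claims and claims["iat"] - skew > now:
        findings.append("token issued %ds in the future (check host clock)" % (claims["iat"] - now))
    return findings


def make_sample_token(claims):
    """Build a constructed, unsigned sample token for the demo below."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    issuer = "https://sso.example.test/realms/demo"  # constructed value
    token = make_sample_token({"iss": issuer + "/", "iat": 1700000000, "exp": 1700000300})
    for line in diagnose_token(token, issuer, {"issuer": issuer}, now=1700000900):
        print(line)
```

An empty result means the issuer and time claims look consistent, which leaves connectivity to the provider's JWK set as the remaining cause to check.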
Additional Authentication required for Administrators
By default, Jira/Confluence require an additional security check before performing administrative tasks. This mechanism is called WebSudo and prompts for the user's password before entering the administration area. Currently it is not possible to authenticate via SSO on this dialog. This means that when WebSudo is enabled, you can only perform administrative tasks with administrator accounts that have a valid local password (e.g. accounts that were not created by the plugin on first login, or that were later given a local password).
WebSudo can be disabled for users logged in via OpenID Connect with the Disable WebSudo configuration option if you wish to enable administration of Jira/Confluence without an additional password prompt. Please note that this might pose a security threat as it removes additional authentication before performing administrative tasks.