OKTA integration with ZFJ - ZAPI Returns Blank response

October 20, 2016

Problem

ZAPI calls return an empty/blank response when Zephyr for JIRA is integrated with OKTA SSO.

Cause

The current OKTA JIRA implementation filters out calls to the JIRA REST API, allowing them to bypass additional checks, and looks up the user from JIRA. ZAPI calls go through a different path, which stops them from fetching the response.

Fix

ZAPI calls work fine when they are fired from the browser once the user has logged in to JIRA. Because the browser saves the session, the calls go through.

If the calls are made from an HTTP client or an external script, the workaround is to pass the JSESSIONID along with the ZAPI calls.

Steps to generate and use the session ID in ZAPI calls.

  1. Create a new session using the JIRA REST API

    We need to get a session cookie from JIRA, so the first thing we need to do is create a new session using the session resource in the JIRA REST API.
    Tip: You can also use the session resource to get information about the currently authenticated user in the current session (GET), or log the current user out of JIRA (DELETE).

    To do this, just POST the desired user credentials (as JSON) to the session resource:

    • Example resource: http://jira.example.com:8080/jira/rest/auth/1/session
    • Example credentials: { "username": "myuser", "password": "mypassword" }

    This will create a new session and return the requested session information, which will look similar to the following:

    {
      "session":
        {
          "name":"JSESSIONID",
          "value":"6E3487971234567896704A9EB4AE501F"
        },
      "loginInfo":
        {
          "failedLoginCount":1,
          "loginCount":2,
          "lastFailedLoginTime":"2016-10-20T09:43:28.839+0000",
          "previousLoginTime":"2016-10-04T07:54:59.824+0000"
        }
    }

  2. Use the session cookie in a request

Now that you've created a session, it's just a matter of setting the cookie in all subsequent requests to the server.

  1. Store the session object on the client. The way that you do this will depend on how your client is implemented.
  2. When you want to make a request, take the cookie name and value from the session and use them to set the 'cookie' field in the header of your request. You can see an example of this below:
    headers: {cookie: JSESSIONID=6E3487971234567896704A9EB4AE501F}

Example

Using the session ID generated in step 1 in a ZAPI call.

Request :

>curl -X GET -H "Cookie: JSESSIONID=6E3487971234567896704A9EB4AE501F" "http://jira.example.com:8080/rest/zapi/latest/util/versionBoard-list?projectId=10000"

Response :

{"type":"software","hasAccessToSoftware":"true","unreleasedVersions":[{"value":"-1","archived":false,"label":"Unscheduled"},{"value":"10000","archived":false,"label":"Version1.0"}],"releasedVersions":[]}
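
The two steps above as one script, added here as an illustration (not code from the original article): it creates the session, sends the cookie with the ZAPI call, and deletes the session afterwards. The base URL and the JIRA_BASE_URL, JIRA_USER and JIRA_PASSWORD environment variable names are assumptions.

```python
import json
import os
import re
import urllib.request

# Assumption: base URL (including any context path such as /jira) and the
# environment variable names are placeholders, not values from the article.
BASE_URL = os.environ.get("JIRA_BASE_URL", "https://jira.example.com")
SESSION_PATH = "/rest/auth/1/session"
ZAPI_PATH = "/rest/zapi/latest/util/versionBoard-list?projectId=10000"


def cookie_header(session_response):
    """Build the Cookie header from the session resource's JSON response."""
    session = json.loads(session_response)["session"]
    name, value = session["name"], session["value"]
    # Accept only token characters so a malformed response cannot inject
    # extra cookies or header lines into later requests.
    for part in (name, value):
        if not re.fullmatch(r"[A-Za-z0-9._-]+", part):
            raise ValueError("unexpected characters in session cookie")
    return {"Cookie": f"{name}={value}"}


def call(method, path, headers=None, body=None):
    """Send one request and return the response body as text."""
    data = json.dumps(body).encode() if body is not None else None
    all_headers = {"Content-Type": "application/json", **(headers or {})}
    req = urllib.request.Request(BASE_URL + path, data=data,
                                 headers=all_headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def main():
    # Credentials come from the environment, not the command line or the script.
    creds = {"username": os.environ["JIRA_USER"],
             "password": os.environ["JIRA_PASSWORD"]}
    cookie = cookie_header(call("POST", SESSION_PATH, body=creds))  # step 1
    try:
        print(call("GET", ZAPI_PATH, cookie))                       # step 2
    finally:
        # The session ID works like a password until it expires, so log out
        # (DELETE on the session resource) instead of leaving it valid.
        call("DELETE", SESSION_PATH, cookie)


if __name__ == "__main__":
    main()
```

Keep the session ID out of logs and shell history; anyone who obtains it can make calls as that user until the session ends.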
