Accessing the Confluence consent page (as a part of OAuth 2.0 configuration) results in a Tomcat "HTTP Status 400 – Bad Request" error
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
After following the steps mentioned on configuring an incoming link to create a new External application (using OAuth 2.0), a part of verifying the configuration is to attempt accessing the Confluence consent screen at:
1
2
3
4
5
<Confluence-Base-URL>/plugins/servlet/oauth2/consent
?client_id=<PUT_OAUTH_2.0_CREDENTIALS_CLIENT_ID_HERE>
&redirect_uri=<PUT_OAUTH_2.0_REDIRECT_URL_HERE>
&response_type=code
&scope=<PUT_ACCESS_SCOPE_HERE>1
2
3
4
5
https://ConfluenceBaseURL/plugins/servlet/oauth2/consent
?client_id=5370698f0269085badcaabf4e38c8df8
&redirect_uri=https://www.example.com
&response_type=code
&scope=READThe expectation is to see an authentication screen like "XXXX would like to access your Confluence account," with a list of the requested permissions and a request to Deny or Allow them.
However, a Tomcat HTTP Status 400 – Bad Request screen is seen instead:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
<!doctype html>
<html lang="en">
<head>
<title>HTTP Status 400 – Bad Request</title>
<style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style>
</head>
<body>
<h1>HTTP Status 400 – Bad Request</h1>
<hr class="line"/>
<p>
<b>Type</b> Status Report</p>
<p>
<b>Message</b> Please ensure that your server is using HTTPS and that your application base URL is configured appropriately.</p>
<p>
<b>Description</b> The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).</p>
<hr class="line"/>
<h3>Apache Tomcat/9.0.65</h3>
</body>
</html>Diagnosis
For OAuth 2.0, the https requirement for Confluence's base URL can be bypassed by adding the following system property:
-Datlassian.oauth2.provider.skip.base.url.https.requirement=true
To isolate the problem:
include the system property mentioned above and restart Confluence
once Confluence is up and running, access the Confluence consent screen URL on a browser tab (example URL shared in the Summary section)
If the Confluence consent screen does show up correctly, then check the TCP Connector configured for the app's web-interface access in /<confluence-install-dir>/conf/server.xml.
Cause
The Tomcat TCP Connector configured for Confluence's web-interface access is missing the secure="true" attribute.
Solution
Modify /<confluence-install-dir>/conf/server.xml and add the missing secure="true" attribute to the Connector associated with Confluence's base URL, like this example:
1
2
3
4
5
6
<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
maxThreads="48" minSpareThreads="10"
enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"
scheme="https" secure="true" proxyName="<CONFLUENCE_PROXY_NAME_HERE>" proxyPort="443"
compression="on" compressibleMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript"/>Was this helpful?