Configuring OIDC using the Atlassian SSO for Data Center App in Jira
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Setting up OIDC authentication in Jira can be a difficult task and will always require some trial and error to get right. The toughest part is generally configuring the authentication method in Jira so that the user claim is set up correctly; however, other errors can occur if the token, userinfo, and authorization endpoints are not correct. Here are a few of the most common errors we see when dealing with this authentication method.
Additional information about the Atlassian SSO for Data Center app can be found here: Atlassian SSO for Data Center App. OIDC information can be found here: OIDC via the Atlassian SSO for Data Center App.
Environment
8.22.6 - 9.15.0 4.22.6 - 5.15.0
Diagnosis
When a login via the OIDC authentication method fails, the user sees an error page in Jira that includes a GUID. Use that GUID to search for the actual error in the atlassian-jira.log file.

Cause
Misconfiguration or incomplete setup of OIDC or the Atlassian SSO app can prevent successful authentication in Jira Data Center.
Solution
The following errors can be found in the atlassian-jira.log file after a failed-login attempt via OIDC in Jira.
| Error | What it relates to | What you should do to resolve this issue |
| --- | --- | --- |
| ID Token Parsing Failed | There was an issue when Jira tried to connect to the Token Endpoint | Verify that the issuer URL is correct in Jira, and check the option "Fill the data automatically from my chosen identity provider." under Additional Settings so that the token, authorization, and userinfo endpoints are automatically populated. If you cannot have these fields automatically added, then verify that the endpoints are accurate for your OIDC integration. |
| Error when fetching authorization response. Error: {"error_description":"User is not assigned to the client application.","error":"access_denied"} | The user was able to authenticate but does not have the authorization to access Jira. | This is resolved by adding application access for the user from within your IdP. Please work with your IdP administrator to ensure that application access is correct. |
| Couldn't find claim representing username | The username mapping in Jira is not a claim that has been released by the IdP. | This indicates that the username mapping claim is not correct and needs to be updated. In general, we see |
| Unknown state in response | This is a stale login attempt | The user must close their browser, then try again. |
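A diagnostic sketch for the "ID Token Parsing Failed" and "Couldn't find claim representing username" rows above (an added example, not Atlassian's code): it compares the endpoints entered in Jira with the IdP's OIDC discovery document and checks whether the claim used for the username mapping was actually released in an ID token. The IdP URLs, the token, and all function names are constructed for illustration; against a real IdP, fetch the discovery document from the URL that discovery_url() returns.

```python
import base64
import json

ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")

def discovery_url(issuer):
    """OIDC Discovery metadata location for an issuer URL."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def endpoint_mismatches(configured, discovery):
    """Return {field: (configured, advertised)} for every value that differs."""
    fields = ("issuer",) + ENDPOINT_KEYS
    return {f: (configured.get(f), discovery.get(f))
            for f in fields if configured.get(f) != discovery.get(f)}

def id_token_claims(id_token):
    """Decode the payload of a compact JWT for inspection only.
    The signature is NOT verified, so never use this for an access decision."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def username_claim_status(claims, claim_name):
    """Return (found, detail): the claim value, or the claim names the IdP did release."""
    value = claims.get(claim_name)
    if isinstance(value, str) and value.strip():
        return True, value
    return False, sorted(claims)

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample data (hypothetical IdP, not from a real deployment).
DISCOVERY = {"issuer": "https://idp.example.com",
             "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
             "token_endpoint": "https://idp.example.com/oauth2/v1/token",
             "userinfo_endpoint": "https://idp.example.com/oauth2/v1/userinfo"}
CONFIGURED = dict(DISCOVERY, token_endpoint="https://idp.example.com/oauth2/token")
SAMPLE_TOKEN = ".".join([_b64({"alg": "RS256", "typ": "JWT"}),
                         _b64({"iss": "https://idp.example.com", "sub": "00u1abcd",
                               "email": "jdoe@example.com"}),
                         "constructed-signature"])

if __name__ == "__main__":
    print("fetch:", discovery_url(CONFIGURED["issuer"]))
    print("mismatches:", endpoint_mismatches(CONFIGURED, DISCOVERY))
    claims = id_token_claims(SAMPLE_TOKEN)
    for name in ("preferred_username", "email"):
        print(name, "->", username_claim_status(claims, name))
```

When the claim is missing, the returned list of released claim names shows which values are available for the username mapping, or what to ask the IdP administrator to add.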