DVCS integration with GitHub breaks every 8 hours with Bad credentials 401 errors

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

You might find that Jira DVCS Integration with github.com breaks very frequently (every 8 hours) with "Bad credentials (401)" errors.

  • In the atlassian-jira.log, you'd see errors similar to these:

2023-04-06 22:10:26,299+0000 Caesium-1-2 WARN ServiceRunner [c.a.j.p.d.spi.github.GithubClientWithTimeout] Failed to execute request [GET /users/ORG1234] response code: 401, errors: Bad credentials (401)
  • Enabling DVCS debug logs by adding com.atlassian.jira.plugins.dvcs does not reveal much more detail about the error either:

2023-04-06 22:10:26,299+0000 Caesium-1-2 DEBUG ServiceRunner [c.a.j.p.d.spi.github.GithubCommunicator] Could not find user/organization ORG1234 org.eclipse.egit.github.core.client.RequestException: Bad credentials (401)

Environment

Jira DVCS Integration with github.com

Diagnosis

First, validate whether the DVCS integration was established with an OAuth token (gho_) or a user-to-server token (ghu_). To do this, run the following SQL query against the database for the affected organization (ORG1234 in the example above):

SELECT * FROM "AO_E8B6CC_ORGANIZATION_MAPPING" om WHERE om."NAME" = 'ORG1234';

In the output of this query, look at the ACCESS_TOKEN column and check whether the token starts with ghu_. If it does, this GitHub organization/account was added with a user-to-server token rather than an OAuth token.

As per GitHub ("Behind GitHub's new authentication token formats"):

gho for OAuth access tokens

ghu for GitHub user-to-server tokens
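The two diagnosis steps combined, as an added example that is not Atlassian's code: it classifies each organization's token by prefix without printing the secret and counts that organization's 401 WARN lines from atlassian-jira.log. The function names, ORG5678, the token values and every sample line except the first WARN line are constructed for illustration; the rows are assumed to be (NAME, ACCESS_TOKEN) pairs exported from the mapping table.

```python
import re
from datetime import datetime

# Prefixes listed on this page (from GitHub's token-format announcement).
TOKEN_KINDS = {"gho_": "oauth", "ghu_": "user-to-server"}

# Shape of the WARN line quoted in the Summary section.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*\bWARN\b.*GithubClientWithTimeout\] Failed to execute "
    r"request \[GET /users/(?P<org>[^\]]+)\] response code: 401"
)

def token_kind(token):
    """Classify by prefix only, so the secret never needs to be printed."""
    return TOKEN_KINDS.get(token[:4], "unknown")

def failures_by_org(log_lines):
    """Map org name -> sorted timestamps of its 'Bad credentials (401)' WARN lines."""
    seen = {}
    for line in log_lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f%z")
            seen.setdefault(m["org"], []).append(ts)
    return {org: sorted(stamps) for org, stamps in seen.items()}

def triage(rows, log_lines):
    """rows: (NAME, ACCESS_TOKEN) pairs from the mapping table (assumed export shape).
    Returns one (org, token kind, 401 count, first 401 or None) tuple per row."""
    fails = failures_by_org(log_lines)
    report = []
    for name, token in rows:
        stamps = fails.get(name, [])
        report.append((name, token_kind(token), len(stamps), stamps[0] if stamps else None))
    return report

# Constructed sample data: the token values and ORG5678 are made up.
SAMPLE_ROWS = [("ORG1234", "ghu_CONSTRUCTED_PLACEHOLDER"), ("ORG5678", "gho_CONSTRUCTED_PLACEHOLDER")]
SAMPLE_LOG = [
    "2023-04-06 22:10:26,299+0000 Caesium-1-2 WARN ServiceRunner [c.a.j.p.d.spi.github.GithubClientWithTimeout] Failed to execute request [GET /users/ORG1234] response code: 401, errors: Bad credentials (401)",
    "2023-04-06 22:11:02,104+0000 Caesium-1-2 INFO ServiceRunner [constructed] unrelated line",
    "2023-04-07 06:10:31,870+0000 Caesium-1-3 WARN ServiceRunner [c.a.j.p.d.spi.github.GithubClientWithTimeout] Failed to execute request [GET /users/ORG1234] response code: 401, errors: Bad credentials (401)",
]

if __name__ == "__main__":
    for org, kind, count, first in triage(SAMPLE_ROWS, SAMPLE_LOG):
        print(f"{org}: token={kind} 401s={count} first={first}")
```

An organization reported as user-to-server with a non-zero 401 count matches the failure described in this article.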

Cause

If you configured the integration using a GitHub App instead of registering an OAuth app, GitHub assigns a user-to-server token (ghu_).

As per GitHub documentation (Refreshing user access tokens - GitHub Docs):

If your app uses user access tokens that expire, then you will receive a refresh token when you generate a user access token. The user access token expires after eight hours, and the refresh token expires after six months.

This 8-hour token expiration applies to both OAuth (gho_) and user-to-server (ghu_) tokens. Every 8 hours, the DVCS connector plugin is supposed to send an auth refresh request to github.com with the client ID and secret in its payload; github.com then responds with a new access token, which is saved in the database.

However, the DVCS connector plugin currently doesn't support the refresh token mechanism for non-OAuth tokens such as user-to-server (ghu_) tokens, which is why the integration fails with "Bad credentials (401)" after 8 hours.

If this feature is important to you, please vote/comment/watch this public ticket: JSWSERVER-21676 - Introduce auth token refresh for github user tokens (ghu_) for DVCS integration

Solution

  • Follow our official documentation, which lists OAuth tokens as a prerequisite: Linking GitHub accounts

  • Otherwise, you'd have to manually refresh the auth tokens via Account Tools >> Reset OAuth Settings; you can use the same Client ID and Secret as you did earlier.

Updated on April 24, 2025
