OpenID Connect (OIDC) SSO fails with "ID token parsing failed"
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
When trying to log into the application, we are faced with an error like this one below after being redirected from the identity provider. It is shown to the user and in the logs.
1
2
3
4
5
6
7
2021-11-19 14:15:06,421 http-nio-8080-exec-5 ERROR abc123 855x315876x1 myuser 127.0.0.1 /plugins/servlet/oidc/callback [c.a.p.a.i.web.filter.ErrorHandlingFilter] [UUID: XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX] ID token parsing failed
com.atlassian.plugins.authentication.impl.web.usercontext.AuthenticationFailedException: ID token parsing failed
at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.getUsername(OidcConsumerServlet.java:159)
...
Caused by: com.nimbusds.jwt.proc.BadJWTException: Unexpected JWT issuer: https://myssoprovider.com/myapp/
at com.nimbusds.openid.connect.sdk.validators.IDTokenClaimsVerifier.verify(IDTokenClaimsVerifier.java:173)
...Cause
This Unexpected JWT issuer error means that the issuer returned by the OIDC process doesn't match the one configured in Jira.
Solution
Set the issuer URL to the one the IdP is sending - that is, the one that Jira is reporting as unexpected. In this example, it would be https://myssoprovider.com/myapp/
Was this helpful?