How to resolve API Token Validation Issues for Configuration Manager for Jira (CMJ)
Problem
We encounter API token validation errors when authorizing Configuration Manager for Jira (CMJ). In this example, the issue appears in a sandbox environment. The error message displayed is:
"Provided token is invalid. You need a valid token for authorization."
This issue persists despite using correct API tokens and valid credentials, primarily when the IP Allowed List feature is enabled.
Symptoms
API token validation fails with the message: "Provided token is invalid".
REST API calls to validate tokens return a
400 - Bad Request
status.Error logs indicate: "The IP address has been rejected because it is not on the allowed list."
Logs
The error logs from the Jira instance indicate the following issue:
The IP address has been rejected because it is not on the allowedlist. See your admin for more information.
This confirms that the CMJ IP address is being blocked by the IP Allowed List.
Screenshots:
API Token Authorization Screen:
(Note: The screenshot shows where users enter API tokens.)
Database Query
If you suspect any issues related to database inconsistencies, use the following query to check token entries in the database:
SELECT * FROM api_tokens WHERE token_owner = 'abc@domain.com';
This query will return details of API tokens associated with the user, including their status.
Root Cause Analysis
The root cause of the issue is the IP Allowed List feature, which restricts access to certain IP addresses. The Configuration Manager for Jira app (CMJ) uses REST calls from specific public IP addresses to validate the token. When the IP Allowed List is enabled in the sandbox environment, CMJ's IP addresses are not whitelisted, leading to blocked requests and token validation failure.
Validation:
Verify Token Validity:
Ensure that the API token is correct by performing a GET request to validate the token.
Example CURL command:
If the token is valid, the response will include user information, such as the account ID and display name.
Temporarily Disable IP Allowed List:
Disable the IP Allowed List for the sandbox environment.
Reattempt the API token authorization. If the authorization succeeds, the issue is related to IP blocking.
Resolution
To resolve the issue, we need to whitelist the public IP addresses used by the CMJ app in their IP Allowed List settings for the Jira sandbox environment.
Steps:
Whitelist CMJ IP Addresses:
Add the following IP addresses to the IP Allowed List to ensure CMJ can validate tokens:
23.23.215.132/32
52.205.121.251/32
For more information on how to configure the IP Allowed List, refer to Atlassian's documentation: Atlassian - IP Allowed List.
Test Authorization Again:
After whitelisting the IP addresses, attempt the API token authorization again via the following URL:
Conclusion
The issue stems from the IP Allowed List settings in the Jira sandbox environment, which blocks the Configuration Manager for Jira (CMJ) app from validating API tokens. By whitelisting the required IP addresses, we can resolve the problem and successfully authorize API tokens.