OpenID Connect (OIDC) SSO fails with "Error when fetching data from userinfo endpoint"
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
When a user tries to log in to the application, an error like the one below appears after the user is redirected back from the identity provider. It is shown to the user and written to the logs.
2021-11-19 15:56:34,780 http-nio-8080-exec-1 ERROR acb123 123x12345x1 acb123 XX.XX.X.X /plugins/servlet/oidc/callback [c.a.p.a.i.web.filter.ErrorHandlingFilter] [UUID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX] Error when fetching data from userinfo endpoint. Error: {}
com.atlassian.plugins.authentication.impl.web.usercontext.AuthenticationFailedException: Error when fetching data from userinfo endpoint. Error: {}
at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.toException(OidcConsumerServlet.java:270)
at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.getUserInfoResponse(OidcConsumerServlet.java:261)
at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.getUsernameFromUserInfoEndpoint(OidcConsumerServlet.java:237)
at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.getUsernameFromCustomClaim(OidcConsumerServlet.java:226
Diagnosis
To troubleshoot this:
- Enable DEBUG logging for the package com.atlassian.plugins.authentication
- Reproduce the issue
The logs should have additional messages now:
2021-11-19 15:56:34,740 http-nio-8080-exec-1 DEBUG acb123 123x12345x1 acb123 XX.XX.X.X /plugins/servlet/oidc/callback [c.a.p.a.i.web.oidc.OidcConsumerServlet] Looking for a username in ID token by checking custom claim [myclaim]
2021-11-19 15:56:34,740 http-nio-8080-exec-1 DEBUG acb123 123x12345x1 acb123 XX.XX.X.X /plugins/servlet/oidc/callback [c.a.p.a.i.web.oidc.OidcConsumerServlet] Custom claim with a username in ID token not found. Request to the userinfo endpoint will be sent.
2021-11-19 15:56:34,780 http-nio-8080-exec-1 ERROR acb123 123x12345x1 acb123 XX.XX.X.X /plugins/servlet/oidc/callback [c.a.p.a.i.web.filter.ErrorHandlingFilter] [UUID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX] Error when fetching data from userinfo endpoint. Error: {}
com.atlassian.plugins.authentication.impl.web.usercontext.AuthenticationFailedException: Error when fetching data from userinfo endpoint. Error: {}
at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.toException(OidcConsumerServlet.java:270)
at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.getUserInfoResponse(OidcConsumerServlet.java:261)
at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.getUsernameFromUserInfoEndpoint(OidcConsumerServlet.java:237)
at com.atlassian.plugins.authentication.impl.web.oidc.OidcConsumerServlet.getUsernameFromCustomClaim(OidcConsumerServlet.java:226
Cause
The debug messages show that Jira is configured to take the username from a custom claim named myclaim (in this example), that this claim was not present in the ID token returned by the identity provider, and that the fallback request to the identity provider's userinfo endpoint then failed. Because the userinfo response was the only remaining source for the username, authentication fails. A claim is simply a field in the authentication response; if the identity provider does not include the configured claim in the ID token, the plugin has to go to the userinfo endpoint, and any problem with that request surfaces as this error.
Solution
Configure the username mapping field in the SSO configuration to use a claim that the identity provider actually includes in the ID token and whose value matches the username in Jira. If in doubt about which claims the identity provider sends, engage the identity provider team.
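As an added example (not part of this article or of the Atlassian authentication plugin), the script below automates the two checks a practitioner makes here: it reads the debug lines above to find which claim the SSO configuration is looking for and whether the plugin fell back to the userinfo endpoint, and it then decodes the payload of an ID token to see whether that claim is actually present. The log lines and the ID token are constructed sample data; the token is unsigned and the decoder deliberately does not verify a signature, so this is only for offline inspection of claims, never for accepting a token.

```python
import base64
import json
import re

# Constructed sample debug lines, modelled on the messages in the article
# (not copied from a real system).
SAMPLE_LOG = """\
2021-11-19 15:56:34,740 http-nio-8080-exec-1 DEBUG acb123 123x12345x1 acb123 10.0.0.5 /plugins/servlet/oidc/callback [c.a.p.a.i.web.oidc.OidcConsumerServlet] Looking for a username in ID token by checking custom claim [myclaim]
2021-11-19 15:56:34,740 http-nio-8080-exec-1 DEBUG acb123 123x12345x1 acb123 10.0.0.5 /plugins/servlet/oidc/callback [c.a.p.a.i.web.oidc.OidcConsumerServlet] Custom claim with a username in ID token not found. Request to the userinfo endpoint will be sent.
2021-11-19 15:56:34,780 http-nio-8080-exec-1 ERROR acb123 123x12345x1 acb123 10.0.0.5 /plugins/servlet/oidc/callback [c.a.p.a.i.web.filter.ErrorHandlingFilter] Error when fetching data from userinfo endpoint. Error: {}
"""

CLAIM_RE = re.compile(r"checking custom claim \[([^\]]+)\]")
FALLBACK_MARKER = "Request to the userinfo endpoint will be sent"
USERINFO_ERROR = "Error when fetching data from userinfo endpoint"


def analyse_log(text):
    """Return (configured_claim, fell_back_to_userinfo, userinfo_failed)
    for a chunk of plugin debug output."""
    claim = None
    for line in text.splitlines():
        m = CLAIM_RE.search(line)
        if m:
            claim = m.group(1)
    return claim, FALLBACK_MARKER in text, USERINFO_ERROR in text


def b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def id_token_claims(id_token):
    """Decode the payload of a compact JWT WITHOUT verifying its signature.
    Only for looking at which claims the IdP sends; never use this to
    decide whether a token is trustworthy."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def check_mapping(id_token, claim):
    """Return (claim_present, sorted list of claims the token does carry)."""
    claims = id_token_claims(id_token)
    return claim in claims, sorted(claims)


def make_unsigned_token(payload):
    # Constructed, unsigned token for this example (alg "none", empty signature).
    header = {"alg": "none", "typ": "JWT"}

    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(payload)}."


# Hypothetical ID token: the IdP sends preferred_username, not myclaim.
SAMPLE_ID_TOKEN = make_unsigned_token({
    "iss": "https://idp.example.test",
    "sub": "a1b2c3",
    "aud": "jira",
    "preferred_username": "jdoe",
    "email": "jdoe@example.test",
})

if __name__ == "__main__":
    claim, fell_back, failed = analyse_log(SAMPLE_LOG)
    print(f"configured username claim: {claim}")
    print(f"fell back to userinfo endpoint: {fell_back}, userinfo request failed: {failed}")
    present, available = check_mapping(SAMPLE_ID_TOKEN, claim)
    print(f"claim {claim!r} present in ID token: {present}")
    print(f"claims the IdP actually sends: {available}")
```

Run against a real ID token captured from the identity provider (or the claims listed in the provider's configuration), the last line tells you which claim to put in the username mapping field; if the configured claim is present and the error still occurs, the problem lies with the userinfo request itself rather than the mapping.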