Not able to connect Jira Cloud and Self-Hosted Sentry

[gabrijelam]

Self-Hosted Version

24.6.0

CPU Architecture

x86_64

Docker Version

26.1.3

Docker Compose Version

2.27.0

Steps to Reproduce

Hi,

I've enabled developer mode and private listings in our Jira Cloud under Manage Apps -> Settings. This allowed the "Upload app" button to show. After providing a descriptor URL to our self-hosted Sentry at https://<SENTRY_URL>/extensions/jira/descriptor/, the following error occurred:

"The app defines features that require the READ scope, but does not request the READ scope in its descriptor."

After a bit of googling, I added "scopes":["read"] to the descriptor JSON (now served from a static file). That helped with the scope error, but another error occurred: "The app host returned HTTP response code 500 when we tried to contact it during installation. Please try again later or contact the app vendor."

On the Sentry side, the Nginx container log shows error 500, while the web container gives more details with jwt.exceptions.InvalidAudienceError: Invalid audience exception for the POST /extensions/jira/installed/ endpoint.

I am wondering if the integration is even possible? If so, what are the appropriate steps? As already reported, the Jira Cloud app provides integration only to sentry.io, and we're having issues figuring out how to get around it.

I can provide additional details on our setup and content of the descriptor URL if useful.

Expected Result

The Jira Cloud app is successfully added after providing a descriptor URL

Actual Result

Error in Jira Cloud:

Errors in Sentry Self-Hosted logs:

web-1        | 09:07:16 [ERROR] sentry.integrations.jira.webhooks.base: Unclear JIRA exception
web-1        | Traceback (most recent call last):
web-1        |   File "/usr/src/sentry/src/sentry/api/base.py", line 320, in handle_exception
web-1        |     response = super().handle_exception(exc)
web-1        |                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
web-1        |   File "/.venv/lib/python3.11/site-packages/rest_framework/views.py", line 469, in handle_exception
web-1        |     self.raise_uncaught_exception(exc)
web-1        |   File "/.venv/lib/python3.11/site-packages/rest_framework/views.py", line 480, in raise_uncaught_exception
web-1        |     raise exc
web-1        |   File "/usr/src/sentry/src/sentry/api/base.py", line 453, in dispatch
web-1        |     response = handler(request, *args, **kwargs)
web-1        |                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
web-1        |   File "/usr/src/sentry/src/sentry/integrations/jira/webhooks/installed.py", line 37, in post
web-1        |     decoded_claims = authenticate_asymmetric_jwt(token, key_id)
web-1        |                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
web-1        |   File "/usr/src/sentry/src/sentry/integrations/utils/atlassian_connect.py", line 129, in authenticate_asymmetric_jwt
web-1        |     decoded_claims = jwt.decode(
web-1        |                      ^^^^^^^^^^^
web-1        |   File "/usr/src/sentry/src/sentry/utils/jwt.py", line 82, in decode
web-1        |     return pyjwt.decode(token, key, options=options, algorithms=algorithms, **kwargs)
web-1        |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
web-1        |   File "/.venv/lib/python3.11/site-packages/jwt/api_jwt.py", line 129, in decode
web-1        |     decoded = self.decode_complete(jwt, key, algorithms, options, **kwargs)
web-1        |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
web-1        |   File "/.venv/lib/python3.11/site-packages/jwt/api_jwt.py", line 116, in decode_complete
web-1        |     self._validate_claims(payload, merged_options, **kwargs)
web-1        |   File "/.venv/lib/python3.11/site-packages/jwt/api_jwt.py", line 158, in _validate_claims
web-1        |     self._validate_aud(payload, audience)
web-1        |   File "/.venv/lib/python3.11/site-packages/jwt/api_jwt.py", line 215, in _validate_aud
web-1        |     raise InvalidAudienceError("Invalid audience")
web-1        | jwt.exceptions.InvalidAudienceError: Invalid audience
web-1        | 09:07:16 [INFO] sentry.access.api: api.access (method='POST' view='sentry.integrations.jira.webhooks.installed.JiraSentryInstalledWebhook' response=500 user_id='None' is_app='None' token_type='None' is_frontend_request='False' organization_id='None' auth_id='None' path='/extensions/jira/installed/' caller_ip='ipaddr1' user_agent='Atlassian HttpClient unknown / JIRA-1001.0.0-SNAPSHOT (100258) / Atlassian-Connect/1001.0.0-SNAPSHOT' rate_limited='False' rate_limit_category='None' request_duration_seconds=0.08283591270446777 rate_limit_type='DNE' concurrent_limit='None' concurrent_requests='None' reset_time='None' group='None' limit='None' remaining='None' token_last_characters='gyhQ')
web-1        | 09:07:16 [ERROR] django.request: Internal Server Error: /extensions/jira/installed/ (status_code=500 request=<WSGIRequest: POST '/extensions/jira/installed/'>)
nginx-1      | ipaddr1 - - [16/Jul/2024:09:07:16 +0000] "POST /extensions/jira/installed/ HTTP/1.0" 500 72 "-" "Atlassian HttpClient unknown / JIRA-1001.0.0-SNAPSHOT (100258) / Atlassian-Connect/1001.0.0-SNAPSHOT" "185.166.142.244, 157.52.119.53, ipaddr1"

Event ID

No response

[joshuarli]

I think this is likely related to a recent change: https://community.developer.atlassian.com/t/redirects-for-lifecycle-urls-do-not-work-anymore/81728

[getsantry]

Auto-routing to @getsentry/product-owners-settings-integrations for triage ⏲️

[GabeVillalobos]

Unfortunately the team is understaffed and we can’t prioritize this fix, but we’re always open to community contributions.