Are you having issues connecting your Jira instance with the app? Most likely, your network is preventing you from connecting the Workflow Steps for Jira app to your Jira instance. But we can help fix that!
If your Jira Server instance doesn't have a firewall or is open to the public, you can ignore this topic. All of the advice and recommendations discussed on this page relate to issues surrounding secure instances.
Workflow Steps for Jira begins the configuration process by pinging [URL_YOU_ENTERED]/plugins/servlet/oauth/request-token in Step 1 of the Configure New Instance modal to confirm that the URL is valid and that the app can successfully retrieve a request token. If you receive error messages during this process, here are a few common explanations:
- Your Jira instance requires individuals (incoming connections) to authenticate via an SSO portal before they get access
- Jira is behind a proxy that redirects and validates network traffic, causing timeouts
- You have multiple DC nodes with variable settings, which can cause some calls to the application to fail while others are unaffected, depending on which node handles the request
Listed below are notes on these common issues, including steps you can take to resolve them.
Allowlist the IP address
First things first.
Allowlist the Workflow Steps for Jira static IP address so it can pass through your firewall and establish connections with Jira.
The IP address for the Workflow Steps for Jira app is 126.96.36.199.
You only need to permit incoming connections from the app.
If you suspect an issue related to your network configuration, take a look at Atlassian's tips, paying specific attention to the information in the Workaround section. Chances are that you haven't allowed the URLs to bypass SSO authentication.
Per Atlassian's advice, ensure that you've allowlisted each of the following URLs:
Allowlisting these URLs permits Workflow Steps for Jira, calling from its static IP address, to bypass SSO authentication so it can talk to and authenticate directly with the Jira instance via OAuth. Some of the URLs allow authentication to happen over the OAuth standard and are only for establishing and negotiating valid authentication tokens. The other endpoints, such as /rest (which the app uses to get, store, and update information in Jira), are for API access to Jira. All of these endpoints are secured by Jira and will block all requests that don't contain a valid OAuth authentication token.
You cannot use the app without allowing these URLs to bypass your SSO authentication.
This requirement does not make your Jira instance more vulnerable: the app uses OAuth 1.0, which takes on the security responsibility of allowing our app to receive and pass only the information it needs to work. Your Jira instance will not be open and vulnerable to other apps or programs.
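One way to express the rule described above, as an added example that is not the vendor's or Atlassian's code: the SSO bypass applies only when a request both comes from the app's static IP and targets an allowlisted path. The function names are hypothetical, and only the two endpoints this page names are listed, so the rest of Atlassian's URL list still has to be added.

```python
import ipaddress
import posixpath
from urllib.parse import unquote

# From this page: the app's static IP and the two endpoints it names.
# The remaining URLs in Atlassian's list are not reproduced here; add them.
APP_SOURCES = [ipaddress.ip_network("126.96.36.199/32")]
BYPASS_PREFIXES = ["/plugins/servlet/oauth/request-token", "/rest"]


def normalize(path: str) -> str:
    """Drop the query, decode once, and collapse '.' and '..' segments."""
    decoded = unquote(path.split("?", 1)[0])
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    return posixpath.normpath(decoded)


def may_bypass_sso(client_ip: str, path: str) -> bool:
    """True only when BOTH the source address and the path are allowlisted.

    Assumption: client_ip is the peer address seen by the device that
    enforces SSO, not a value taken from a client-supplied header.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable address: fail closed
    if not any(addr in net for net in APP_SOURCES):
        return False
    target = normalize(path)
    # Match whole path segments: "/rest" covers "/rest/api/2/project",
    # but not "/restricted" and not "/rest/../secure/admin".
    return any(target == p or target.startswith(p + "/") for p in BYPASS_PREFIXES)
```

Every other request, including one from the app's IP to a path outside the list, stays behind SSO.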
Do you have a proxy setup for your Jira instance? Do you have multiple nodes on your Jira DC instance?
If you answered yes to either of these questions, some necessary URLs may be taking too long to access, given that Slack has a limit for request/response interactions. If network rerouting (via proxies, nodes, etc.) takes more time than Slack allows, the app may fail to call dynamic assets like your Jira project list.
To avoid this issue, Workflow Steps for Jira needs unhindered access to the aforementioned endpoints during the application-link setup and OAuth process.
App-link issues: Advice from Atlassian
The Workflow Steps for Jira application authenticates Jira Server/DC users via OAuth 1.0.
If you experience issues setting up an app link, see Atlassian's application-link troubleshooting guide for more information.