Accessing cloud REST api via generated JWT token

Hello,

Oh sorry I wrote it incorrectly.

I store a Jira accountId (not the JWT; I will use the JWT to validate that it is indeed a valid JWT and that it originated from Jira) and the generated apiKey associated with it in our db.

After the window closes I make a request to our API with a secret accessKey (which is only available for this endpoint) and the Jira accountId and I retrieve the apiKey and set it as user property which will be used for consecutive requests to our endpoints (setting the user property will be done in the Cloud app so this should not present an issue anymore).

Also, when I retrieve an existing apiKey I delete the Jira user accountId from our db. (For extra security I can hash the jiraAccountId one way in the db so it's safer.)

Regards,
Robert

Hello,

I tried another method you suggested (a cleaner approach), user impersonation, to get a bearer token and access user data with it, but I get the following errors:

POST https://oauth-2-authorization-server.services.atlassian.com/oauth2/token

{
  "iss": "eyJob3N0S2V5IjoiNzRhNDYxZTYtMjdlNC0zNWFmLWExNTktMmFjNDBhMGNiNjg2IiwiYWRkb25LZXkiOiJteS1hcHAifQ==",
  "sub": "5cdae9b3254e450fd8d21090",
  "tnt": "https://my-integration-url.atlassian.net",
  "aud": "https://oauth-2-authorization-server.services.atlassian.com",
  "iat": 1623261387,
  "exp": 1623261447
}

Response:

{
  "error": "invalid_grant",
  "error_description": "Invalid issuer: eyJob3N0S2V5IjoiNzRhNDYxZTYtMjdlNC0zNWFmLWExNTktMmFjNDBhMGNiNjg2IiwiYWRkb25LZXkiOiJteS1hcHAifQ==, Invalid subject: 5cdae9b3254e450fd8d21090"
}

The data that I use for issuer (oauthClientId) and sub (user accountId) are the data saved on the Connect app /install hook; I don’t really know why it says they are invalid.

Regards,
Robert

You need the ACT_AS_USER scope to be able to generate a token, that is what @ibuchanan was referring to here Accessing cloud REST api via generated JWT token - #17 by ibuchanan

2 Likes

Hello @remie,

Are you referring to the fact that I need the ACT_AS_USER permission too for the scope? (From what I read, if I omit the scope it should get all scopes that I request from my atlassian_connect.json, where I have ACT_AS_USER set as well. I tried making the request like this too, without scope.)

I don’t really know if it will make any difference if I generate the bearer token inside the connect app context and pass it via parameter to my window and use it for one request.

Regards,
Robert

Hello @remie @ibuchanan,

To conclude this thread, I finally succeeded in making an outside REST API call with the 2LO OAuth flow with a bearer token.

I was missing the urn:atlassian:connect:clientid: and urn:atlassian:connect:useraccountid: strings in the JWT :frowning:

Thank you for your assistance!

1 Like
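The fix described in the post above, as an added example that is not code from the thread or from Atlassian: it builds the assertion with the two URN prefixes and checks a claim set locally for the mistake that produced `invalid_grant`. Assumptions: the assertion is HS256-signed with the `sharedSecret` saved by the /install hook and sent in a form-encoded POST body with the `jwt-bearer` grant type, as in Atlassian's documented user impersonation flow; all function names are hypothetical.

```javascript
const crypto = require("crypto");

const AUTH_SERVER = "https://oauth-2-authorization-server.services.atlassian.com";
const ISS_PREFIX = "urn:atlassian:connect:clientid:";
const SUB_PREFIX = "urn:atlassian:connect:useraccountid:";

// base64url without padding, for strings and Buffers
const b64url = (data) =>
  Buffer.from(data).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Claim set for the assertion; the two URN prefixes are what the failing request lacked.
function buildClaims({ oauthClientId, accountId, baseUrl }, now = Math.floor(Date.now() / 1000)) {
  return {
    iss: ISS_PREFIX + oauthClientId,
    sub: SUB_PREFIX + accountId,
    tnt: baseUrl,
    aud: AUTH_SERVER,
    iat: now,
    exp: now + 60, // same 60-second lifetime as the payload in the thread
  };
}

// Local check for the mistake seen in this thread, run before anything is sent.
function checkClaims(c) {
  const problems = [];
  if (!String(c.iss).startsWith(ISS_PREFIX)) problems.push("iss lacks " + ISS_PREFIX);
  if (!String(c.sub).startsWith(SUB_PREFIX)) problems.push("sub lacks " + SUB_PREFIX);
  if (c.aud !== AUTH_SERVER) problems.push("aud is not the authorization server");
  if (!(c.exp > c.iat)) problems.push("exp is not after iat");
  return problems;
}

// Assumption: HS256 over header.payload, keyed with the sharedSecret from /install.
function signAssertion(claims, sharedSecret) {
  const input = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" })) + "." + b64url(JSON.stringify(claims));
  return input + "." + b64url(crypto.createHmac("sha256", sharedSecret).update(input).digest());
}

// Assumption: the assertion goes in a form-encoded POST body to AUTH_SERVER + "/oauth2/token".
function tokenRequestBody(assertion) {
  return new URLSearchParams({
    grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
    assertion,
  }).toString();
}
```

Keep the `sharedSecret` and the returned bearer token on the server side; the token acts as the impersonated user for as long as it is valid.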

Hi @RobertTutsek, I am trying to set up a similar integration with Jira but using a SaaS-based product. In your POST call to the token endpoint, are you sending the JSON object mentioned in this thread as part of the request body or the authorization header? Can you please provide the steps to integrate using JWT?

{
  "iss": "eyJob3N0S2V5IjoiNzRhNDYxZTYtMjdlNC0zNWFmLWExNTktMmFjNDBhMGNiNjg2IiwiYWRkb25LZXkiOiJteS1hcHAifQ==",
  "sub": "5cdae9werwer",
  "tnt": "https://my-integration-url.atlassian.net",
  "aud": "https://oauth-2-authorization-server.services.atlassian.com",
  "iat": 1623261387,
  "exp": 1623261447
}