Hi all
I have gone through a few articles relating to the security improvements of our Jira Connect App
We currently have/do the following:
We have a private connect app that currently just has custom fields added
on the connect app side, we limit the installation of the connect app to only 2 tenants (based on baseUrl)
we install (and update/reinstall) by copying the URL of the app descriptor and clicking on the ‘Upload app’ link on the UPM page
using the secret, client id, etc, we make REST API calls to the tenant(s)
on updates, we re-install the app using the URL of the app descriptor as above
One other question I have is: If we update the app descriptor the version is updated on the vendor marketplace listing … BUT we have to reinstall the app by copying the URL as mentioned above. Is this the correct process? How can we better manage this as this step seems a little manual right now? I did see the comment “There is no plans for scheduling a periodical rotation” but I wonder …
Basically when should we look out for the install payload, what specifically is advised to be stored from the payload on our end and what needs to be updated?
Hi,
Can you elaborate a bit more on this: “limit the installation of the connect app to only 2 tenants (based on baseUrl)”?
We recommend apps to identify installations by the clientKey, not by the baseUrl.
If there is an existing installation record for a site (baseUrl) under a different clientKey, your app should associate the site with the new clientKey and the sharedSecret.
Also, if you publish a new app version to your marketplace, it will be automatically installed to the tenant over the next 24 hours unless there was a scope change in the app descriptor.
(Please note that this automatic upgrade will only be triggered for the apps installed from the marketplace, not for the apps installed manually by using the app descriptor via developer mode)
Hi @HanjooSong
RE limit install on 2 tenants … I mean we restrict the connect app descriptor to only be used and installed on our 2 Jira cloud instances based on the baseUrl. If installed elsewhere, a 4xx response is given.
Would you advise we store the clientKey on the app side if that is preferred? When would the clientKey change if at all? Meaning it will only be installed and reinstalled on 2 instances ever, how would the clientKey and sharedSecret look?
We have had updates to the connect app descriptor JSON and it did not auto install on the 2 instances. Might be because it is private? Think you just answered that
Hi,
We have recently updated the lifecycle section on DAC describing when clientKey and sharedSecret can be changed.
We do recommend apps to use clientKey as an identifier instead of the site baseUrl. However, I assume you own those 2 instances as well and if there isn’t any plan for importing/exporting site data in the future, there won’t be any issues with using baseUrl as the identifier instead. I will leave this up to you.
And yes, the automatic app versioning won’t be triggered for a private app.
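As an added illustration of the advice in both replies above (not code from the thread or from Atlassian), here is an `installed` lifecycle handler that keeps one record per clientKey while still refusing installs from sites outside the poster's allowlist, and that re-associates a known baseUrl with a new clientKey and sharedSecret when one arrives. The payload fields used (eventType, clientKey, sharedSecret, baseUrl) are documented Connect lifecycle fields; the in-memory store, the allowlist values and the HTTP status choices are assumptions for the example.

```javascript
// Added example: Connect 'installed' lifecycle handling keyed by clientKey.
// ALLOWED_BASE_URLS holds constructed sample tenant URLs (assumption).
const ALLOWED_BASE_URLS = new Set([
  'https://tenant-one.atlassian.net',
  'https://tenant-two.atlassian.net',
]);

// In-memory stand-in for a database table whose primary key is clientKey.
function createStore() {
  return new Map();
}

// Processes one lifecycle payload, updates the store and returns the HTTP
// status the endpoint should answer with.
function handleInstalled(store, payload, allowed = ALLOWED_BASE_URLS) {
  const { eventType, clientKey, sharedSecret, baseUrl } = payload;
  if (eventType !== 'installed' || !clientKey || !sharedSecret || !baseUrl) {
    return 400; // not a well-formed 'installed' payload
  }
  if (!allowed.has(baseUrl)) {
    return 403; // site is not one of our tenants: refuse the installation
  }
  // The same site can come back under a new clientKey (for example after a
  // site import). Retire the stale record so only the current key is trusted
  // for that baseUrl, then store the new clientKey with its sharedSecret.
  for (const [key, rec] of store) {
    if (rec.baseUrl === baseUrl && key !== clientKey) {
      store.delete(key);
    }
  }
  store.set(clientKey, { baseUrl, sharedSecret, installedAt: Date.now() });
  return 204;
}

// Later requests from a tenant are looked up by clientKey, never by baseUrl,
// to fetch the secret used to verify their JWT.
function secretFor(store, clientKey) {
  const rec = store.get(clientKey);
  return rec ? rec.sharedSecret : null;
}
```

Verifying the JWT that signs the incoming lifecycle request (required once an app is already installed) is not shown here and must be done before `handleInstalled` is trusted.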