Avoiding CORS issues on connection to JIRA cloud

I just watched Connect everywhere - Cloud and Server - YouTube and I have a few questions about whether a Connect app is the right solution for our project. I’m working on the front-end for a web service that needs to GET JIRA details from the Atlassian REST APIs, for customers who might either use JIRA Cloud or have an on-prem JIRA Server instance. The two big unknowns are how to avoid CORS issues and how to handle authentication.

On the CORS issue, for JIRA Server it looks like we can just ask customers to whitelist us, but for Cloud I can’t find a good answer on what to do. One option I’ve been looking at is writing a connect app for cloud customers to install, for our web application to connect to to get the correct CORS headers. I’m not clear if this is possible, or if the initial request to the Connect app wouldn’t have the same CORS issue. Any advice on where to start with this?

For the authentication against the REST APIs, it looks like JWT is our only option against cloud if we end up writing a connect app, but we have multiple options for authenticating against JIRA server. Are there any recommendations between basic auth, basic auth with cookies, and OAuth authentication?

Hi @dpalmer,

If you are using a Connect app you should have no problems with CORS, but then you will need to use JWT for authentication. If you use Connect you can also use OAuth 2.0 impersonation to act on behalf of users: User impersonation for Connect apps

But if you only need to call the REST APIs in Jira Cloud there is also the possibility of using our OAuth 1.0a flow: https://developer.atlassian.com/cloud/jira/platform/jira-rest-api-oauth-authentication/

For Jira Server I would recommend using OAuth: OAuth

I would not recommend using basic auth in production (either Cloud or Server).

Hi @pvandevoorde,

Thanks for your quick response. Do you have an example of a connect app you could direct me to that handles authentication and acts as a pass-through for REST API data, or something roughly similar? I’ve managed to get the OAuth authentication working in our app, but I’d really prefer to have the OAuth 2.0 user-impersonation you mentioned in your reply, so that I can give our customers’ administrators more fine-grained control over what projects their users can see in our app. However, most of the Connect examples I’ve seen involve adding some functionality to the JIRA UI, which is not quite what we are looking for, so I’d like to confirm what I’m envisioning is possible with Connect.

I overlooked Responding to requests to an endpoint on https://bitbucket.org/atlassian/atlassian-connect-spring-boot - that looks like roughly what I’m looking for, in terms of adding an endpoint to my Connect app I can access from my web application.

@pvandevoorde The other issue I have, going with the Connect App, is how our web service (CloudBees DevOptics) is going to get data from customers with a JIRA Server instance. This video seems to indicate it is possible to get a Server instance to talk to a Connect App, but the how is a little vague. Is it possible for a JIRA server instance to communicate with a Connect App, that in this case is acting as a passthrough for the REST API to return project and issue details, and using OAuth 2.0 user impersonation for auth? If not, do I need to look at also implementing a similar P2 add-on for JIRA Server to do the same, and should I expect my web UI to run into CORS issues with a P2 plugin installed on a JIRA Server instance?

Thanks in advance for looking at the multiple questions; there are a lot of options to sort through here across the two JIRA products.

@dpalmer,

I’m sorry to say this, but Connect for Server doesn’t exist; you can only use P2 apps for Server.

If you only need to call the REST API, and not change anything in the Jira Server UI, you might want to look into using OAuth 1.0a as your authentication mechanism: OAuth, but that doesn’t give you the user impersonation you are looking for.

Otherwise, I would recommend that you create a P2 app and allow your app to either work fully independently or to make sure the users understand that a connection to your web service is required for the app to function.

Getting data from Jira Server instances might be tricky because a lot of those are behind firewalls or even completely disconnected from the internet, thus not allowing your app and the server to connect.

Hi Peter.

I’m a colleague of Dan’s (at CloudBees).

So maybe some more context would help clarify what we are trying to do. We’re not 100% sure what the most appropriate options are and are very interested in getting some recommendations.

We’re building a new SaaS that integrates JIRA, Git and Jenkins. It’s called DevOptics: Enterprise Software Delivery | CloudBees

One part of the service is about providing insights into the progress that JIRA tickets are making through a Software delivery stream/pipeline. We currently integrate with JIRA via a Jenkins plugin that acts as a “proxy”, but we’re not very happy with that and were hoping we could change to a model where the user uses her/his own JIRA creds to get the JIRA ticket information i.e. the DevOptics client JavaScript code (loaded from the DevOptics backend) would be able to make JIRA REST API calls (CORS) “directly” to JIRA (server or cloud).

So we’re wondering are there any well (or not so well) defined techniques and tools that would make it possible for us to integrate with JIRA in this way, working for both JIRA cloud and server?

Atlassian Connect seems like it will solve our problem for JIRA Cloud (our assumption is that it will handle the user auth and then allow us to make REST API requests to JIRA). What would be the best approach for JIRA server?

Regards,

Tom.
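
Added example, not part of any post in this thread and not Atlassian or CloudBees code: the first post asks whether the initial request to the Connect app would have the same CORS issue. If the pass-through endpoint is hosted on a different origin from the web application, the browser treats that call as cross-origin too, so the endpoint has to answer the preflight and return CORS headers itself. The sketch below does that with an exact-match origin allowlist; the origin `https://app.example.com` and the names `corsHeaders` and `decide` are assumptions made for illustration.

```javascript
// Constructed values: the single browser origin allowed to read pass-through responses.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_METHODS = ["GET", "OPTIONS"];
const ALLOWED_HEADERS = ["authorization", "content-type"];

// CORS response headers for an Origin, or null when the origin is not allowlisted.
function corsHeaders(origin) {
  // Exact match only: no "*", no suffix/substring match, no echoing of arbitrary origins.
  if (typeof origin !== "string" || !ALLOWED_ORIGINS.has(origin)) return null;
  // Vary: Origin stops a shared cache from replaying one origin's headers to another.
  return { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
}

// Decide status and headers for a request; req = { method, headers } with
// lower-case header names (as Node's http module provides them).
function decide(req) {
  const cors = corsHeaders(req.headers["origin"]);
  const wantMethod = req.headers["access-control-request-method"];

  if (req.method === "OPTIONS" && wantMethod) {
    // Preflight: approve only allowlisted origin + method + request headers.
    const wantHeaders = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const ok = cors !== null &&
      ALLOWED_METHODS.includes(wantMethod) &&
      wantHeaders.every((h) => ALLOWED_HEADERS.includes(h));
    if (!ok) return { status: 403, headers: { "Vary": "Origin" } };
    return {
      status: 204,
      headers: {
        ...cors,
        "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
        "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", "),
        "Access-Control-Max-Age": "600",
      },
    };
  }

  if (req.method !== "GET") return { status: 405, headers: { "Vary": "Origin" } };
  // Actual request: without the CORS headers the browser refuses to expose the
  // response to page script. This is not access control; non-browser clients
  // ignore CORS, so the endpoint must still authenticate every caller.
  return { status: 200, headers: cors || { "Vary": "Origin" } };
}
```

`decide` is kept free of I/O so it can be called from whatever HTTP framework hosts the endpoint; authenticating the caller is a separate step that this sketch does not cover.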