Is there a better way of doing this entire authentication flow?
Hi CalebC, that’s exactly what the new feature 3LO aims to provide.
Below, I’ll describe 2 authentication flows you can follow.
I was also looking at OAuth (which I think is still in developer preview), but as far as I can tell this requires a server.
You are right.
Your app can authenticate without you having to provide a server. After authenticating, your app gets an authentication code.
But after authenticating, to call APIs of Jira (Confluence support will be available later), your app needs to exchange the authentication code for an access token.
To exchange, the authentication code and your app’s client secret need to be sent to the Atlassian server. You don’t want to store the client secret inside your app, which hackers may analyze to extract the secret. That’s the reason you need a server, where you can store the client secret and do the exchange.
There are 2 authentication flows with 3LO you can follow:
Your app may open the 3LO login page inside its own in-app browser
Steps to login:
- The user taps a button to login.
- The app opens an in-app browser (WebView), showing the user the official login page.
- The app monitors the URL in the in-app browser, to know when the user has been redirected to the intended redirection URL containing the authentication code, e.g. Example Domain (this may be a non-existing address).
- At that time, the app extracts out the authentication code, and closes the in-app browser.
For users, this way seems not secure, because an evil app developer (hope you are not one!) may freely inject custom JavaScript snippets into pages inside the in-app browser, over which he has full control, to steal username/password etc.
Your app may open the 3LO login page using the system browser
Steps to login:
- The user taps a button to login.
- The app opens the system browser, showing the user the official login page.
- After login, the system browser will redirect the user back to the app. For this to work, the app needs to register a custom URL scheme (see the iOS and Android docs for details), and the redirect URL will look like myapp://redirect?code=xxx.
To prevent your custom URL scheme from being hijacked, please also use PKCE:
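The PKCE pieces of the system-browser flow above, as an added example (not the poster's code and not Atlassian's SDK): the app generates a code verifier and S256 challenge, sends the challenge with the authorization request, checks the `state` on the `myapp://redirect?code=...` callback, and the server only accepts the code from the party that can present the matching verifier. The authorization URL and client id are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders: the real authorization endpoint and client id come from your 3LO app registration.
AUTHORIZE_URL = "https://auth.example.test/authorize"
CLIENT_ID = "my-client-id"


def make_code_verifier(nbytes: int = 32) -> str:
    """Random verifier (RFC 7636: 43-128 chars of [A-Za-z0-9-._~]); 32 bytes -> 43 chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(verifier))) with the '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(challenge: str, state: str, redirect_uri: str = "myapp://redirect") -> str:
    """URL the app opens in the system browser; the verifier itself never leaves the app."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,                      # random per login, checked on the callback
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_redirect(callback_url: str, expected_state: str):
    """Extract the code from the custom-scheme callback; reject a mismatched/missing state."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        return None
    return query.get("code", [None])[0]


def server_verifies(stored_challenge: str, presented_verifier: str) -> bool:
    """Token-endpoint check: an app that hijacked the URL scheme holds the code but not
    the verifier, so its exchange fails even though it intercepted the redirect."""
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)
```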