Calling associated Jira Cloud instance REST APIs from a Confluence Cloud add-in dynamic macro via AP.request()?

I am developing a Confluence Cloud add-in dynamic macro that needs to call an associated Jira Cloud instance’s REST APIs to get issue related data and from that generate some reports in Confluence.

To do this, we tried obtaining a link to the Jira Cloud instance using a Jira applink via an AP.request to the /rest/jiraanywhere/1.0/servers API to get linked Jira Cloud instances. This is the same request we’d been using on Confluence Server to get associated Jira applinks.

In call cases it fails with a 403 error (Unauthorized). That was interesting to us, that it threw a 403 instead of a 500. Figured that perhaps if we had JWT authentication enabled for the add-in, that perhaps Confluence Cloud would let us call this API via AP.request(). Apparently not.

If I manually call the associated Jira Cloud instance REST API directly using a normal XMLHttpRequest to a known Jira Cloud URL, using basic authentication with a username and user token, AND, and this is important, also disable CORS using a Chrome plugin, the requests to Jira do work. Of course, that’s not a shipable solution on many levels. What’s interesting is that I can also call the /rest/jiraanywhere/1.0/servers the same way, using a username and token and it will respond, just not through AP.request() on a JWT enabled add-in.

So, based on this observation is it possible to use something similar to the Jira applink feature we use in Confluence Server to make authorized REST APIs calls to a Jira Cloud instance, and also avoid any CORS issues. It seems to me that the CORS issue may be ultimately problematic.

The alternative is that we proxy this through our own servers, do authenticated server-to-server calls to get around both the user authentication and browser CORS issues. Really hoping not to have to go down that path if we can avoid it.

Thanks for any ideas,

Michael Eskin

3 Likes

@michaele, I’ll ask the Confluence Cloud ecosystem team to chime in; however, I will start by saying that even though you can get the /rest/jiraanywhere method to work, because it’s an undocumented/unsupported Confluence Cloud API, I wouldn’t rely on that.

I was only able to get it to work at all by going around AP.request() and disabling CORS on my browser, which, as I said isn’t viable for a production add-in.

We would very much like to understand what Atlassian would consider to be a well supported method by which a Confluence Cloud dynamic macro in an add-in could do this sort of cross-platform call to REST services on an associated Jira Cloud instance without requiring a server-side proxy.