I want my Confluence Cloud Atlassian Connect Express plugin to access Jira Cloud rest API. Preferably as smooth for the user as possible. For example read only in asApp mode, and R/W in asUser after oauth dance.
I am doing my best to dig into OAuth documentation but I am lost.
As far as I understand:
A/ Confluence Addon ACE talking to Confluence rest API
For ‘as app’ calls it’s easy thanks to JWT and httpClient available in app.js by default (which is npm’s request under the hood). I tested it and it works as expected.
For ‘as user’ calls you have to follow:
https://developer.atlassian.com/cloud/jira/platform/user-impersonation-for-connect-apps/
#1 Am I right here? Can ACE’s JWT be used only within the same product type?
B/ Confluence Addon ACE talking to JIRA rest API
As far as I understand such a request is (from the security perspective) similar to a request made by any external app. It doesn’t matter if this is an ACE addon with a valid JWT, right?
(if so) I should follow this article:
B1/ https://developer.atlassian.com/cloud/jira/platform/oauth-2-3lo-apps/
which suggests in the intro section:
Connect apps : Use JWT. You can also use OAuth 2.0 user impersonation.
This is half true. It should be “Confluence Connect apps talking to /wiki/rest and JIRA Connect apps talking to /rest” APIs.
#2 Am I right here? Should this documentation be more specific?
Following the page, I can see:
Before you can implement OAuth 2.0 (3LO) for your app, you need to enable it for your app in app management:
- In app management, navigate to your app (or create one if you don’t already have one).
Well, the app management link points to Forge apps manager. There are no ACE applications there.
#3 Do I have to create a stub Forge app for any other (including ACE) application to use OAuth2?
I assumed so, and successfully managed to perform all the steps in the documentation to finally hit this sentence:
Note that making your app public does not make it available on the Atlassian Marketplace. Listing a OAuth 2.0 (3LO) app on the Atlassian Marketplace is currently not supported.
I gave up here and moved to this site:
B2/ https://developer.atlassian.com/cloud/jira/platform/jira-rest-api-oauth-authentication/
Here, instead of being trapped by early access, non-market ready solutions I was hit by legacy, server-related code.
I compiled the java code (there is a missing target directory name in java -jar **target**/OAuthTutorialClient-1.0.jar requestToken) and generated public/private key pair. But I failed on:
Configure the client app as a consumer in Jira, using application links
(got error 500)
I tried to use node client from the Bitbucket. This code is three years old and package.json was missing so I had to to guess NPM dependencies and then rewrote the code from express2.0 to express4.0. Long story short this turned out to be less useful than java version.
More importantly, this solution seemed to be for those looking a single-instance OAuth mechanism.
#4 Am I right here? Is “OAuth for REST APIs” designed to a single-instance use cases?
So I took a look at Forge:
C/ Forge app talking to Jira/Confluence (but not Jira Software) APIs
Everything is simple with forge. There are no “Confluence” or “Jira” addons anymore. It’s just Forge addon for the entire platform. You can call:
api
.[asApp() | asUser()]
.[requestConfluence | requestJira]
I tested it and it works like charm. There are two issues with Forge: (1) there is no Forge marketplace yet (but it’s coming soon), and there is no InlineMacro that I need for my addon (and it’s not even in the roadmap).
To sum up:
#5 Is there a documentation for my scenario:
A Confluence ACE addon talking to Jira REST API in system/application read-only mode (if possibile) and in “asUser” (impersonalized) mode? (assuming I can’t use Forge).
