Connect App vs OAuth2 App REST API Access

Jira Development Jira Cloud
, ,
1

I was happy to see that OAuth2.0 apps can now register webhooks. But it looks like I can not fully migrate from OAuth2.0 + Connect app for my usecase. Can someone let me know if I’m missing anything in the below usecase?

In an external application, I need

  1. user identity - a OAuth2.0 app is appropriate for this
  2. ability to configure webhooks - Connect app works well, but it would be ideal if this all happened with a single app. So I was planning to do this with the OAuth2.0 app now that this is possible
  3. ability to query the jira rest api for additional context when processing webhooks

It looks like point 3 is going to still be a problem with OAuth2.0 apps. As far as I can tell, token generation requires manual action from a user even after “installation”. And the token expires in an hour with no refresh mechanism. So there doesn’t seem to be a way to do background querying in response to a webhook. It seems like JWT authentication with the Connect app is the only option.

Hopefully I am overlooking something here. Any advice would be appreciated.
Thanks

2

@DaveMeyer,

I’m not sure if I follow your conclusions.

As far as I can tell, token generation requires manual action from a user even after “installation”.

This sounds like, How do I get a new access token, if my access token expires or is revoked?. The short answer is refresh tokens.

Overall, I think OAuth 2.0 (3LO) can cover all 3 of your needs (with details for others who might be in a similar situation):

  1. user identity: using a combination of the me and accessible-resources endpoints (because usually you need to know a user on a site).
  2. ability to configure webhooks: using the existing registration endpoint, recently available under OAuth 2.
  3. ability to query the jira rest api for additional context: using refresh tokens.
1 Like
3

@ibuchanan thanks for the reply. The refresh mechanism is what I hadn’t been able to find yet. Given that, I think all usecases should be covered using the OAuth2 app. Thank you for pointing that out. Much appreciated