I’m not sure if I follow your conclusions.
As far as I can tell, token generation requires manual action from a user even after “installation”.
This sounds like, How do I get a new access token, if my access token expires or is revoked?. The short answer is refresh tokens.
Overall, I think OAuth 2.0 (3LO) can cover all 3 of your needs (with details for others who might be in a similar situation):
- user identity: using a combination of the
meandaccessible-resourcesendpoints (because usually you need to know a user on a site). - ability to configure webhooks: using the existing registration endpoint, recently available under OAuth 2.
- ability to query the jira rest api for additional context: using refresh tokens.