Correct authentication method for downloading attachments

ferenc.nagy · August 24, 2020, 1:08pm

Hi Community,

We are developing a third-party app for Jira Cloud in which we are acessing attachments of issues.
In the past we used Basic Authentication to get those, but recently, we have encoutered a problem so we started to use JWT authentication. It seemed like it has been resolved, but we have a customer, who reported that the he had no problem before the change, but it’s broken now.

How is that possible that one method works for some users, but not for the others? Is it possible that the Jira Cloud version is not the same for them?
Generally, what is the proper authentication method for getting the attachments?

dmorrow · August 24, 2020, 9:24pm

Hi @ferenc.nagy,

We often use feature flags to roll out changes so it is possible for different customers to report different behaviour.

In the case of getting attachments, both authentication methods should work, but we recommend JWT over basic auth. Are the errors relating to permissions or something else?

Regards,
Dugald

ferenc.nagy · August 26, 2020, 6:59am

Thanks for the information! It seems to be a permission problem, but we need to gather some more input from the customer.

ferenc.nagy · September 1, 2020, 3:03am

It looks like the problem solved itself, as the attachment access started to work for the customer. Thanks for your help!

dmorrow · September 1, 2020, 3:59am

Thanks for circling back @ferenc.nagy.

aaron2 · December 17, 2020, 12:44am

@dmorrow is downloading attachments supported via oauth? I cannot find any documentation on this issue and there are numerous completely ignored community posts asking this question.

dmorrow · December 17, 2020, 5:14am

Hi @aaron2,

Attachment downloading is supported via OAuth 2.0. I tested this with the following Forge app snippet:

    // Path obtained manually by retrieving issue data: /rest/api/3/issue/{issueKey}
    const contentPath = `/secure/attachment/10005/refapp-attachment.json`;
    const response = await api
      .asUser()
      .requestJira(contentPath);
    const responseData = await response.json();

I’ve created ACJIRA-2284 to ensure the API becomes documented.

Regards,
Dugald

aaron2 · December 17, 2020, 6:43pm

@dmorrow thank you for the response, my mistake was I was passing in Bearer: <accessToken> instead of Bearer <accessToken>, which resulted in a redirect to JIRA’s login page. Thanks for following up and creating the ticket!

aaron2 · December 17, 2020, 6:45pm

Might add to that ticket that an error indicating the Authorization header is malformed rather a redirect to the login URL would make this a little easier to debug