[Data Residency] Migration endpoints token validation

dberrutti · January 25, 2024, 1:17pm

Hello community,
I’m trying to implement the migration endpoints in my connect app (using Atlassian Connect Spring Boot Java library 3.0.2), like this:

@PostMapping(value = "/schedule")
public ResponseEntity<Object> schedule(@RequestBody MigrationRequestDTO request)

I’m having trouble validating and extracting the client key from the Authorization JWT.

First, I tried to use the @ContextJwt annotation, but it returns 401 to the Atlassian request.

I checked the documentation in https://developer.atlassian.com/cloud/jira/platform/understanding-jwt-for-connect-apps/ but it got me really confused.

Could someone kindly provide a practical example on how to validate the token and extract the client key from these requests?

twhite · January 26, 2024, 1:46am

Regarding the context JWT, this may be helpful. Essentially a context JWT will be used for client-to-server communication. For server-to-server requests, a regular JWT is used. This will contain a qsh claim (query string hash), which prevents URL tampering. Lifecycle events, including migration hooks will use the standard JWT.

Endpoints should automatically authenticate incoming JWT requests. Then you can use the @AuthenticationPrincipal AtlassianHostUser to get access to request details like clientKey, productType etc.

@PostMapping(value = "/migration/schedule")
public String schedule(@AuthenticationPrincipal AtlassianHostUser hostUser) {
  String clientKey = hostUser.getHost().getClientKey();

Hope this helps

dberrutti · January 26, 2024, 12:24pm

Hi @twhite
It worked like a charm for the /schedule endpoint, thank you very much.
But for some misterious reason, the other endpoints (implemented the exact same way) throw a 401 - Unauthorized error.
What could it be?

dberrutti · January 26, 2024, 3:15pm

Hi @tswhite
I figured out the Unauthorized problem, it was just an incorrect qsh hash.
You rock! Thanks a lot!