Expired JWT token breaks the whole app

Hello there,

For the app development I use Connect apps with the atlassian-connect.json descriptor.
We also use JWT authentication, and our apps provide a project sidebar link for the app.

Internally, Jira loads the app within the project scope, for example like so:

https://app-server-url.com/project-page?projectId=10007&xdm_e=jira-instance.atlassian.net&cp=xdm_deprecated_addon_key_do_not_use&lic&jwt=jwt token

And here’s the problem.

The JWT token appended to the URL does not change automatically. However, if our user has the app (from the project sidebar) open for, say, 3 hours, the JWT token expires during that time.

In my experience, Jira seems to automatically reload the iframe inside which the app resides.
It reloads it with the same URL and the already expired token, which means that the JWT token provided in the URL is no longer valid. We validate the JWT token from the URL on our servers, which results in the app not being displayed.

Our users have to refresh the browser window so that a new JWT token is generated in the iframe's URL.

I should note that I haven't seen such behaviour on many Jira instances, maybe just a few of them, where Jira automatically refreshes iframes.

Did anybody encounter a similar issue, and what would be a probable solution?

1 Like

I have seen this behaviour sometimes within our plugin, but haven't managed to fix it yet. I did look for possible solutions in the past and found the following, but have yet to try it out:
https://developer.atlassian.com/cloud/jira/platform/cacheable-app-iframes-for-connect-apps/
Not all of the Connect modules are supported.

2 Likes

Our solution is to serve static index.html with a React application that calls our API with a newly generated token from AP.context.getToken(). We are not doing any server-side validation of the JWT that is appended to the original iframe request.

2 Likes
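The pattern in the reply above, as an added example that is not the poster's code: the page itself is served statically without validating the URL JWT, and every call to the app's own API carries a token freshly obtained from `AP.context.getToken()`, which the back end verifies instead. Assumptions not in the reply and labelled as such: a global `AP` object from the Connect JavaScript API (`all.js`), an `Authorization: JWT <token>` request header, a single retry when the back end answers 401, and a constructed stub host (fake clock, fake `fetch`) so that the example runs offline in Node.

```javascript
// Added example, not from the original thread: browser-side client that fetches
// a fresh token from AP.context.getToken() before each API call and retries once
// on 401, plus a constructed stub host so it can run offline.

function createApiClient({ ap, fetchImpl, baseUrl, maxAttempts = 2 }) {
  // Wrap the callback-style AP.context.getToken in a promise.
  const getToken = () => new Promise((resolve, reject) => {
    try {
      ap.context.getToken((token) => (token ? resolve(token) : reject(new Error('no token from host'))));
    } catch (e) {
      reject(e);
    }
  });

  async function request(path, init = {}) {
    let lastStatus;
    for (let attempt = 1; attempt <= maxAttempts; attempt += 1) {
      const token = await getToken(); // never reuse the jwt=... from the iframe URL
      const res = await fetchImpl(`${baseUrl}${path}`, {
        ...init,
        headers: { ...(init.headers || {}), Authorization: `JWT ${token}` },
      });
      if (res.status !== 401) return res;
      lastStatus = res.status; // token rejected (e.g. expired): get a new one and retry
    }
    throw new Error(`request to ${path} rejected (${lastStatus}) after ${maxAttempts} attempts`);
  }

  return { request };
}

// Constructed stub of the host side: mints tokens with an assumed 180 s lifetime
// and rejects anything expired, like the verifier on the app's back end would.
function makeStubHost({ tokenLifetime = 180 } = {}) {
  let now = 1000000;         // fake clock, seconds (constructed)
  const issued = new Map();  // token -> exp
  let minted = 0;
  let fetches = 0;
  const staleQueue = [];     // tokens getToken should hand out before minting fresh ones
  const mint = () => {
    minted += 1;
    const t = `tok-${minted}`;
    issued.set(t, now + tokenLifetime);
    return t;
  };
  const ap = { context: { getToken(cb) { cb(staleQueue.length ? staleQueue.shift() : mint()); } } };
  const fetchImpl = async (url, init = {}) => {
    fetches += 1;
    const token = String((init.headers || {}).Authorization || '').replace(/^JWT /, '');
    const exp = issued.get(token);
    return { status: exp !== undefined && now <= exp ? 200 : 401, url };
  };
  return {
    ap, fetchImpl, mint,
    advance: (seconds) => { now += seconds; },
    serveStale: (t) => staleQueue.push(t),
    fetchCount: () => fetches,
  };
}

// Reproduce the thread's situation with constructed data.
async function scenario() {
  const host = makeStubHost();
  const urlToken = host.mint();   // the jwt=... Jira appended when the iframe first loaded
  host.advance(3 * 3600);         // sidebar page left open for three hours
  const baseUrl = 'https://app-server-url.com';
  const client = createApiClient({ ap: host.ap, fetchImpl: host.fetchImpl, baseUrl });

  // 1. Reusing the URL token, as a server-validated iframe effectively does: rejected.
  const stale = (await host.fetchImpl(`${baseUrl}/api/items`, { headers: { Authorization: `JWT ${urlToken}` } })).status;
  // 2. Fresh token per call: accepted.
  const fresh = (await client.request('/api/items')).status;
  // 3. The host hands back a stale token once; the client retries with a new one.
  host.serveStale(urlToken);
  const before = host.fetchCount();
  const retried = (await client.request('/api/items')).status;
  return { stale, fresh, retried, retriedAttempts: host.fetchCount() - before }; // 401, 200, 200, 2
}

if (typeof require !== 'undefined' && require.main === module) scenario().then(console.log);
```

Two caveats for anyone copying this. The back end still has to verify every token it receives (signature, `exp`, and the claims it expects); serving the HTML without validation only moves the check to the API calls, it does not remove it. And Atlassian documents that tokens from `AP.context.getToken()` carry a fixed `qsh` value (`context-qsh`) rather than a hash of the request, so a back end that computes the request hash for URL tokens has to accept that value for these calls.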

We have a very similar problem in our application.

There’s a bug open with Atlassian regarding this issue. Currently, we can’t see a feasible way to solve this faulty behaviour on our side. We can’t use cacheable iframes, because the Project Page module that we use for displaying a sidebar link doesn’t support the cacheable property.

“We are not doing any server-side validation of the JWT that is appended to the original iframe request.” How are you doing this? Are you using the Connect framework?

We are building on top of Connect, but we are not using ACE or Atlassian Spring Boot. We are hosting the app on Firebase, which uses a CDN for static files, and we use GCP Cloud Functions for the back end. That is why our static files (HTML, CSS, JS, SVG, PNG, etc.) are not validating the JWT.