I’m excited to share some news with you! Recently my team has been working on a new Forge feature: External Auth. There has been some discussion about OAuth2.0 integrations, so we wanted to let you know what you can expect us to deliver by the end of the year.
What is it?
External Auth is a new feature that will let you authenticate an OAuth2.0 provider with minimal configuration.
This feature will:
Connect your Forge apps to a 3rd party from multiple Atlassian products and share the auth between them seamlessly.
Store service and account credentials in a secure, encrypted way which was verified with strict compliance procedures and rigorous security reviews.
Fetch and refresh OAuth2.0 tokens automatically.
Easily use OAuth tokens in requests from your Forge functions.
External Auth will support some popular service providers such as Google, Dropbox, Miro, Slack, GitHub, and Azure DevOps out of the box, and also has the ability for you to define fully custom OAuth2.0 Providers for any service that adheres to the OAuth2.0 protocol!
Note: for external providers this feature will only support the “Authorisation Code Flow”, and won’t support the “Client Credential Flow”. For more about OAuth2.0 flows visit: Which OAuth 2.0 Flow Should I Use?
Example use cases
Creating Google Calendar entries from Confluence: External Auth will remove the need to manually handle the user’s OAuth tokens in your application code.
GitHub pull request status from Jira: External Auth will remove the need to manually handle the user’s OAuth tokens in your application code.
Can you comment on how this works together with the “login as User” admin feature?
Storing the credentials securely is a very nice addition and enables a lot of use-cases.
However, use-cases are immediately limited if the Jira Admin can use “Login as User” and then has access to this 3rd party information as well.
Imagine I want to build an app that shows my last used Office files and I can one-click upload them. It would be weird/concerning/security relevant if the Jira admin might get access to these files as well.
After all, he is only Jira Admin and not Office admin.
Hey @andreas.schmidt, I can confirm that when an admin uses “Login as User” and logs in as another user, the app accesses the admin’s account instead of the user’s.
Hi @Nir, that is pretty good news. We’re working on the design of a Forge app and as the application is new we are considering implementing it full-on Forge for using most benefits of Forge Apps in comparison to Connected Apps or Connect-on-Forge. The problem is that we need to integrate OAuth2 (auth code flow) for a third party (Microsoft Azure), which currently seems not to be possible. You say External Auth is expected to be delivered by the end of the year, but I couldn’t find any documentation or information related to its release. Can you tell me a more accurate release date? In case this Forge functionality can already be used, do you have documentation?