Feature Teaser: Easy OAuth2.0 provider integration is coming to Forge!

Hey Forge community,

I’m excited to share some news with you! Recently my team has been working on a new Forge feature: External Auth. There has been some discussion about OAuth2.0 integrations, so we wanted to let you know what you can expect us to deliver by the end of the year.

What is it?

External Auth is a new feature that will let you authenticate an OAuth2.0 provider with minimal configuration.

This feature will:

  • Connect your Forge apps to a 3rd party from multiple Atlassian products and share the auth between them seamlessly.
  • Store service and account credentials in a secure, encrypted way which was verified with strict compliance procedures and rigorous security reviews.
  • Fetch and refresh OAuth2.0 tokens automatically.
  • Easily use OAuth tokens in requests from your Forge functions.

External Auth will support some popular service providers such as Google, Dropbox, Miro, Slack, GitHub, and Azure DevOps out of the box, and also has the ability for you to define fully custom OAuth2.0 Providers for any service that adheres to the OAuth2.0 protocol!

Note: for external providers this feature will only support the “Authorisation Code Flow”, and won’t support the “Client Credential Flow”. For more about OAuth2.0 flows visit: Which OAuth 2.0 Flow Should I Use?

Example use cases

  1. Creating Google Calendar entries from Confluence: External Auth will remove the need to manually handle the user’s OAuth tokens in your application code.
  2. GitHub pull request status from Jira: External Auth will remove the need to manually handle the user’s OAuth tokens in your application code.

Should we support more providers out of the box?

Let us know by completing this Google Form.

If there’s enough of an ask for providers we haven’t included yet, we’ll consider adding them to our “out of the box” supported list.

Have any questions, comments, or concerns? Let us know! Leave them below or reach out to me on:

Email: nnikolaevsky@atlassian.com

Calendly: Nir Nikolaevsky - Book a call

Cheers,

Nir

16 Likes

Hey @Nir

That is great news!! I am very much looking forward to that feature.

One thing though: That Google Forms link is not public, could you please look into that :grimacing:

Cheers,
Tobi

1 Like

Hi @Nir,

Can you comment on how this works together with the “login as User” admin feature?
Storing the credentials securely is a very nice addition and enables a lot of use-cases.

However, use-cases are immediately limited if the Jira Admin can use “Login as User” and then has access to this 3rd party information as well.
Imagine I want to build an app that shows my last used Office files and I can one-click upload them. It would be weird/concerning/security relevant if the Jira admin might get access to these files as well.
After all, he is only Jira Admin and not Office admin.

6 Likes

Thanks for that, there was a sneaky checkbox pre-ticked in the settings. Should work now :slightly_smiling_face:

1 Like

Good question @andreas.schmidt, the team is now looking into the expected behaviour for an admin using “login as User”, will keep you posted.

1 Like