Apologies if this is posted elsewhere - I couldn't find it specifically.
I am a first-time Connect App developer and would like to know if there is a way to store a custom set of credentials in the connect app in our Jira Cloud instance.
Here are another set of questions that I am struggling to answer right now:
We would like the Connect App to create and update (or just update if it exists already) custom fields in Jira SD and Software - but the contents of the dropdown (and cascading dropdown) fields need to be pulled from our own internal REST API that is authenticated by the credentials stored.
How can we confirm and ensure that the connect app descriptor file is not used by anyone else to install our App on their instance of Jira? I.e. we want to currently be the only ones using our Connect App (for now at least) and not allow or have any visibility to anyone externally.
How can we authenticate and authorize ONLY our instance of Jira to communicate to our system and not anyone else (for now)?
I believe the app descriptor does not need to be called atlassian-connect.json. Is that true? If so, are there any limits or standards on the name of the json file?
I am struggling to understand the following:
- Ensure our Custom Connect App is only ever installed by us and no one else. And not findable by people and web crawlers (for now).
- Get Jira Service Desk and Software issue form custom fields to pull data from our custom app API securely
- Where and how on our custom connect app / Jira instance can we store our App API credentials securely and encrypted
- Hide options in dropdown fields based on form types and cascade dropdowns based on our API data
I have already read quite a lot of documentation and watched the Dev Day videos but wondering about the security side of things initially…
Welcome to the party…
You can intercept the install call and just reject tenants that you don’t want to install on based on the baseUrl. That said - you can also just list your app as a private app - then somebody would have to stumble on your descriptor to install it on an instance.
If you block the installation hook and then validate the jwt tokens against the “valid item” - that would do it.
As long as the descriptor is on the public internet - you’re good to go.
Thanks, Daniel. Exciting stuff! Appreciate the quick response.
- OK, I understand - so any install callback payload that comes through after our instance has it installed, we can ignore / block?
- So the list I have on https://marketplace.atlassian.com/manage/apps/ is listed as private - meaning no user or webcrawler can find it, right?
- How would I know a ‘valid item’ from one that is not? Guessing via the clientKey and sharedSecret?
- OK great - on the file name. Is it possible to block any and all requests to the app descriptor “baseUrl”+“url” urls other than usage from Atlassian, particularly our instance?
- Lastly, how can I call our custom external API securely from Jira? E.g. on the customer request portal form, pull and populate data from our App's API?
Thank you in advance
Yep. Just return a non-2xx (200-299) HTTP error code and Jira won't listen to it.
That list is not available. However your descriptor/resources are still available on the internet, so if somebody knows where to look they'll still find it (but robots.txt and such could block that).
Take a look at the payload that comes through - it will have a client id and base url that is unique. Once you get it once - you can lock it down for the rest.
In theory you can lock it down based on IP - I believe there was a thread on here about that.
The installation payload will have a shared secret that you’d use to confirm the jwt token - see https://developer.atlassian.com/cloud/jira/platform/understanding-jwt/
Thanks for the above … We have been chatting about this and trying to move ahead with it.
Is there a way to set up a call/meeting with a technical person from Atlassian / Jira to discuss this? There are some security concerns we would like to understand, iron out and make sure it is as secure as it should be.
Hey Yatish, let’s do it! I’m Sydney based, so DM me a few separate time slots that work for you next week + your email address. Looking forward to it
Thanks Simon, appreciate the quick response. I will do so.
Hi @SimonKubica, I have sent you details via DM, no response yet? Please let me know so that I can arrange with my colleagues too … Thank you
Hi @SimonKubica, we are still awaiting a response on the DM / a meeting invite at the proposed times. Thank you
Hey @YatishMadhav, invite sent - check your DMs!
To set expectations, 1:1 support for Connect app development isn't something Atlassian officially offers. However, I've made an exception in this case - selfishly, deepening our understanding of developers like yourself (and the challenges you face) in building custom apps is paramount to ensuring the team can feed this sort of context right back into building a better platform for teams like yours.
Thanks for holding out during this super busy time for the team, looking forward to chatting tomorrow
Hey @YatishMadhav @SimonKubica Could you share details here too?
I have the exact same issue, and I have been trying to find a solution.
I am creating a connect app that renders an iframe containing details from our instance on the Jira instance. To fetch the real time data, we have to make API calls to our server. We are using an API key based authentication. I would like to create the app in such a way that the app prompts for the key during install, but then stores the key to make subsequent API calls, without prompting for the key again.
I could do this using App and entity properties, but Jira recommends not to do so. Is there a way I can achieve this using some other method?