Forge built-in OAuth 2.0 support

Hello,

I’m working on integrating Forge’s built-in OAuth 2 with our third-party web application. The goal is to authenticate and authorize Jira users seamlessly, allowing them to auto-login using their Jira credentials.

What We’re Trying to Achieve

  • We want to create an integration where Jira users can automatically log in to our external web application using their Jira user information.
  • After a user installs our app from the Atlassian Marketplace, there should be a UI button within Jira that they can click to trigger the authentication process.

What We’ve Tried

  • We created an OAuth2 (3LO) integration. When users are provided with the authorization URL, they select their Jira instance, accept the permissions, and are then registered and logged into our app. This part works well.
  • We then attempted to use Forge to create a project page with a custom UI button. The idea was that clicking this button would redirect users to our OAuth2 authorization URL. However, it seems Forge is blocking the redirect, preventing us from achieving the desired outcome.

What We’re Seeking

  • What are the best practices for implementing this kind of integration using Forge?
  • Are there alternative approaches or specific features in Forge that we might be overlooking?
  • How can we ensure a smooth user experience where they can authenticate with our application directly from within Jira?

Any guidance or suggestions would be greatly appreciated!

Thank you!

Hello @gustavo2

To me, it sounds like you’ve misunderstood what OAuth is and how it can be used. You seem to be describing trying to use OAuth as some form of centralised user authentication system, like an SSO platform or Kerberos etc., when that is not how it works.

I personally can’t think of any examples of using OAuth in the manner you’ve described here, especially not using a Forge app to somehow ‘redirect’ to a secondary OAuth principal associated with an external web app, or to otherwise act as some type of authentication ‘bridge / router’ between the two environments.

1 Like

Thank you for the clarification!

You’re right, I might be confusing OAuth’s use cases. I now understand that OAuth isn’t meant to serve as an SSO platform. However, I was under the impression that we could utilize Forge to facilitate this kind of flow, essentially having a UI component in Jira that triggers an authorization request to our external service.

Given Forge’s constraints and the way OAuth typically operates, it seems like we may need to rethink our approach. Could you suggest an alternative way to achieve a more seamless integration? Perhaps there’s a better pattern for linking Jira user identity to an external service in a secure and user-friendly way?

@gustavo2,

I’ve worked with many SaaS companies to build integrations. With @sunnyape’s input, you see that you can’t achieve SSO with Forge. However, you can “link user identity to an external service in a secure and user-friendly way” with OAuth. Forge’s external OAuth flow is already doing this in the context of the Forge app itself.

What’s unclear to me is what your integration is trying to do. Let’s assume you have a mapping: what value does the integration bring between the products? How does it help users accomplish something with the data they have stored in each? The auth mechanisms might constrain what use cases are possible, but let’s start with use cases so I can recommend the best auth model (or, at least, the least intrusive).

1 Like

Our external web application offers tools that enhance Agile and Scrum processes by providing:

  1. Team Capacity Calculation Tool:
  • Our tool helps users calculate their team’s capacity for upcoming sprints based on story points delivered in prior sprints. The integration would allow us to fetch historical sprint data directly from the user’s Jira board, eliminating the need for users to manually input these values. This also ensures more accurate planning based on actual historical data.
  2. AI-Powered Story Generation:
  • We have an AI story generator that helps teams quickly create new user stories. With the integration, we would like to automatically add these generated stories to the user’s Jira backlog. This would streamline the process of moving from idea generation to task management in Jira, reducing manual steps and enhancing productivity.

Our goal is to make these processes seamless and intuitive for users by leveraging the data already available in Jira and automating steps that would otherwise be manual and repetitive.

Given this, what would be the best approach to achieving a smooth authentication and data integration flow under the constraints of Forge and OAuth?

I appreciate your help!

Just following up, I’ve added more details about our integration’s value above. Would love to hear your thoughts on the best approach for achieving this with Forge and OAuth. Any advice would be greatly appreciated!

Thanks!

@gustavo2,

Forge with external fetch (and OAuth) would require some kind of triggering of those actions from the Jira side. Assuming the features in bold above are capabilities on your 3rd-party web application where you need to write data back to Jira, then I think the mechanism you need is Forge Remote so that your web application can “call product APIs”.

Between the Forge app and your remote, there is still a matter of tenant & identity mapping. But I don’t know of any Forge features or patterns that will help solve that. It’s “an exercise left for the reader”.

1 Like
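
One way to approach the tenant and identity mapping that the last reply leaves open, as an added example that is not part of the thread and not Atlassian's code. It assumes a Python backend for the external web application; `IdentityLinker`, its method names and the sample IDs are hypothetical, and `cloud_id` / `account_id` stand for the site and user identifiers the backend obtains from Atlassian after the 3LO code exchange.

```python
import secrets
import time

STATE_TTL = 600  # seconds a pending link request stays valid (assumed policy)


class IdentityLinker:
    """Hypothetical helper: links a Jira (tenant, user) pair to a local account."""

    def __init__(self):
        self._pending = {}  # state -> (local_user_id, expires_at)
        self._links = {}    # (cloud_id, account_id) -> local_user_id

    def begin_link(self, local_user_id, now=None):
        """Create the OAuth `state` value, bound to the logged-in local user."""
        now = time.time() if now is None else now
        state = secrets.token_urlsafe(32)
        self._pending[state] = (local_user_id, now + STATE_TTL)
        return state

    def complete_link(self, state, session_user_id, cloud_id, account_id, now=None):
        """Call from the OAuth callback once the code exchange has succeeded.

        cloud_id and account_id must be taken from Atlassian's responses to
        the backend, never from parameters supplied by the browser.
        """
        now = time.time() if now is None else now
        entry = self._pending.pop(state, None)  # single use, even on failure
        if entry is None:
            return "rejected: unknown or replayed state"
        owner, expires_at = entry
        if now > expires_at:
            return "rejected: state expired"
        if owner != session_user_id:
            return "rejected: state issued to a different session"
        key = (cloud_id, account_id)  # key on tenant and user together
        if self._links.get(key, owner) != owner:
            return "rejected: Jira identity already linked to another user"
        self._links[key] = owner
        return "linked"

    def resolve(self, cloud_id, account_id):
        """Map an incoming Jira identity to the local user, or None if unlinked."""
        return self._links.get((cloud_id, account_id))
```

A production version would keep both tables in the application's database and store tokens per link; the in-memory dictionaries here only show the checks.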