Generate access token in forge app

I’m migrating a Connect app to Forge. In our Connect app we will fetch data (Jira issues/Confluence content) and send it to an external server for processing, along with a Jira/Confluence access token generated in the Connect app, so the external server can read protected resources like images and such.

In the Forge app I was able to implement the communication with that external server, but I can’t find any option to generate access tokens.

One option I came across is to use OAuth2 and to convert that external server to an OAuth app and generate the token from within it. But I think this makes things complicated, because now the user has to

  • Install Forge App
  • Allow Access to Forge App
  • Install OAuth App
  • Allow Access to OAuth App

And from what I can see in the OAuth app’s docs, it says that “OAuth 2.0 (3LO) apps are installed on a per-user basis”, so does that mean that if I have 10 users in my site, all 10 users have to install the OAuth app?

Are there any other options?

2 Likes

Hi @Dineshkumar

We’re at the moment starting work on changing the authentication for Connect apps so that the Forge part and Connect part of an app can access the same resources. With the authentication changes you should be able to store your data using the storage API (https://developer.atlassian.com/platform/forge/runtime-reference/storage-api/) and then the external server could fetch it from there with an authenticated request. Would this work for your use case?

We cannot give any firm dates on when the authentication changes will ship, but I expect it to be around first half of 2022. We also might be able to give you early access if you’re interested in testing the feature before it’s generally available.

2 Likes

Hi @ekaukonen

That won’t work for us, because the external server loads the given HTML content (exported from Confluence via the REST API) into a headless Chromium and instructs the browser to add the JWT token we gave it to the auth header. We do it this way so it can load all the private resources.

If we want to use the storage API for this, that means we would have to find a reliable way to detect private resources in the HTML, fetch and store them in the Storage API, then replace their URLs with ones that point to the Storage API, which does not seem like a good solution.

What I want to know now is… Is there any option in Forge (currently, or planned for the future) to generate something like an access token that allows external servers to load protected content? And could you please clarify this “OAuth 2.0 (3LO) apps are installed on a per-user basis”?

What I want to know now is… Is there any option in Forge (currently, or planned for the future) to generate something like an access token that allows external servers to load protected content?

There are some plans and discussion around this, but at the moment we’re not yet ready to share any concrete deadlines or plans. It would be possible to save a shared secret and use that to sign a JWT token in your Forge function.

And could you please clarify this “OAuth 2.0 (3LO) apps are installed on a per-user basis”?

This means that every customer using your app will need to give consent to the app to act on their behalf. The access token/refresh token is also going to be specific to a user.

However in your use case it might be sufficient if the admin who installs the app grants the permissions, and all the calls from the external server to fetch extra resources use the credentials of the user who installed the app. This of course wouldn’t work if the installer does not have permissions to access everything.

2 Likes