I have a single Atlassian Connect app running, which can be “installed” into multiple JIRA Cloud instances.
My Atlassian Connect app also exposes a web API that allows a user to query a JIRA Cloud instance for issue details.
On the web API the client will specify 1) what issue to fetch, 2) the URL of the JIRA Cloud to contact and 3) the JIRA Cloud username to act as (because I’m using the ACT_AS_USER scope).
My Atlassian Connect app is trusted by all the JIRA Cloud instances it is installed on, so my app is allowed to acquire an OAuth2 token for the desired JIRA Cloud and start making requests on behalf of the desired username.
So, here’s the real question… if client A were to discover the URL and a valid username of client B’s JIRA Cloud, what is there to stop client A from using my app’s web API to fetch the details of issues from client B’s JIRA Cloud?
Am I missing something here? Is there something else built into the Atlassian Connect app framework that helps guard against this? How does client A prove they really are a user of client A’s JIRA Cloud and that they are not misusing the trust established by the Connect app to query one of the other JIRA Clouds?
Thanks in advance.
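An added example, not part of the original post and not Atlassian's code: one way to bind each web API request to the caller's own tenant, so that a client-supplied URL cannot select another installation. It assumes the caller presents an HS256 JWT signed with the `sharedSecret` that Jira handed the app for that installation, with `iss` set to the tenant's `clientKey`; `TENANTS`, `sign_jwt` and `resolve_target` are hypothetical names, and the `qsh` claim and the acted-as username are not checked here.

```python
import base64, hashlib, hmac, json, time

# Constructed tenant store: one record per installation, as saved from the
# "installed" lifecycle callback (clientKey, sharedSecret, baseUrl). Values are made up.
TENANTS = {
    "client-a-key": {"sharedSecret": "secret-a", "baseUrl": "https://client-a.example.atlassian.net"},
    "client-b-key": {"sharedSecret": "secret-b", "baseUrl": "https://client-b.example.atlassian.net"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, secret: str) -> str:
    """Build an HS256 JWT; used here only to construct sample tokens."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    mac = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(mac)}"

def resolve_target(token: str, requested_url: str, now=None) -> str:
    """Return the Jira base URL this caller may query, or raise PermissionError."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
        iss, exp = str(claims["iss"]), float(claims["exp"])
        alg = header["alg"]
    except (ValueError, TypeError, KeyError):
        raise PermissionError("malformed token")
    if alg != "HS256":
        raise PermissionError("unexpected algorithm")
    tenant = TENANTS.get(iss)  # the secret is chosen by the claimed issuer...
    if tenant is None:
        raise PermissionError("unknown tenant")
    expected = hmac.new(tenant["sharedSecret"].encode(),
                        f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # ...so a forged iss fails here
        raise PermissionError("bad signature")
    if exp <= (time.time() if now is None else now):
        raise PermissionError("token expired")
    # The target comes from the verified tenant record, never from the request.
    if requested_url.rstrip("/") != tenant["baseUrl"]:
        raise PermissionError("requested URL is not the caller's tenant")
    return tenant["baseUrl"]
```

With this check, knowing client B's URL and a username is not enough: the request must also carry a token that verifies under client B's stored secret.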