How to authenticate a user when a single Atlassian Connect app is installed on many JIRA Clouds

Hi all,

I have a single Atlassian Connect app running, which can be “installed” into multiple JIRA Cloud instances.

My Atlassian Connect app also exposes a web api that allows a user to query a JIRA Cloud instance for issue details.

On the web api the client will specify 1) what issue to fetch, 2) the URL of the JIRA Cloud to contact and 3) the JIRA Cloud username to act as (because I’m using the ACT_AS_USER scope).

My Atlassian Connect app is trusted by all the JIRA Cloud instances it is installed on, so my app is allowed to acquire an OAuth2 token for the desired JIRA Cloud and start making requests on behalf of the desired username.

So, here’s the real question…if client A were to discover the URL and a valid username of client B’s JIRA Cloud, what is there to stop client A from using my app’s web api to fetch the details of issues from client B’s JIRA Cloud?

Am I missing something here? Is there something else built in to the Atlassian Connect app framework that helps guard against this? How does client A prove they really are a user of client A’s JIRA Cloud and that they are not misusing the trust established by the Connect app to query one of the other JIRA Clouds?

Thanks in advance.


What you’re talking about here is securing a multi-tenant environment. Are calls to your exposed API being made by the Atlassian product? If so, then your app needs to validate the request using the shared secret. See this page on authentication, scroll down to the section (at the bottom) titled “Exposing a service.”

Look out for a private message coming from me.
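The shared-secret validation Neil refers to, worked through as an added example (not code from the thread or from Atlassian): each installed tenant is identified by the `iss` claim (its clientKey) of the JWT the product sends, the signature is checked only against that tenant's own shared secret, and the `qsh` claim binds the token to the exact request, so a token from one JIRA Cloud cannot be redirected at another tenant's data. The tenant registry, secrets and issue keys are constructed sample values, and the query-string-hash routine assumes single-valued parameters.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import quote
# Constructed registry: clientKey -> shared secret received at install time.
TENANT_SECRETS = {
    "tenant-a-client-key": b"constructed-secret-for-tenant-a",
    "tenant-b-client-key": b"constructed-secret-for-tenant-b",
}
def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def compute_qsh(method, path, query):
    # Query string hash over METHOD&path&sorted params ("jwt" excluded); single-valued params assumed.
    parts = [quote(k, safe="~") + "=" + quote(query[k], safe="~")
             for k in sorted(k for k in query if k != "jwt")]
    canonical = "&".join([method.upper(), path or "/", "&".join(parts)])
    return hashlib.sha256(canonical.encode()).hexdigest()

def verify_connect_jwt(token, method, path, query, now):
    # Returns the claims when the token is valid for the tenant named in `iss`, else None.
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return None
    secret = TENANT_SECRETS.get(claims.get("iss"))
    if header.get("alg") != "HS256" or secret is None:
        return None  # unknown tenant, or the token tries to pick its own algorithm
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None  # tampered, or signed with another tenant's secret
    if claims.get("exp", 0) <= now:
        return None  # expired
    if claims.get("qsh") != compute_qsh(method, path, query):
        return None  # token was issued for a different request
    return claims  # caller scopes all work to claims["iss"], never to a client-supplied URL

def mint_connect_jwt(iss, sub, secret, method, path, query, now):
    # Builds a token the way the product would; used here only to exercise the verifier.
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    claims = {"iss": iss, "sub": sub, "iat": now, "exp": now + 180, "qsh": compute_qsh(method, path, query)}
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"
```

The point for the multi-tenant case is that the tenant to act on comes from the verified `iss` claim, not from a URL or username the caller supplies.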

Thanks for the reply, Neil.

Have pm’ed you back.

Paul

When a user signs in to Jira, and your Connect App loads in the IFRAME, your app should create a session recording the user ID and instance ID. All subsequent requests coming from that user’s browser should have that session ID which your app’s backend would use to check against any hijacked/re-written requests that don’t match up – including both username and instance name.

Hi Neil,

Thanks for getting back to me. Actually, we have now decided to go a different route. Instead of using a Connect App, we are going to make use of API tokens. This approach will force a user to first log in to Atlassian and acquire an API token. These credentials will then authenticate and authorise that user with any JIRA Cloud that they belong to, and stop them using ones they don’t belong to.

Thank you for your support.

Paul.

Hi there
I know this is quite a late reply - I don't seem to find the "See this page on authentication, scroll down to the section (at the bottom) titled “Exposing a service.”" section

Has that moved else where or is there a different method to do that now?

I am trying to do the same.

Thank you
Yatish