How to autneticate and authorize a user via Atlassian Connect app

ShenbagaMurugan · May 17, 2021, 6:33am

I am trying to develop an Atlassian Connect app. Here is what I am trying to do.

The user logs in to JIRA and I am loading a panel in his JIRA issue page with other JIRA issues related to the current issue. I am making REST API (v3) calls to JIRA server to get the issue details. But I need to make sure that the user is shown ONLY the issues he is authorized to view. How can this be achieved?

The Tenant data captured during installation is not user level data and hence can’t differentiate between users. I need a way to get the user’s API token or session so that I can get JIRA tickets applicable for the user.

Preferably using JavaScript and at the worst case, Java Spring boot.

m.ahrens · May 17, 2021, 7:45am

Hey,

I dont know which REST API calls you are making, but usually it is default behaviour for those API’s that they only return data that the user is permitted to view.

So if a user does not have the permission to view a project, he will not be able to request any data via the REST API e. g. “/rest/api/3/issue/” for this project. The request will fail with 404.

Hope that this helps!

Best regards,

Marc

ShenbagaMurugan · May 17, 2021, 9:58am

So, my app will be loaded inside an iframe and I can’t make request to JIRA APIs from the iframe as CORS is not supported. Now, how can I make the calls to JIRA API for the particular user using my app?

m.ahrens · May 17, 2021, 10:18am

You will want to use the Atlassian Connect Javascript API to request JIRA’s REST API’s.
Please view the following: Request

As described in the AC documentation, requests via AP.request will be exectued by the currently logged in user.

ShenbagaMurugan · May 17, 2021, 11:03am

Thanks a lot. I will give it a try and update you

ShenbagaMurugan · May 19, 2021, 1:08pm

we implemented the request with AP.Request and now getting a 403 error when invoked via code. But the same request if opened in a new tab is working. May I know why it is happening?

Note: We inspected the JWT and both are using the same JWT

ShenbagaMurugan · May 19, 2021, 2:45pm

I am able to resolve it by setting scope to READ and WRITE in atlassian-connect.json. We actually tried a GET request and hence we just went ahead with READ alone. But it caused 403 error. Hope this helps someone.

m.ahrens · May 20, 2021, 5:50am

Hi ShenbagaMurugan, im happy to hear that you got it working.

When working with JIRA’s REST API it is important to note which scopes are required by the different REST calls.
I fell for that a couple times aswell.

Best regards,

Marc