How to manage 3LO OAuth 2.0 apps in Atlassian Government Cloud without tying them to a personal account?

I’m building an integration that uses 3LO (three-legged OAuth) to let customers authorize access to their AGC Jira instance. I need to create a 3LO app in the developer console, but I don’t want to create it under my personal account - if I leave my company or lose access, the app would be stranded and all existing user connections would be invalidated.

In commercial Atlassian Cloud, we use a shared account for this. In AGC, I tried:

  • Creating a service account - an email was generated, but I can’t log in (no inbox to receive the verification code)
  • Generating OAuth2 credentials for the service account directly - the page rendered blank (and even if it worked, these credentials aren’t meant for the 3LO flow I need)

I’m aware that Atlassian support can manually transfer ownership of 3LO apps on request, but this isn’t ideal - it requires a support ticket each time someone leaves the company and doesn’t allow multiple people to manage the app proactively. In short, it’s too fragile an approach.

Questions:

  1. Is there a way to log into or use a service account to create 3LO apps in AGC?
  2. Can multiple users be added as administrators of a single app in the developer console, so the app isn’t isolated to one account and persists if that account is deleted?
  3. Is creating a managed account with SSO bypassed possible so multiple people can log in to the account using a shared set of credentials? Then, we could use the managed account to create the app in the developer console.
  4. What’s the recommended approach for having multiple people manage 3LO apps without tying them to a single employee given the SSO requirement?

@dataservice,

OAUTH20-2502 is about having multiple owners for 3LO Apps in Atlassian Developer Console.

That said, some replies to your question…

> if I leave my company or lose access, the app would be stranded and all existing user connections would be invalidated

Yes, the app would be stranded but, no, not all existing user connections would be invalidated.

> Creating a service account - an email was generated, but I can’t log in (no inbox to receive the verification code)

I’m not sure I understand how this is a limitation of AGC. That sounds like you don’t have the ability to create an email mailing list as an alias for the group of owners. Even if there weren’t a verification code flow for email verifications, you would still need email notifications about the app to come to the owners. Can you request to get an email group set up?

> Is there a way to log into or use a service account to create 3LO apps in AGC?

Yes. It requires a valid email with an inbox.

> Can multiple users be added as administrators of a single app in the developer console, so the app isn’t isolated to one account and persists if that account is deleted?

No. See the suggestion at the start of my response.

> Is creating a managed account with SSO bypassed possible so multiple people can login to the account using a shared set of credentials?

Yes. This requires an org admin to perform.

> What’s the recommended approach for having multiple people manage 3LO apps without tying them to a single employee given the SSO requirement?

If the org admin will not create a service account that is an alias to a group of emails, then there’s not a solution; hence, the suggestion. Isn’t that more a policy limitation than a technical constraint of AGC?

Hope those answers & the JAC ticket help.
