We are working on an integration that would rely on authenticating with Jira API tokens. The idea is that, the first time it is necessary, we want to ask the user to enter his API token into our web form.
The question is: is it OK to store and re-use the API token for further interactions? (Asking for it again and again would lead to an annoying user experience.)
The security requirements for cloud apps page has a vague sentence related to this:
- The application must not collect Atlassian user credentials.
What does “collect” mean here? If you can’t save the token into an automation script, for example, then what’s the point of the tokens at all? Or does it mean that you cannot ask for and store API tokens for a large number of users?
Of course, storing those is a security concern, but we could imagine something along these lines:
- Storing these as encrypted user properties. We can use JWT to access the “get user property” and “set user property” endpoints, obtain the API token from there and use that. In other words, we would “outsource” the problem to Jira Cloud.
- Storing these as passwords in the browser’s own password manager. I am not 100% sure if it is doable, but if it is, it will be just as secure as your Jira password. In other words, we would “outsource” the problem to the browser (Google, Microsoft, etc.).
Has anyone done anything like this before?