Hi all,
We have a client’s app integrated with our atlassian app named “Jira” which uses Jira scopes. Now whenever we are running the auth URL:
https://auth.atlassian.com/oauth/token?
grant_type=authorization_code&
client_id={our client id}&
client_secret={our client secret}&
code={code generated}&
redirect_uri={redirect uri}
we are getting the page where we accept the app’s permissions (consent page). SS below:
Now from the dropdown there a user can select which domain they want to login/connect. I have two domains there, let’s say one is A and the other is B. Now when I login by selecting A, I get A’s data. After a few days I login with B and I get B’s data. The situation arises now when I again try to login to A. I select A from the dropdown and click on “Accept”. I still get B’s data! I checked the console and it seems the token API https://auth.atlassian.com/oauth/token is returning me B’s data only, which is getting stored in my db and I am seeing B’s data via the API calls.
This is a privacy bug/issue and is creating an issue for us as well as our clients. Any solutions to this please?
Thanks in advance.
@SaaketGupta,
The short answer, yes, you can fix this bug.
The longer answer is that doing so will require your client to be more careful in mapping your tenant context to Atlassian’s. I am struggling to know exactly what advice to provide since the URL you provided is wrong. The authorization flow starts with a browser URL to https://auth.atlassian.com/authorize which takes parameters. After your client gets a code on the redirect URI, it sends that code to https://auth.atlassian.com/oauth/token in JSON (not parameters) in order to receive an access token. Through that flow, your client needs to use the state parameter both for security against replay attacks and for user mapping. In other words, a user on your product should be mapped through the state parameter to the access token you get back from the authorization code flow.
Then, there is a 2nd aspect of mapping your client must accomplish: the target site (you used the term “domain”). At the end, when your client has a token, it can have multiple sites associated, each with a different cloudId. At this time, there is no means for the OAuth flow to disambiguate: “Does the user mean site A or site B?” Therefore, the recommended flow is for your client to check the accessible-resources and then prompt your user for their intent.
To provide better advice, can you explain more about:
- How your client maps users using the state parameter? If the user has access to both site A & site B, how is it a privacy concern that your app has access to both?
- How your client maps sites via cloudIds in accessible-resources? Does the client assume the first or last result in the array is always the one the user wants?
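The flow the reply describes, as an added example that is not part of the original thread and not code from the replier or from Atlassian: a one-time state value maps the callback to the local user and is consumed exactly once (so a replayed callback fails), the code is posted to /oauth/token as a JSON body rather than query parameters, and the site is chosen from accessible-resources by the cloudId the user picked, never by position in the array. The authorize parameters beyond state (audience, response_type, scope, prompt) are taken from Atlassian’s 3LO documentation as I know it, not from this thread, and the HTTP responses are constructed sample data injected through an `http` callable so the block runs offline; the endpoint URLs are the ones named in the reply plus the accessible-resources URL on api.atlassian.com.

```python
"""Authorization-code flow with state-to-user mapping and an explicit
cloudId choice.  Example code, not Atlassian's or the thread author's."""
import json
import secrets
import urllib.parse
import urllib.request

AUTHORIZE_URL = "https://auth.atlassian.com/authorize"
TOKEN_URL = "https://auth.atlassian.com/oauth/token"
# Assumed from Atlassian docs; not named in the thread.
RESOURCES_URL = "https://api.atlassian.com/oauth/token/accessible-resources"


class OAuthError(Exception):
    pass


class PendingLogins:
    """state -> local user id.  A real app keeps this in a server-side store."""

    def __init__(self):
        self._pending = {}

    def start(self, local_user_id):
        state = secrets.token_urlsafe(32)       # unguessable, one per login attempt
        self._pending[state] = local_user_id
        return state

    def finish(self, state):
        # pop(): a state is valid exactly once, so a replayed callback is rejected
        try:
            return self._pending.pop(state)
        except KeyError:
            raise OAuthError("unknown or reused state") from None


def build_authorize_url(client_id, redirect_uri, scopes, state):
    params = {
        "audience": "api.atlassian.com",       # assumed per Atlassian 3LO docs
        "client_id": client_id,
        "scope": " ".join(scopes),
        "redirect_uri": redirect_uri,
        "state": state,
        "response_type": "code",
        "prompt": "consent",
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def _default_http(method, url, headers, body):
    """Minimal JSON client; swap in a fake for tests."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def exchange_code(client_id, client_secret, code, redirect_uri, http=_default_http):
    """Send the code as a JSON body, not as query parameters."""
    body = {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "code": code, "redirect_uri": redirect_uri}
    resp = http("POST", TOKEN_URL, {"Content-Type": "application/json"}, body)
    if "access_token" not in resp:
        raise OAuthError(f"token endpoint error: {resp}")
    return resp["access_token"]


def accessible_sites(access_token, http=_default_http):
    headers = {"Authorization": "Bearer " + access_token, "Accept": "application/json"}
    return http("GET", RESOURCES_URL, headers, None)


def choose_site(sites, chosen_cloud_id=None):
    """Pick the site by the cloudId the user chose.  With several sites and no
    choice, refuse rather than silently taking sites[0] (the bug in the post)."""
    if not sites:
        raise OAuthError("token grants access to no sites")
    if chosen_cloud_id is None:
        if len(sites) == 1:
            return sites[0]
        raise OAuthError("several sites; prompt the user: "
                         + ", ".join(s["url"] for s in sites))
    for site in sites:
        if site["id"] == chosen_cloud_id:
            return site
    raise OAuthError("chosen cloudId is not among the accessible sites")


# Constructed sample responses standing in for the two Atlassian endpoints.
SAMPLE_TOKEN_RESPONSE = {"access_token": "tok-example", "token_type": "Bearer",
                         "expires_in": 3600, "scope": "read:jira-work"}
SAMPLE_SITES = [
    {"id": "cloud-id-A", "url": "https://site-a.atlassian.net", "name": "site-a"},
    {"id": "cloud-id-B", "url": "https://site-b.atlassian.net", "name": "site-b"},
]


def fake_http(method, url, headers, body):
    if method == "POST" and url == TOKEN_URL and headers.get("Content-Type") == "application/json":
        return dict(SAMPLE_TOKEN_RESPONSE)
    if method == "GET" and url == RESOURCES_URL and headers.get("Authorization") == "Bearer tok-example":
        return [dict(s) for s in SAMPLE_SITES]
    raise OAuthError(f"unexpected request {method} {url}")


if __name__ == "__main__":
    pending = PendingLogins()
    state = pending.start("local-user-42")
    print(build_authorize_url("cid", "https://app.example/cb", ["read:jira-work"], state))
    user = pending.finish(state)                 # callback arrives with this state
    token = exchange_code("cid", "secret", "code123", "https://app.example/cb", http=fake_http)
    sites = accessible_sites(token, http=fake_http)
    print(user, "picked", choose_site(sites, "cloud-id-A")["url"])
```

The point of `choose_site` is the last question in the reply: when the token covers both A and B, the app has to store the user’s chosen cloudId alongside the token and use it on every later API call, because the token response itself carries no site.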