Jira authentication query


#1

Hi Folks,

Apologies if this is the wrong channel. I’m new to both this community and Jira, but I need to add support for Jira to an existing app. It will both make unsolicited requests to Jira (creating issues, changes to issues etc) and receive webhook calls from Jira (creating issues, changes to issues etc). Both actions can be initiated from either side.

Do I read correctly that such an app needs to have both OAuth for the unsolicited requests and JWT for the webhooks?

Thanks in advance,
Ken R.


#2

Hi Ken.

It sounds like you need to create a Connect Add-on, which includes Webhooks functionality. This primarily uses JWT for Auth to call Jira APIs and Webhooks.

Connect Add-ons must be installed by the admin of the Jira Site and act as a service user; i.e. they have their own user.

Connect Add-ons ONLY use OAuth to do User Impersonation; i.e. when you want to call an API (e.g. to create/change an issue) on behalf of a user. To be precise, there is an OAuth 2.0 Grant flow to exchange JWT for an OAuth bearer token (RFC 7523).

Hope this makes sense…it is confusing.

Bruce


#3

Thanks for that Bruce.

Sorry to be a pain but does any POST payload have to be included in the JWT or is that only the URL and method?

Thanks in advance,

Ken R.


#4

The payload is not included in the JWT. More info -> Understanding JWT for apps


#5

@ken.ross, to your original question, for your “unsolicited requests” to Jira, you can choose between two authentication mechanisms:

  • JWT - very similar to the way the Atlassian product authenticates requests, such as webhooks, to your app. You can use this to make requests as your app.
  • OAuth 2.0 JWT Bearer token - you can use this to make requests as your app or as a user.
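
An added illustration, not code from any post in this thread or from Atlassian: a minimal HS256 sketch of the point made in #3 and #4, where the token's `qsh` claim hashes only the method, path and query string, so a POST body is not covered by the JWT and its integrity in transit rests on HTTPS. Assumptions: the shared secret comes from the app's installation handshake, the canonicalization is a simplified form of the query string hash described in Atlassian's Connect JWT documentation, and all function names and sample values are hypothetical or constructed.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qsl, quote, urlsplit

def _enc(s):  # RFC 3986 percent-encoding; only unreserved characters stay literal
    return quote(s, safe="-._~")

def canonical_request(method, url):
    """METHOD&path&sorted-query for a URL relative to the base URL (no body input)."""
    parts = urlsplit(url)
    path = (parts.path.rstrip("/") or "/").replace("&", "%26")
    params = {}
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        if k != "jwt":  # the token itself is never part of the hash
            params.setdefault(_enc(k), []).append(_enc(v))
    query = "&".join(f"{k}={','.join(sorted(v))}" for k, v in sorted(params.items()))
    return f"{method.upper()}&{path}&{query}"

def qsh(method, url):
    return hashlib.sha256(canonical_request(method, url).encode()).hexdigest()

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(issuer, secret, method, url, now=None, ttl=180):
    now = int(time.time()) if now is None else now
    claims = {"iss": issuer, "iat": now, "exp": now + ttl, "qsh": qsh(method, url)}
    parts = ({"alg": "HS256", "typ": "JWT"}, claims)
    signed = ".".join(_b64(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    mac = hmac.new(secret.encode(), signed.encode(), hashlib.sha256).digest()
    return f"{signed}.{_b64(mac)}"

def verify_jwt(token, secret, method, url, now=None):
    """True only if signature, expiry and qsh all match the request actually received."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
        header, claims = json.loads(_unb64(h)), json.loads(_unb64(c))
        mac = hmac.new(secret.encode(), f"{h}.{c}".encode(), hashlib.sha256).digest()
        return (header.get("alg") == "HS256" and hmac.compare_digest(mac, _unb64(s))
                and now < claims["exp"]
                and hmac.compare_digest(claims["qsh"], qsh(method, url)))
    except (ValueError, KeyError, TypeError, AttributeError):
        return False

if __name__ == "__main__":  # constructed sample values
    t = sign_jwt("com.example.app", "constructed-secret", "POST", "/rest/api/2/issue")
    print(verify_jwt(t, "constructed-secret", "POST", "/rest/api/2/issue"))
```

A receiver that recomputes `qsh` from the request it actually got rejects a token replayed against a different endpoint or method, which the signature check alone would not catch.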