Jira Cloud App is not able to authenticate by using accountId AccessKey

Masud · January 18, 2019, 8:18pm

Our App isn’t authenticating with accountId accessKey as follows:

New API AccessKey Structure to use an issuer of JWT:
<TenantId> <AccountId> <ServiceName>

Earlier we had as follows and it was working fine to use an issuer of JWT:
<TenantId> <UserKey> <ServiceName>

Now for GDPR compliance we had to support both of them for our customer until the end of the deprecation period.

Note: When we add the following:
“apiMigrations”:

{ “gdpr”: true }

in atlassian-connect descriptor. Only accountId AccessKey is working, but userKey AccessKey isn’t working.

Error Message from Jira:
“Your presented credentials do not provide access to this resource.”

epehrson · January 21, 2019, 9:47am

@Masud, is API AccessKey is a concept internal to your app?

If you are trying to authenticate to Jira, specifying an account ID, I guess that means you are using User impersonation for Connect apps?

Masud · January 21, 2019, 4:46pm

@Masud, is API AccessKey is a concept internal to your app?

Yes.

If you are trying to authenticate to Jira, specifying an account ID, I guess that means you are using User impersonation for Connect apps ?

We are not using oauth-2-jwt-authentication.
We are using following JWT structure:
https://developer.atlassian.com/cloud/jira/platform/understanding-jwt/

epehrson · January 21, 2019, 5:30pm

@Masud, I don’t understand. A Connect JWT issued by your app can only be used to authenticate as your app in service-to-service requests. An attempt by your app to provide a user identifier in the sub or context claim will simply be ignored.

What is the behavior you expect? Can you provide an actual example (with any user references or credentials redacted)?

Masud · January 21, 2019, 5:51pm

Earlier we used following structure to create accessKey which we used as issuer of JWT:

AccessKey
Base64( <tenantId> <userKey> <serviceName> )
e.g(encoded): MTMwNTczY2UtMjI3NC0zZThlLWI5NTUtMTlkMDEwMjU5ZGNmIG1hc3VkLmphdmEgSW50ZXJuYWxTZXJ2aWNl

Now for GDPR we are trying to use:

AccessKey
Base64( <tenantId> <accountId> <serviceName> )
e.g(encoded): MTMwNTczY2UtMjI3NC0zZThlLWI5NTUtMTlkMDEwMjU5ZGNmIDU1NzA1ODplM2Y3Y2FlOS1hNGE1LTQ3NmMtODVjOS0yYjQ1NDk5ZGRjNDUgSW50ZXJuYWxTZXJ2aWNl

And it’s failing to authenticate.

But we expect to work both the cases.

epehrson · January 21, 2019, 6:56pm

@Masud, you use it as the issuer of a JWT? Neither of those examples can possibly have worked. Per the documentation:

iss: […] If the app is the calling application: the app key specified in the app descriptor