Jira cloud token based auth CORS issues

Hello there (General Kenobi)!
I’ve seen a few posts about the topic but nothing with a definite answer. I think it is due to the large spectrum of applications of Jira APIs.
My company is using Jira cloud and I gave myself a task to create a dashboard that will collect data from various sources that the IT department uses such as Jira, Github, Slack, etc…

Naturally I opted for a token based auth because of multiple different api calls the dashboard will have to make. I got my api token and when I try making requests to https://myCompanyName.atlassian.net/rest/agile/latest/board through Postman (or terminal using curl) I get a nice response. However, when I try making the same request from my React app my request fails before it can ever reach the server. If I start the Chrome browser with --disable-web-security flag everything works just fine but that is far from optimal. I am using axios npm package for making these requests.

Can anyone give me any tips on how to get this to work and what would be the easiest solution?

  • Do I have to whitelist my localhost url to make it work?
  • Do I have to make a node server using the atlassian-connect-express to make it work?
  • Do I have to opt for OAuth authentication in the end because none of the above will work?

I am sorry if this has been answered in prior topics but I haven’t been successful in finding a good answer yet. Any tips are welcome!

With this being said thanks for your time, stay safe and cheers!

Hi @FilipMalek,

As mentioned in: CORs error with REST api - #4 by sreuter

We actually do support CORS requests when using https://developer.atlassian.com/cloud/jira/platform/oauth-2-authorization-code-grants-3lo-for-apps/ , as your requests will go through api.atlassian.com where token based authentication is the only thing we allow.

For further explanation: The problem why we don’t support CORS directly on your site host/domain is that we accept session based authentication on there, which would then allow any site to make random, authenticated requests to your site.

The alternative is to proxy your requests through your own backend


This is also mentioned in the FAQ section of the OAuth 2.0 (3LO) for apps documentation page:

Is CORS whitelisting supported?
CORS whitelisting is supported for api.atlassian.com . CORS whitelisting allows OAuth 2.0 authorization code grants to work for browser-based XHR or fetch requests subject to cross-origin restrictions, such as Chrome or Electron apps.

Also, from the same documentation:

Requests that use OAuth 2.0 (3LO) are made via api.atlassian.com (not https://your-domain.atlassian.net ). Construct your request URL using the following structure:

  • Jira apps: https://api.atlassian.com/ex/jira/{cloudid}/{api}
  • Confluence apps: https://api.atlassian.com/ex/confluence/{cloudid}/{api}

Please review the above documentation and thread for details.

Also, as a possible workaround, you may want to have a look at: CORS Anywhere

I hope this helps.

Cheers,
Dario
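
The "proxy your requests through your own backend" option from the reply above, as an added example that is not part of the original thread or Atlassian's code: a small Node proxy that keeps the API token on the server, answers CORS only for the dashboard's origin, and forwards only allowlisted read-only paths. The origin, the path allowlist and the `JIRA_SITE` / `JIRA_EMAIL` / `JIRA_API_TOKEN` variable names are assumptions.

```javascript
// Added example (not from the thread). Assumed names: DASHBOARD_ORIGIN,
// ALLOWED_PREFIXES and the JIRA_SITE / JIRA_EMAIL / JIRA_API_TOKEN variables.
const DASHBOARD_ORIGIN = 'http://localhost:3000'; // the only browser origin served
const ALLOWED_PREFIXES = ['/rest/agile/latest/board']; // read-only paths the dashboard needs

// CORS headers go only to the allowlisted origin: no wildcard, no reflection.
function corsHeaders(origin) {
  if (origin !== DASHBOARD_ORIGIN) return {};
  return { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
}

// Map a browser request to the upstream Jira request, or null to refuse it.
function upstreamRequest(method, path, cfg) {
  if (method !== 'GET') return null;
  const site = new URL(cfg.site);
  const url = new URL(path, site); // resolves "../" and "//host" forms
  if (url.origin !== site.origin) return null; // never forward the token elsewhere
  const allowed = ALLOWED_PREFIXES.some(
    (p) => url.pathname === p || url.pathname.startsWith(p + '/'));
  if (!allowed) return null;
  // Jira Cloud API tokens are sent as HTTP Basic auth: email:token.
  const basic = Buffer.from(`${cfg.email}:${cfg.token}`).toString('base64');
  return { url: url.href,
           headers: { Authorization: `Basic ${basic}`, Accept: 'application/json' } };
}

// HTTP wiring (Node 18+ for global fetch). Bound to loopback for local development.
async function start(cfg, port = 8080) {
  const http = await import('node:http');
  return http.createServer(async (req, res) => {
    const cors = corsHeaders(req.headers.origin);
    const up = upstreamRequest(req.method, req.url, cfg);
    if (!up) { res.writeHead(403, cors); return res.end(); }
    try {
      const r = await fetch(up.url, { headers: up.headers });
      res.writeHead(r.status, { ...cors, 'Content-Type': 'application/json' });
      res.end(await r.text());
    } catch {
      res.writeHead(502, cors); res.end();
    }
  }).listen(port, '127.0.0.1');
}

// Starts only when credentials are present in the environment.
if (process.env.JIRA_API_TOKEN) {
  start({ site: process.env.JIRA_SITE, email: process.env.JIRA_EMAIL,
          token: process.env.JIRA_API_TOKEN });
}
```

CORS headers only constrain browsers, so a proxy deployed beyond localhost still needs its own user authentication in front of it.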

Hi,
I don’t have a JIRA app but a SaaS service from where I’d like to make JIRA API calls.
It’s transparent to the user and hence, I can’t redirect the user to a URL to get the code.
I have to use OAUTH2 otherwise I get a CORS error.
How can I make my service work with JIRA API?

Hi @BakulBanthia ,

As already mentioned in my reply:

The alternative is to proxy your requests through your own backend
[…]
… as a possible workaround, you may want to have a look at: CORS Anywhere

For further details and/or for other CORS proxies please review below links: