JIRA Server Integration - Which Auth mechanism to use?

Jira Development Jira Server
#1

Hello,

We are building an application that integrates with JIRA Server using the REST APIs.
The problem is that we want to use OAuth for authenticating the requests but JIRA has a 3-legged version of OAuth1.0a where there is user interaction.

Since our app doesn’t have any UI and is basically just a batch job that imports/exports data, we can’t use this.
Does JIRA support the 2-legged version of OAuth 1.0a or should we just use basic auth instead?

Thanks in advance for your help.

Regards,
Vijay

#2

The OAuth documentation for AppLinks says this:

“Impersonating authentication makes requests on behalf of the user who is currently logged in.
Note that Atlassian OAuth with impersonation can only be used for application links between Atlassian applications.”

I’d say you’ll have to use HTTP basis auth.

#3

Thanks for your response @david.pinn. I found that there’s an option in the OAuth configuration page called ‘Allow 2-Legged OAuth’. I have now enabled it but I’m yet to verify that it indeed works. I will update once I try it out.

#4

Hello @david.pinn,

Here’s what I did.

  1. Enabled ‘Allow 2-Legged OAuth’.
  2. Entered a valid user id in ‘Execute As’.
  3. Got the request token using my external client.
  4. Tried to get the access token using the request token but got the error oauth_problem=permissions_unknown.

I’m guessing this is because I haven’t authorised the access token, but my understanding is that for the 2-legged version this isn’t required. Am I missing something? Please help.

Thanks,
Vijay

#5

I’d be happy to learn otherwise, but for now I still maintain that 2-Legged OAuth in JIRA is only available in the context of links (AppLinks) between Atlassian applications.

See, for example: Details of 2-legged OAuth (2LO) with impersonation.

#6

Yeah I saw that but what I understand is that OAuth with impersonation is only for Atlassian applications but it’s not clearly mentioned anywhere that even without the impersonation, it wouldn’t work.

The way the current implementation works, I’d say there’s no difference between 3-Legged and 2-Legged so I’m stuck with Basic Auth which is sad really.

Regards,
Vijay