JIRA Webhook Calls Security

Hi there,

We have a standalone product which has tight JIRA integration. We are using webhook calls for issue create, update and delete events. So if any issue-related event happens on JIRA, we get a notification about it and make the necessary changes on our side.

Right now the issue is that this REST endpoint which we have used in the webhook is not secure. Anyone from outside can also call it.

How do we make sure that the request is coming from JIRA and not from any other source?

FYI - We have customers on both Cloud and Server. And whitelisting IPs is not an option for us.

Can anyone provide a resolution for this?

Thank You.

For the Cloud customers - the “easiest” (for them) would be to have an Atlassian Connect app. When they install the app, you’d receive an installation hook with a secret. Then the webhooks that you declare in the app would have a JWT Authorization header on them which you can then decode with the secret. For more about this - see https://developer.atlassian.com/cloud/jira/platform/modules/webhook/ and Security for Jira Cloud apps

For Server, it gets more complicated… The best way would be for you to create your own P2 app which can handle whichever authentication you want. Failing that, my suggestion would be to embed an authentication token in the URL to your system. While it’s a bit “security through obscurity” - it would at least allow you to make it harder for people to impersonate the Jira instance.

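The Cloud half of the answer above, worked through as an added example (this is not code from the poster, from Atlassian, or from any Connect library). It verifies the HS256 JWT that Jira Cloud puts in the Authorization header of a Connect webhook using only the Python standard library: the signature is checked against the shared secret received in the installation lifecycle hook, the `iss` claim is matched against the stored `clientKey` of that installation, `exp` is enforced, and the `qsh` (query string hash) claim is recomputed from the method and URL of the incoming request so that a token captured from one request cannot be replayed against a different endpoint or method. The shared secret, client key, webhook URL and timestamps are constructed values; the canonical-request rules follow the Connect specification as I understand them (uppercase method, path with trailing slash removed, parameters sorted and RFC 3986 encoded, `jwt` parameter excluded). The token-minting helper exists only so the verifier can be exercised offline; in production the token comes from Jira.

```python
"""Verify an Atlassian Connect webhook JWT with the standard library only."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed values standing in for what the installed lifecycle hook delivered.
SHARED_SECRET = "constructed-shared-secret-from-installed-hook"
CLIENT_KEY = "constructed-client-key-of-tenant"
WEBHOOK_URL = "https://example.invalid/integrations/jira/webhook"


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def canonical_qsh(method: str, url: str) -> str:
    """SHA-256 of the Connect canonical request: METHOD&path&sorted-query."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if len(path) > 1:
        path = path.rstrip("/")
    params = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == "jwt":  # the token itself never contributes to its own hash
            continue
        params.setdefault(name, []).append(value)
    enc = lambda s: quote(s, safe="~")  # RFC 3986: only unreserved chars survive
    query = "&".join(
        enc(name) + "=" + ",".join(enc(v) for v in sorted(values))
        for name, values in sorted(params.items())
    )
    canonical = f"{method.upper()}&{path}&{query}"
    return hashlib.sha256(canonical.encode()).hexdigest()


def verify_connect_jwt(token, shared_secret, client_key, method, url, now=None):
    """Return (True, claims) for a token Jira issued for this exact request, else (False, reason)."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token"
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return False, "unexpected alg"
    expected = hmac.new(shared_secret.encode(), f"{h_b64}.{p_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_encode(expected), s_b64):
        return False, "bad signature"
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != client_key:  # secret must belong to the claimed tenant
        return False, "unknown issuer"
    now = time.time() if now is None else now
    if claims.get("exp", 0) < now:
        return False, "expired"
    if claims.get("qsh") != canonical_qsh(method, url):  # binds token to this request
        return False, "qsh mismatch"
    return True, claims


def make_connect_jwt(shared_secret, client_key, method, url, iat, ttl=180):
    """Mint a token the way Jira would; present only to exercise the verifier offline."""
    header = {"typ": "JWT", "alg": "HS256"}
    claims = {"iss": client_key, "iat": iat, "exp": iat + ttl,
              "qsh": canonical_qsh(method, url)}
    seg = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{seg(header)}.{seg(claims)}"
    sig = hmac.new(shared_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


if __name__ == "__main__":
    issued_at = 1_700_000_000
    token = make_connect_jwt(SHARED_SECRET, CLIENT_KEY, "POST", WEBHOOK_URL, issued_at)
    print(verify_connect_jwt(token, SHARED_SECRET, CLIENT_KEY, "POST", WEBHOOK_URL,
                             now=issued_at + 10))
    # Same token presented for a GET to the same URL fails on qsh, not on the signature.
    print(verify_connect_jwt(token, SHARED_SECRET, CLIENT_KEY, "GET", WEBHOOK_URL,
                             now=issued_at + 10))
```

Look up the shared secret by the unverified `iss` claim before verifying (one secret per installed tenant), and reject any request without an Authorization header outright; the `qsh` check is what stops a token lifted from a legitimate Connect request to one of your other endpoints from being replayed as a webhook.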

You can also use API tokens: Manage API tokens for your Atlassian account | Atlassian Support

Hi Daniel,

I know this is old, but in the Cloud is there any difference between the JWT used by Jira in the App and in the webhook? If not, how can we guarantee that someone doesn’t reuse the App JWT to make fake webhook calls?