OAuth 2.0 with Proof Key for Code Exchange (PKCE)

Hi,

I’m developing a desktop application (in C# / .NET) that needs to use the Jira Cloud REST API on a user’s behalf.

I was reading this article about OAuth 2.0 (3LO) which seems to be what I need.

However, in this article, we’re using a Client Secret to exchange the authorization code for an access token.

Since my application is a desktop application, it should be considered a public (non-confidential) client. During installation, all of the application’s binaries and files are copied into the local file system. Since they can be easily decompiled and inspected by anyone having access to the file system, the application should not contain any secrets.

From what I read, it seems to be highly recommended to use the Authorization Code grant flow with the PKCE extension to authorize a user with a desktop application, to avoid storing any secrets on the user’s device.

Is there a way to use the PKCE extension with the Jira Cloud Rest API? Do you have an example on how to do it?

I found this article for Jira Data Center and Server. Does it apply also to Jira Cloud?

Thank you

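As an added illustration of the flow the question describes (this is example code written for this thread, not code from the original post, from Atlassian, or from the Jira Cloud documentation), the following Python script shows what a public desktop client does under RFC 7636: generate a fresh `code_verifier`, derive the S256 `code_challenge`, send the challenge on the authorization request, and later send only the verifier on the token request, with no `client_secret` anywhere. It also shows the check the authorization server performs at the token endpoint, so you can see why an authorization code captured on its own is useless without the verifier. The endpoint URLs, client id, redirect URI and scope are placeholders (assumptions), not values from this thread.

```python
import base64
import hashlib
import hmac
import re
import secrets
import urllib.parse

# Placeholder endpoints (assumption, not taken from the thread): substitute the
# authorization server's real authorize and token URLs.
AUTHORIZE_ENDPOINT = "https://auth.example.test/authorize"
TOKEN_ENDPOINT = "https://auth.example.test/oauth/token"

# RFC 7636 section 4.1: a code_verifier is 43..128 unreserved characters.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Fresh high-entropy verifier; 32 random bytes encode to 43 characters."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def is_valid_verifier(verifier: str) -> bool:
    return _VERIFIER_RE.fullmatch(verifier) is not None


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, scope: str,
                        state: str, challenge: str) -> str:
    """Step 1: the client opens the system browser at this URL.
    Only the challenge travels here; the verifier stays in the app's memory."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params)


def build_token_request(client_id: str, code: str, redirect_uri: str,
                        verifier: str) -> dict:
    """Step 2: form body POSTed to TOKEN_ENDPOINT after the redirect brings
    back the code. There is deliberately no client_secret field."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }


def server_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server does at the token endpoint: recompute the
    challenge from the presented verifier and compare it, in constant time,
    with the challenge it stored when it issued the code."""
    if not is_valid_verifier(presented_verifier):
        return False
    recomputed = make_code_challenge(presented_verifier)
    return hmac.compare_digest(recomputed, stored_challenge)


def demo() -> dict:
    """Run one complete exchange with constructed sample values."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state = b64url_nopad(secrets.token_bytes(16))  # CSRF binding for the redirect
    url = build_authorize_url("my-desktop-app", "http://127.0.0.1:8765/callback",
                              "read:example", state, challenge)
    # Constructed sample code, standing in for what the redirect would carry.
    code = "SAMPLE_AUTH_CODE"
    token_body = build_token_request("my-desktop-app", code,
                                     "http://127.0.0.1:8765/callback", verifier)
    return {
        "authorize_url": url,
        "token_body": token_body,
        # The legitimate client holds the verifier and is accepted.
        "accepted": server_accepts(challenge, token_body["code_verifier"]),
        # Someone holding only the code (and guessing a verifier) is refused.
        "rejected": server_accepts(challenge, make_code_verifier()),
    }


if __name__ == "__main__":
    result = demo()
    print(result["authorize_url"])
    print(result["token_body"])
    print("accepted:", result["accepted"], "rejected:", result["rejected"])
```

The verifier never leaves the device until the token request, and the token request is sent over TLS directly from the app, so there is nothing secret to ship in the binaries; the `state` value should likewise be generated per request and compared on the redirect before the code is used.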

Welcome to the Atlassian developer community @fchartrand,

No. Currently, Atlassian only supports the authorization code flow. And, I agree with your assessment that PKCE is suitable for desktop apps so that your app doesn’t have secrets.

A possible work-around (less than ideal user experience), is that each of your customers generates their own client id & secret, stores it in their local environment, and then your app can mediate the authorization code flow using those unique credentials.

To answer your other question, no, Jira Cloud is effectively a different product from Jira Server & Data Center. The solution you linked will not work for Jira Cloud. While the public suggestion OAUTH20-2491 was logged for PKCE, it explicitly mentions an on-prem Jira version, and Atlassian will treat bugs separately for Cloud vs Server/DC. As such, I recommend logging a new feature request so you, and others who might stumble upon this thread, would have something formal to track. Could you please open a “suggestion” (our term for feature request) issue yourself in our open Jira (JAC) in the ECO project. Once you have the issue key, please let us know here so other folks can watch, vote, and comment.

Thank you for your answer @ibuchanan !

I opened the ECO-283 issue as you suggested to watch, vote, comment and track this request.

Hey @ibuchanan !

I know this is a bit old, but this is biting me as well.
I’ve added a comment to the Jira ticket, but also wanted to state here that it’s already possible for Jira Cloud OAuth consumers to use PKCE if they have a flag flipped.

Unfortunately, it’s not exposed on the dev console. :frowning:

Any chance we can get an option in the dev console to turn on PKCE when creating a new consumer? I feel like this could turn into a VULN if <insert bad actor stuff here>

Thanks!

Hey @J-D,

Feels weird to welcome you to the Atlassian developer community, because you’ve been behind it for so long.

It sure is frustrating how close we are to finishing PKCE. I certainly hope OAuth 2.1 doesn’t overrun us! I submitted some internal requests to escalate. Otherwise, I’m not close enough to the work to know when it might be available in DAC.

Thanks! and thanks for the warm welcome to the community! :grin: