OAuth2: Auth_hash returns incorrect site

Going through OAuth flow multiple times (with the same user) leads to weird behavior.
When a user goes through OAuth flow, they select a site for which they grant access, after which my app receives a callback with extra -> raw_info -> site containing information about the selected site.

However, if a user goes through OAuth one more time and picks a different site, auth_hash received on a callback contains a site that is different from what was selected during OAuth flow (usually it is the one that was selected previously).

Is the site picked by the user during OAuth flow cached somewhere? Or is there another reason why I might be getting an incorrect site in auth_hash?


@AlexanderChaplinsky I am curious how you found out about the auth_hash you are describing and how you access it.

Is there any documentation on this? Jira OAuth callbacks for our app do not contain anything other than the authorization code and state query parameter.

I remember that this issue was discussed somewhere when the OAuth2 3LO flow was initially introduced (unfortunately I cannot find it anymore) and this was labeled as a potential future improvement.

I cannot find any documentation on this, so I am wondering if what you are seeing is/was an attempt to fix this.


Hey @tbinna, thanks for getting back.
I’m a coworker of @AlexanderChaplinsky.

It was not an attempt to fix the issue as we have no means to do so. It was an attempt to understand the capabilities and limitations of the Atlassian OAuth2 3LO flow for end users of our application granting access to multiple Atlassian sites. In our application users are expected to create a separate credential for each site (tenant).

auth_hash comes from the unofficial omniauth-atlassian-oauth2 ruby gem that implements OAuth2 3LO strategy.

It reads the list of sites the user has access to by using the https://api.atlassian.com/oauth/token/accessible-resources endpoint. Since there is no way to tell which site the user has granted access to during the current OAuth2 3LO flow, the implementation picks up the first one. Hence our incorrect assumption that it got cached somewhere.

Having understood that, there are two things we would love to get clarified.

  • Are there any plans to provide the site that the user has selected during the OAuth2 3LO flow back to the OAuth2 application during the callback phase?
  • Is there a way for OAuth2 applications to request the user to grant access to a specific site?
    • Perhaps by using a different domain?

Looking forward to hearing from you.


Hey @ArturHebda,

Thanks for the clarification. That makes sense now. We have implemented the OAuth flow in our own app such that we will show the user a site selection the first time they are using the app (if they have access to multiple sites) and then remember the site that they chose. Not the best user experience as they have already selected the site on Atlassian’s authorization page but to my knowledge, there is still no other way at this time.

Please note though that I am a Marketplace partner and I do not work for Atlassian, so I cannot speak to your questions. Maybe someone from Atlassian can answer them.

cc @sreuter

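As an added illustration (not code from the omniauth-atlassian-oauth2 gem or from anyone in this thread) of the behaviour @ArturHebda describes and the workaround @tbinna describes: the accessible-resources response is parsed, "take the first site" is contrasted with an explicit, validated site choice, and the per-site scopes are checked before the site is used. The JSON body and all function names are constructed for this example; only the field names follow the endpoint's response shape.

```ruby
require 'json'

# Constructed sample of a GET https://api.atlassian.com/oauth/token/accessible-resources
# response for a user who granted the app access to two sites. Ids, names and urls are made up.
SAMPLE_ACCESSIBLE_RESOURCES = <<~JSON
  [
    {"id": "cloud-id-alpha", "name": "alpha", "url": "https://alpha.example.atlassian.net",
     "scopes": ["read:jira-work"]},
    {"id": "cloud-id-beta",  "name": "beta",  "url": "https://beta.example.atlassian.net",
     "scopes": ["read:jira-work", "write:jira-work"]}
  ]
JSON

# Parse the response into plain hashes; fetch raises on a missing required field.
def parse_accessible_resources(body)
  JSON.parse(body).map do |r|
    { id: r.fetch('id'), name: r.fetch('name'), url: r.fetch('url'), scopes: r.fetch('scopes', []) }
  end
end

# What the thread describes the gem doing: the first resource is reported as "the" site,
# regardless of which site the user picked on Atlassian's authorization page.
def first_site(resources)
  resources.first
end

# The app must ask the user which site to use whenever the token covers more than one.
def needs_site_selection?(resources)
  resources.length > 1
end

# Workaround: the app records the user's own choice (a cloud id) and only accepts it if
# the token really grants access to that site and to every scope the app needs.
def select_site(resources, chosen_cloud_id, required_scopes: [])
  site = resources.find { |r| r[:id] == chosen_cloud_id }
  raise ArgumentError, "site #{chosen_cloud_id} is not accessible with this token" if site.nil?
  missing = required_scopes - site[:scopes]
  raise ArgumentError, "site #{site[:name]} lacks scopes: #{missing.join(', ')}" unless missing.empty?
  site
end

if $PROGRAM_NAME == __FILE__
  sites = parse_accessible_resources(SAMPLE_ACCESSIBLE_RESOURCES)
  puts "gem would report: #{first_site(sites)[:name]}"
  puts "user chose beta: #{select_site(sites, 'cloud-id-beta', required_scopes: ['write:jira-work'])[:url]}"
end
```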