OAuth2 Forge app providers

I am currently working on implementing OAuth2 for authentication with Tempo.
Following the documentation’s example for Google OAuth2 in the ‘providers’ section of the manifest.yml:

providers:
  auth:
    - key: google
      name: Google
      scopes:
        - 'profile'
        - 'https://www.googleapis.com/auth/userinfo.email'
      type: oauth2
      clientId: EXAMPLE
      remotes:
        - google-apis
      actions:
        authorization:
          remote: google-account
          path: /o/oauth2/v2/auth
        exchange:
          remote: google-oauth
          path: /token
        revokeToken:
          remote: google-oauth
          path: /revoke
        retrieveProfile:
          remote: google-apis
          path: /userinfo/v2/me
          resolvers:
            id: id
            displayName: email
            avatarUrl: picture
remotes:
  - key: google-apis
    baseUrl: https://www.googleapis.com
  - key: google-account
    baseUrl: https://accounts.google.com
  - key: google-oauth
    baseUrl: https://oauth2.googleapis.com

I’ve encountered a problem - the base URL to obtain an authorization code from Tempo includes a variable, ‘jira-cloud-instance-name,’ in the form:
https://{jira-cloud-instance-name}.atlassian.net/plugins/servlet/ac/io.tempo.jira/oauth-authorize
How do I declare it in the manifest?
Thanks in advance.


Hi @HachimKhaldi ,

I don’t believe it’s currently possible to alter the domain name of a remote, or make it variable, as the admin would need to approve egress data when installing an app.


Can you please provide any alternative?

Sorry, let me just double check some assumptions I have made here.

When the Tempo docs say {jira-cloud-instance-name} they are talking about the *.atlassian.net site URL that each instance of Jira Cloud has (set when you create a new site at Try Atlassian Products for Free | Atlassian).

Are you asking what the value should be for a particular Tempo instance, or are you asking how you can automatically fill that value out in the manifest based on where your app is installing, so it is portable?

If you are building an app for a specific installation of Tempo, you could just grab the cloud URL for that instance and include it in the manifest, but it would not be portable to other installations.

I want to automatically fill that value out in the manifest based on where the app is installed.

We faced this issue for multiple providers that require a variable URL to obtain an authorization code (Tempo, ServiceNow…).

I hope we can fix it or at least have a workaround.
Thank you

Unfortunately that is not something we support right now with external authentication.

I think it would be worth reporting this in the FRGE project - Dashboard - Ecosystem Jira

I found it interesting that Tempo have a stable URL for token exchange, but it was the browser URL that was variable, maybe they also have a stable URL for the authorization somehow?
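
The constraint from the replies above (a remote's domain must be fixed so the admin can approve egress at install time) and the single-installation option can be checked before deploying. This is an added example, not code from the thread or from Atlassian: it assumes manifest.yml has already been parsed into an object, and the `tempo` provider key, the `tempo-site` and `tempo-token` remote keys, the `/PLACEHOLDER` path and all function names are hypothetical.

```javascript
// Constructed sample: two of the thread's Google remotes plus a hypothetical
// 'tempo-site' remote that uses the templated host from the question.
const sampleManifest = {
  providers: { auth: [
    { key: 'google', actions: {
      authorization: { remote: 'google-account', path: '/o/oauth2/v2/auth' },
      exchange: { remote: 'google-oauth', path: '/token' } } },
    { key: 'tempo', actions: { // hypothetical provider
      authorization: { remote: 'tempo-site',
        path: '/plugins/servlet/ac/io.tempo.jira/oauth-authorize' },
      exchange: { remote: 'tempo-token', path: '/PLACEHOLDER' } } }, // undeclared remote
  ] },
  remotes: [
    { key: 'google-account', baseUrl: 'https://accounts.google.com' },
    { key: 'google-oauth', baseUrl: 'https://oauth2.googleapis.com' },
    { key: 'tempo-site', baseUrl: 'https://{jira-cloud-instance-name}.atlassian.net' },
  ],
};

// Returns the hostname when baseUrl is an absolute https URL with no template
// placeholder (so the egress domain is known at install time), else null.
function staticHost(baseUrl) {
  if (/[{}]/.test(baseUrl)) return null;
  try {
    const u = new URL(baseUrl);
    return u.protocol === 'https:' ? u.hostname : null;
  } catch (e) { return null; }
}

// Flags remotes without a fixed host and actions that name an undeclared remote.
function lintManifest(manifest) {
  const findings = [];
  const remotes = new Map((manifest.remotes || []).map((r) => [r.key, r.baseUrl]));
  for (const [key, baseUrl] of remotes) {
    if (staticHost(baseUrl) === null) findings.push(`remote ${key}: host is not fixed`);
  }
  for (const p of (manifest.providers || {}).auth || []) {
    for (const [action, def] of Object.entries(p.actions || {})) {
      if (!remotes.has(def.remote)) findings.push(`${p.key}.${action}: remote ${def.remote} undeclared`);
    }
  }
  return findings;
}

// Single-site build (not portable): substitute one site name, accepted only if
// it is a single DNS label, so the value cannot redirect egress to another host.
function pinSite(manifest, site) {
  if (!/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i.test(site)) throw new Error('invalid site name');
  const copy = JSON.parse(JSON.stringify(manifest));
  for (const r of copy.remotes) r.baseUrl = r.baseUrl.replace('{jira-cloud-instance-name}', site);
  return copy;
}
```

Running `lintManifest(sampleManifest)` reports the templated remote and the undeclared one; after `pinSite(sampleManifest, 'example-site')` only the undeclared remote remains.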