Org-based auth to 3rd party API using Forge?

I have a small Forge app which sends issue data to a third party API and receives content back. I have read through the Forge docs but I only see an option of using OAuth for user-specific auth. I would instead like a way to not authenticate for the entire Org instead, as the app is not user-specific and I don’t want every Jira user to create an account on my website.

Ideally there would be something secure from the Jira context that I could pass to my app, or even perform OAuth with my own app from the Forge backend.

Is the way to go just building my own additional OAuth in the app+my backend, and shipping keys with it? Is there a simpler or more secure way?


Are you saying that you’d like your Forge app to have an OAuth service account with the third party system so that your app has a single account (likely per Atlassian tenant) with the third party system, rather than every user having an account with the third party system?

Your app then uses this single (per tenant) service account to communicate with the third party.

I can see this as a very useful use case.

Hi David, yes that’s exactly my case. I’d like my third-party to have one account per Atlassian tenant.

I see the forge runtime doesn’t expose secrets (as far as I can tell by sniffing around with chrome inspector, and what is implied by the architecture diagram), so it might be possible to hack it all on my own somehow but it feels like “the wrong way”, and I’m not 100% confident it is actually safe because it’s just a guess.

Looking at the latest version of @forge/api, it doesn’t look like this is possible.

const wrapFetchApiMethods = (api, wrapFetch) => {
    return {
        ...
        asUser: () => ({
            requestJira: (...),
            requestConfluence: (...),
            requestBitbucket: (...),
            requestGraph: (...),
            withProvider: (provider, remoteName, tokenId) => {
                ...
            }
        }),
        asApp: () => ({
            requestJira: (...),
            requestConfluence: (...),
            requestGraph: (...),
            requestBitbucket: (...)
        })
    };
};

The api.asUser method allows you to specify an external service as described here, like so:

const google = api.asUser().withProvider('google', 'google-apis')

…but api.asApp (which I think would be the likely place for this) has nothing equivalent.

Time to roll your own, and please share with the class.

@rmassaioli – any thoughts on this?

For the short term in my development stage I’ll ship a token with my app and request the company ID from the API, but as I move into prod this should move into some form of handshake.
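One shape the handshake mentioned above could take, as an added example that is not code from this thread or from @forge/api: a one-time enrollment code is exchanged for a per-tenant secret, and every request is HMAC-signed so the backend never trusts a tenant ID the caller merely asserts. All function names, the in-memory maps and the five-minute window are assumptions.

```javascript
// Added example: per-tenant handshake, seen from the third-party backend.
// Every name here is hypothetical; the Maps stand in for a database.
const { createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

const MAX_SKEW_MS = 5 * 60 * 1000; // assumed replay window
const tenantSecrets = new Map();   // tenantId -> secret
const pendingCodes = new Map();    // one-time code -> tenantId

// An org admin signs in to the third-party site once and receives a code.
function issueEnrollmentCode(tenantId) {
  const code = randomBytes(16).toString('hex');
  pendingCodes.set(code, tenantId);
  return code;
}

// The app redeems the code once and stores the returned secret per installation.
function redeemEnrollmentCode(code) {
  const tenantId = pendingCodes.get(code);
  if (tenantId === undefined) return null;
  pendingCodes.delete(code); // single use
  const secret = randomBytes(32).toString('hex');
  tenantSecrets.set(tenantId, secret);
  return { tenantId, secret };
}

// Unambiguous encoding of the fields covered by the MAC.
const macInput = (tenantId, timestamp, body) => JSON.stringify([tenantId, timestamp, body]);

// App side: sign tenant ID, timestamp and body with the tenant's own secret.
function signRequest(tenantId, secret, body, now = Date.now()) {
  const mac = createHmac('sha256', secret).update(macInput(tenantId, now, body)).digest('hex');
  return { tenantId, timestamp: now, body, mac };
}

// Backend side: a tenant ID counts only if the MAC verifies under that tenant's secret.
function verifyRequest(req, now = Date.now()) {
  const secret = tenantSecrets.get(req.tenantId);
  if (secret === undefined) return false;
  if (!(Math.abs(now - req.timestamp) <= MAX_SKEW_MS)) return false; // also rejects NaN
  const expected = createHmac('sha256', secret)
    .update(macInput(req.tenantId, req.timestamp, req.body)).digest();
  const given = Buffer.from(String(req.mac), 'hex');
  return given.length === expected.length && timingSafeEqual(given, expected);
}
```

Inside the window a captured request can still be replayed; a short-lived cache of seen MACs or a nonce field closes that gap.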

@BrianGraham Keep an eye on this ticket, vote it up, comment etc:

[FRGE-729] - Ecosystem Jira

This will likely provide something similar to:

const google = api.asApp().withProvider('google', 'google-apis')