Plugin that adds its own portal in Jira

Hi, I am trying to develop a plugin which extends Jira with a portal that allows users to authenticate without Jira application access. Is it possible to use the Jira login form/servlet and redirect the user to my portal after authentication, as it works for customers in Jira Service Desk? Should I try to add a new application and access? Is it possible using Jira plugin modules and the SDK, or maybe I should implement my own authorization service?
Is there any way to resolve this issue?

So… obviously, given that your Jira instance license is tied to application users, there will not be an easy way to implement separate authentication as this would circumvent the licensing model.

Now having said that, theoretically it should be possible to fix this by creating your own public-facing (as in non-authenticated) Servlet module in which you do authentication yourself. You can then interact with Jira from a REST API module which in turn interacts with the Jira programmatic API (or even the REST API if you wish).

However, it will create an extra burden for you to make sure that you do not expose your Jira data. Additionally, you will need to either store username/password information in the Jira database (not recommended) or interface with another authentication method (like LDAP or OAuth).

Either way, this is quite a challenging project, so overall I would really make sure you think it through.

Hi @remie,
Thank you for your reply.
I know that implementing separate authentication is a challenging task, so I am looking for an easier way to meet my requirements. Can I authenticate users (confirm their logins and passwords) using the Jira API (users have their own accounts in Jira) and after that redirect them to my portal before the authorization stage (checking permission to access Jira)?

Yes, that should be possible. If you have them post their username/password to your service, you can use those credentials to call the Jira REST API (and specifically https://docs.atlassian.com/software/jira/docs/api/REST/8.4.1/#api/2/myself-getUser), after which you redirect them to your portal (preferably with a custom generated JWT token to keep the session authenticated).

Did you mean this endpoint: https://docs.atlassian.com/software/jira/docs/api/REST/8.4.1/#auth/1/session-login ? Your endpoint just returns the already logged-in user. When I call /session-login with the credentials of a user who does not have access to Jira, the response is 403 and I get the header: X-Seraph-LoginReason: AUTHENTICATION_DENIED.

It really depends on what you are trying to achieve, maybe I don’t fully understand your requirements.

If you are trying to create your own login screen which will redirect users to your portal, you can do so by creating

  1. A servlet which serves your login screen
  2. A REST API

The REST API will consume the username/password from the login screen (preferably via HTTPS POST) and makes an API call to the Jira REST API with impersonation (using the username/password credentials from the request). By calling the myself endpoint, you will know that the username/password combination is correct if it returns user information.

From there on, you can redirect the user to either an error page (incorrect credentials) or to your portal (passing a custom JWT token). From your portal, you call the REST API using your custom JWT token for authentication. Given that the REST API is running in the context of Jira, you no longer need to impersonate the user.

This is a viable solution for having your own login screen and redirecting users to your own portal.

Now if you do not want to proxy the Jira (programmatic) API, there is some additional magic in place where you actually continue to impersonate the user when proxying the Jira API. But that is more complex.
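The login-proxy flow described above (check the credentials against the Jira myself endpoint, classify the outcome, hand the user a short-lived custom JWT for the portal) as an added, runnable sketch; this is not code from the thread or from Atlassian. The Jira responses are constructed samples (the 403 with X-Seraph-LoginReason: AUTHENTICATION_DENIED is the case reported earlier in the thread; the 401 with AUTHENTICATED_FAILED for a wrong password is an assumption), and the HTTP call to Jira itself is left out so the block runs offline.

```python
import base64, hmac, hashlib, json, time

# Constructed samples of (status, headers) as returned by GET /rest/api/2/myself
# when called with the user's own username/password as HTTP Basic credentials.
SAMPLE_RESPONSES = {
    "alice": (200, {"Content-Type": "application/json"}),               # valid, has application access
    "bob":   (403, {"X-Seraph-LoginReason": "AUTHENTICATION_DENIED"}),  # valid password, no application access
    "eve":   (401, {"X-Seraph-LoginReason": "AUTHENTICATED_FAILED"}),   # wrong password (assumed reason)
}

def classify_jira_login(status, headers):
    """Map a Jira 'myself' response to a login outcome; Seraph reports the reason in a header."""
    reason = headers.get("X-Seraph-LoginReason", "")
    if status == 200:
        return "access"           # credentials valid and the user has Jira application access
    if reason == "AUTHENTICATION_DENIED":
        return "no_app_access"    # credentials valid, but no application access: the portal-only case
    return "bad_credentials"      # AUTHENTICATED_FAILED or anything unexpected: reject

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_portal_jwt(username, secret: bytes, ttl_seconds=900, now=None):
    """Mint a short-lived HS256 JWT for the portal session; the Jira password is never stored."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": username, "iat": now, "exp": now + ttl_seconds}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_portal_jwt(token, secret: bytes, now=None):
    """Return the subject if the HMAC signature and expiry check out, otherwise None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):   # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")

def portal_login(username, status, headers, secret: bytes, now=None):
    """Decide the redirect: ('portal', jwt) for any user Jira authenticated, ('error', None) otherwise."""
    if classify_jira_login(status, headers) in ("access", "no_app_access"):
        return ("portal", issue_portal_jwt(username, secret, now=now))
    return ("error", None)
```

Whether a user without application access should reach the portal is the policy decision the thread is about; portal_login admits them, while bad credentials never produce a token.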

Or maybe I should be more clear.

First of all, is it possible to use the login screen from the Jira application, authenticate users who do not have permission to log in according to their Jira Application Access configuration but provide correct credentials, and in that case redirect them to my screen as already authenticated? I noticed similar behaviour for Service Desk users who are not in the jira-software-users group.

Quick disclaimer: I’ve never implemented this, so this is all theoretical based on documentation and Jira source code.

My suggestion would be to look into the Jira LoginEvent. This event is fired when the user is logged in successfully. Unfortunately, it is only fired if the LoginReason is not of type AUTHENTICATION_DENIED, AUTHENTICATED_FAILED or AUTHORISATION_FAILED, so it might be possible that the event is not fired when they do not have Jira Application Access.

BTW, you could always check the source code for Jira Service Desk to see how they implemented it there.

Hi Adrian,
To me, it sounds a bit like you do actually want some kind of a Single Sign On (SSO) Service, i.e. all users can use the same place to log in and will then be authenticated for different applications.
If that’s what you are looking for, I strongly suggest that you do not develop that yourself. It is a) quite a bit of work and b) as Remie mentioned, you can easily run into security issues.

There is a wealth of SSO tools out there, too many to mention in a single post. And quite a lot of them will integrate with Jira, so that you could have Jira users and users of your platform use the same login page.

I checked that, and you are right, the Jira LoginEvent is fired only when the user has logged in successfully and has Jira Application Access, so unfortunately it won’t help me. I will take a closer look at the Jira Service Desk source code, maybe I will find out something more.

Hi @osiebenmarck,
Thank you for your response. You mentioned an authentication service, but I am not sure that I am looking for something like this at the moment. First, I would like to know if there is any way to avoid it using the Jira API. If I am able to show my page to users who have an account in Jira and provide correct credentials but do not have Jira Application Access privileges, that meets my requirements. They do not have to see Jira pages, only my own pages.

Hi, this sounds very much like the way Service Desk is implemented, i.e. customers can have logins and access to a portal but no application access.

Hi @listertuk,
Exactly, but Service Desk adds its own application to Jira; I think I am not able to do the same in my add-on.