Problems with Jira Cloud authentication on my Jira Cloud App

matti.kiviharju · April 2, 2021, 12:52am

With PHP code below:

class JsonController extends Zend_Controller_Action
{
	
	public $AUTHORIZATION_SERVER_URL = "https://auth.atlassian.io";
	public $EXPIRY_SECONDS = 60;
	public $GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer";
	public $SCOPES = "READ WRITE ACT_AS_USER"; // case-sensitive space-delimited as per the specification

# some code here

$appKey = $config->appkey;
		
		//var_dump($customer);
		//echo $domain->customer->domain;
		$file = file_get_contents( $applicationPath .'/../customers/'.$customer['domain'].'/installed.txt');
		//echo $file;
		$phpNative = Zend_Json::decode($file);
		$secret = $phpNative['sharedSecret'];
		$clientKey = $phpNative['oauthClientId'];
		
		$iat = (integer) time();
		$exp = (integer) $iat + 60;
		
		//echo $iat;
		
		$token = array(
				"iss" => 'urn:atlassian:connect:clientid:'.$clientKey,
				"sub" => 'urn:atlassian:connect:useraccountid:'.$appKey,
				"tnt" => 'https://'.$customer['domain'],
				"aud" => $this->AUTHORIZATION_SERVER_URL,
				"iat" => $iat,
				"exp" => $exp
		);
		
		try {
			$assertion = JWT::encode($token, $secret);
		} catch (ExpiredException $e) {
			echo $e->getMessage();
		}
		
		$config = array(
				'adapter'   => 'Zend_Http_Client_Adapter_Curl',
				'curloptions' => array(CURLOPT_FOLLOWLOCATION => true),
		);
		
		//https://oauth-2-authorization-server.services.atlassian.com/oauth2/token
		
		$uri = $this->AUTHORIZATION_SERVER_URL . '/oauth2/token';
		
		//echo $uri;
		
		$client = new Zend_Http_Client($uri, $config);
		
		// Setting several POST parameters, one of them with several values
		$client->setParameterPost(array(
				'scope' => $this->SCOPES,
				'assertion' => $assertion,
				'grant_type' => $this->GRANT_TYPE
		));
		
		//$client->setParameterPost(array('grant_type' => rawurlencode('urn:ietf:params:oauth:grant-type:').'jwt-bearer&scope='.rawurlencode('READ WRITE').'&assertion='.$jwt));
		
		$client->setMethod(Zend_Http_Client::POST);
		$response = $client->request();
		
		$body = $response->getBody();
		
		echo $body;

I successfully get JSON response below:

{"access_token":"xxxx","token_type":"Bearer","expires_in":900}

Bet when I try to use access token in further functions I get only this:

{"error": "Add-on 'fi.i4ware.plugin.timesheet.tfj' disallowed to impersonate the user because 'no valid active user exists'"}

I just try to things with this documentation but with no 100 % success:

https://developer.atlassian.com/cloud/jira/platform/user-impersonation-for-connect-apps/

What to do?

nmansilla · April 2, 2021, 2:36am

Hi @matti.kiviharju,

"sub" => 'urn:atlassian:connect:useraccountid:'.$appKey,

Instead of $appKey that should be the accountId of the user.

On another note, you need to replace the authorization server hostname auth.atlassian.io with oauth-2-authorization-server.services.atlassian.com.

The deprecation notice from July 2020 is here.

matti.kiviharju · April 2, 2021, 5:27am

Ok, thanks.

How do I get user’s account id? I need a logged in user’s account id because I want make feature for my Timesheet App to see who is logged work hours and how is not on Ms Excel and Adobe PDF work hour reports.

And second question is do I need these as in screenshot below for my App in this case?

matti.kiviharju · April 3, 2021, 7:57am

Right way to get Logged in user’s account id is below:

AP.user.getCurrentUser(function(user) {
    var userAccountId = user.atlassianAccountId;
    //your App JavaScript source code here
});

Use variable userAccountId on hidden forms field names attributes and/or AJAX extra parameters on POST/GET posts. Not on URLs for security meanings.