QSH and JWT for JIRA connect plugin

Been struggling with this for quite a while. My first plugin is working nicely, but I have been ignoring the qsh values. Now looking to tighten security so I want to verify the qsh and signature of the jwt token.

Struggling to recreate the qsh of the call by the Atlassian server:

My server tells me that Atlassian appends fields as follows:

/tenant_settings?user_id=admin&user_key=admin&tz=Europe%2FLondon&loc=en-US&xdm_e=https%3A%2F%2Fmyapp.atlassian.net&xdm_c=channel-com.myapp.jirapi-1__tenant-settings&cp=&xdm_deprecated_addon_key_do_not_use=com.myapp.jirapi-1&lic=none&cv=1.174.0&jwt=xxxxx

I decode the jwt and get a nice object with a qsh value. But when I try to recreate the qsh using the url above I get a different value for qsh.

Am using a standard recommended library. Any tips would be most gratefully received.

@colin.hammond - which library are you using? There is the Node.js library here that helps you to create & decode JWT tokens.


I am using the PHP Firebase library.

For recreating qsh, did you reorder the query parameters based on their percent-encoded names? In the Understanding JWT for Connect apps documentation, kindly navigate to the Creating a query string hash section for detailed instructions on how to generate qsh. I missed this part when I was starting out, might be the same case you’re experiencing.

Cheers,
Ian
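The canonical-request steps from the documentation section referenced above, applied to the URL in the first post. This is an added example, not code from the thread or from any Atlassian library. The function names are the example's own, and it assumes the request is a GET and the app's baseUrl has no path component.

```javascript
// Added example (not from the thread): qsh per the "Creating a query string hash" steps.
const crypto = require('crypto');

// URL from the first post; the jwt value is the post's own placeholder.
const SAMPLE_URL = '/tenant_settings?user_id=admin&user_key=admin&tz=Europe%2FLondon' +
  '&loc=en-US&xdm_e=https%3A%2F%2Fmyapp.atlassian.net' +
  '&xdm_c=channel-com.myapp.jirapi-1__tenant-settings&cp=' +
  '&xdm_deprecated_addon_key_do_not_use=com.myapp.jirapi-1&lic=none&cv=1.174.0&jwt=xxxxx';

// RFC 3986 percent-encoding; encodeURIComponent alone leaves !'()* unescaped.
function rfc3986(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// METHOD & path-relative-to-baseUrl & sorted query (jwt parameter excluded).
// basePath: path part of the app's baseUrl; '' assumes the app is served from the root.
function canonicalRequest(method, requestUrl, basePath = '') {
  const url = new URL(requestUrl, 'https://placeholder.invalid');
  let path = url.pathname;
  if (basePath && path.startsWith(basePath)) path = path.slice(basePath.length);
  path = path.replace(/&/g, '%26');
  if (path.length > 1) path = path.replace(/\/+$/, '');
  if (path === '') path = '/';
  const params = new Map();
  for (const [name, value] of url.searchParams) {
    if (name === 'jwt') continue;
    const key = rfc3986(name);
    if (!params.has(key)) params.set(key, []);
    params.get(key).push(rfc3986(value));
  }
  // Sort by encoded name; repeated names become name=v1,v2 with sorted values.
  const query = [...params.keys()].sort()
    .map((k) => k + '=' + params.get(k).sort().join(','))
    .join('&');
  return [method.toUpperCase(), path, query].join('&');
}

function computeQsh(method, requestUrl, basePath = '') {
  const canonical = canonicalRequest(method, requestUrl, basePath);
  return crypto.createHash('sha256').update(canonical, 'utf8').digest('hex');
}

// Constant-time check of the qsh claim from a JWT whose signature was already verified.
function qshMatches(claimQsh, method, requestUrl, basePath = '') {
  const a = Buffer.from(String(claimQsh), 'utf8');
  const b = Buffer.from(computeQsh(method, requestUrl, basePath), 'utf8');
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}
```

Logging the output of `canonicalRequest` next to the string a PHP implementation hashes shows which step diverges (method case, path prefix, parameter order or encoding).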

Many thanks for that suggestion Iragudo,

I also use a QSH library from here that does the sorting when it creates the QSH, so I don’t think that is the problem.

Regards
Colin

When Atlassian calculates the qsh to send, does it include all of the above query parameters?

Can anyone help me answer this question?

I have asked the question on this forum. I have contacted Atlassian to see if I can pay to get the answer. I have contacted five Atlassian premium partners in the UK. Is there anybody out there who has built a JIRA connect app who is prepared to help me for a few hours? Happy to pay for your time.