It really depends what you are trying to achieve. Confluence passes a jwt query parameter to the iframes of your modules (more info about JWT). You can send this JWT along with the requests to your backend. The JWT expires after a while; if you want to make a request some time after the iframe has loaded, you can generate a new JWT using AP.context.getToken().
On the server side, you can decode and verify the token. The ID of the logged-in user is stored in the sub property of the JWT. To decode and verify the token, Atlassian provides a library called atlassian-jwt-js. Personally, I often run into problems with Atlassian libraries and find them to be coded in a rather unusual way, so I would rather use a generic JWT library like jsonwebtoken.
You have to verify the JWTs against the sharedSecret that you received with the installed lifecycle event for that particular Confluence instance (the iss property of the JWT contains the clientKey, which you can use to look up the particular instance in your database where you persist the lifecycle payload).
You should make sure that you really understand the way JWTs work before going live with such an authentication mechanism.