Refresh JWT within Atlassian Connect app?

When visiting an Atlassian Connect app from within e.g. Jira, the iframe URL provides a JWT in the URL. This JWT eventually expires after a few minutes.

When developing a single page app which usually does not require page reloading, however, the JWT will expire very quickly while using the Connect App. How can I refresh the JWT without having to reload the website?

Hi @divineengineering ,

You cannot refresh the JWT provided in an app iframe URL. When your app iframe first loads, it should validate the JWT.

Your app can use the AP.context module. AP.context.getContext() retrieves context information about the app iframe which can then be used to make API calls via AP.request. AP.context.getToken() is designed for transferring context to your app back end. The JWT returned from AP.context.getToken() has a different format and longer TTL than the iframe JWT.

Regards,
Dugald

Thank you, Dugald. So as I understand there is no way of refreshing the JWT provided to the iframe. How are full page Connect Apps supposed to authenticate towards Jira over longer periods of time, then? Could you provide some documentation that would apply to this use case?

Hi @divineengineering ,

Would you be able to list the sequence of steps that describes the scenario you are concerned about in order to explain why you think you need the JWT refreshed.

Regards,
Dugald

Certainly.

  1. The user initially navigates to the Atlassian Connect app, which opens up the iframe for the first time.
  2. The newly created JWT provided via the iframe’s query parameters allows the Atlassian Connect app to authenticate the user towards the app’s own backend servers. To my awareness, this is the only piece of information that identifies the app’s current user.
  3. The same JWT is subsequently used for any requests that are being made from the Atlassian Connect client to its backend server.
  4. Since the app is a react-based single page app, navigating within the app does not cause any part of the page to reload. Therefore, the supplied JWT never refreshes. Eventually, it will expire and cause all following requests to fail since the user can no longer be authenticated.

I suggest that you do not re-use the JWT that Atlassian used to authenticate a request to your app for your own requests to your backend services.

When you render your app’s iframe then you can also render in it either a simple session token or you can generate your own JWT token that you can use to authenticate the requests from your app’s frontend to your backend services.

Kind regards,
Raimonds

Also note that since your app iframe can potentially be tampered with, you need to be careful about what your app server assumes is true versus what it needs to validate. This is the reason I mentioned above the use of AP.context.getToken() to transfer client-side context to your app server in a tamper-proof manner. You may also like to read Retrieving context using AP.context.getToken().

Thank you, this makes a lot of sense. I will implement it that way.

@dmorrow It looks like AP.context.getToken() is perfect to authenticate client-side iframe requests to our Connect back end. Is there a reason “make your own token” is marked as the solution or is it safe to use this Connect provided mechanism?

Is there a user identifier in the context JWT?