When visiting an Atlassian Connect app from within e.g. Jira, the iframe URL provides a JWT in the URL. This JWT eventually expires after a few minutes.
When developing a single page app which usually does not require page reloading, however, the JWT will expire very quickly while using the Connect App. How can I refresh the JWT without having to reload the website?
Hi @divineengineering ,
You cannot refresh the JWT provided in an app iframe URL. When your app iframe first loads, it should validate the JWT.
Your app can use the AP.context module.
AP.context.getContext() retrieves context information about the app iframe which can then be used to make API calls via AP.request.
AP.context.getToken() is designed for transferring context to your app back end. The JWT returned from AP.context.getToken() has a different format and longer TTL than the iframe JWT.
Thank you, Dugald. So as I understand there is no way of refreshing the JWT provided to the iframe. How are full page Connect Apps supposed to authenticate towards Jira over longer periods of time, then? Could you provide some documentation that would apply to this use case?
Hi @divineengineering ,
Would you be able to list the sequence of steps that describes the scenario you are concerned about, in order to explain why you think you need the JWT refreshed?
I suggest that you do not re-use the JWT that Atlassian used to authenticate a request to your app for your own requests to your backend services.
When you render your app’s iframe, you can also render in it either a simple session token or a JWT token you generate yourself, which you can use to authenticate the requests from your app’s frontend to your backend services.
Also note that since your app iframe can potentially be tampered with, you need to be careful about what your app server assumes is true versus what it needs to validate. This is why I mentioned above using AP.context.getToken() to transfer client-side context to your app server in a tamper-proof manner. You may also like to read Retrieving context using AP.context.getToken().
Thank you, this makes a lot of sense. I will implement it that way.
@dmorrow It looks like AP.context.getToken() is perfect to authenticate client-side iframe requests to our Connect back end. Is there a reason “make your own token” is marked as the solution or is it safe to use this Connect provided mechanism?
Is there a user identifier in the context JWT?