Rest API Authentication across multiple sites

I’m trying to figure out if it’s possible for my web application to perform actions in the Jira API across multiple users.

It seems that I have to have the site name before I can begin the OAuth process. Is it possible to capture that without asking the user to enter it as text?

Before answering your questions directly, perhaps some context would help. JIRA isn’t one big multi-tenant application like Netflix or Google. It grew up as a self-hosted product, so even in the transition to cloud, it’s better to think of many JIRA instances, each with its own site name. Although JIRA Cloud is growing fast, there are still many customers who self-host. So, whether self-hosted or cloud, for a given JIRA instance, you can perform actions for and even acting as multiple users. But your application needs to establish a trust relationship with each instance.

Many integrations that target both self-hosted and cloud use OAuth 1.0 to establish a trust relationship. OAuth 1.0 and Basic auth are the only options that work for both. But, I’m unaware of any way to automate the creation of OAuth 1.0 consumers. As such, OAuth 1.0 pushes the burden onto JIRA admins to fill out some fields that create the trust relationship with your application.

In JIRA Cloud (but only for cloud), this is solved with Atlassian Connect, which does automate the negotiation of a trust relationship. After that negotiation, the auth in both directions is JWT, signed with a shared secret. All of this requires implementing the protocols unique to Atlassian Connect either in your application, or as an intermediary service.

It seems that I have to have the site name before I can begin the OAuth process. Is it possible to capture that without asking the user to enter it as text?

Atlassian Connect pulls your application into JIRA, without a user needing to know their site name. Otherwise, there’s no way to find a site name from a user. Indeed, a user may belong to multiple sites. I know I do, and my username/password can be different in different sites.

3 Likes
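The shared-secret JWT check described in the answer above, sketched for an application that serves many Jira instances. This is an added example, not part of the original thread and not Atlassian's code. It assumes the token's `iss` claim names the instance and that one secret per instance was stored at install time; the instance keys and secrets are constructed.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data: one shared secret per Jira instance, saved at install time.
SECRETS = {"instance-a": "constructed-secret-a", "instance-b": "constructed-secret-b"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256(secret: str, signing_input: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def sign_jwt(claims: dict, secret: str) -> str:
    """Build an HS256 JWT; used here only to create sample tokens."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{b64url(hs256(secret, signing_input))}"

def verify_jwt(token: str, secrets_by_instance: dict, now: float = None) -> dict:
    """Return the claims of a valid token from a known instance, else raise ValueError."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # Pin the algorithm: never let the token choose "none" or another scheme.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    # The unverified issuer only selects which secret to check against.
    issuer = claims.get("iss")
    secret = secrets_by_instance.get(issuer) if isinstance(issuer, str) else None
    if secret is None:
        raise ValueError("unknown instance")
    expected = hs256(secret, f"{header_b64}.{payload_b64}")
    if not hmac.compare_digest(signature, expected):
        raise ValueError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired or missing exp")
    return claims
```

Because each instance has its own secret, a token signed by one instance cannot be replayed as another instance's identity.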

Thanks!

Since we’re providing yet another way for users to visualize their data, it still looks like the best way to access this is still to ask the user for their sitename/username/password, and use basic auth.

This way seems to be the only way our customers won’t have to contact their Jira Admin for access to a chart tool.

Yes. Basic auth is a common pattern for building integrations because the simple REST API is common to both JIRA Cloud and Server. I work with many SaaS vendors for whom REST is the best first step, so you’re in good company. :wink:

2 Likes