When using the JIRA Cloud REST API (creating issues, getting projects, etc) from our Connect App, we originally used a JWT in a “Authorization” header. i.e. Authorization: Bearer <JWT>
I believe we must have changed something (app scope?) and started receiving error responses. We added the JWT as a URL Param and it succeeded, i.e. POST /rest/api/2/issue?jwt=<JWT> returns a 200 and a created issue.
The error we get when using the JWT in a header when attempting to create an issue is:
HTTP/2.0 400 Bad Request
{"errorMessages":[],"errors":{"summary":"Field 'summary' cannot be set. It is not on the appropriate screen, or unknown.", "description": "Field 'description' cannot be set..."}}
Which leads me to believe we’re not providing the correct context in the JWT. However, I don’t understand why using the same JWT (aside from timestamps) works as a URL param for the same endpoint.
I’ve verified the payload in the JWTs used in both cases are the same, i.e.
@andy.ennamorato, so you are saying that when using Authorization: Bearer you get the 400 error for the summary field? That sounds very odd.
As to the choice of HTTP authentication scheme name, I’m not familiar with the history behind that. But I don’t think the JWT tokens used by apps to authenticate with Atlassian product APIs really meet the definition of Bearer tokens:
They are issued by clients, not by Atlassian.
They do require possession of cryptographic key material.
Additionally, although not strictly violating the definition of Bearer tokens, these tokens are transparent and typically meant to be single-use.
If it helps at all, per the roadmaps for our Developer Platform and for the Jira Cloud Platform API, we are finally introducing support for standard OAuth 2.0 flows which aims to replace many current usages of JWT authentication.
As far as my understanding goes we use Authorization: JWT ... unless we’re impersonating an end-user in which case we make a request to https://auth.atlassian.io/oauth2/token first and use part of the response as Authorization: Bearer ... when speaking to Atlassian.