Which app method is efficient to create third party integration applications (connect or forge)?

Hi all,
I am trying to create a third-party integration application in Jira which needs to be shown on the Jira issue contents page. I will explain my requirements. Based on my requirements, kindly share your suggestions.

  1. I need to get an API key from the user after installation of the app from the Atlassian Marketplace and need to store the API key securely, without using my own DB, to make some third-party API requests.

  2. I need to perform API requests using the API key that I stored and show the response data on the Jira issue contents page.

These are my requirements. To accomplish my requirements, which option is better (Connect app or Forge app)?

Thanks in advance…

At this stage, for any new app development, I would strongly advise you to go with Forge.

The only caveat to take into consideration is that Forge is still actively being developed and lacks some of the features available to developers using Connect.

As such, it might be possible that down the road you will find yourself in need of features that are missing in Forge. At that point you might need to reconsider.

Hopefully, given the speed of development by the Forge team, you will not have to wait long for feature parity and you’ll never have to question your choice.

I hope this makes sense.

2 Likes

Hi @remie, thanks for your reply. I also chose the same option that you suggested. Now I am searching for how to store an API key securely without using my own DB. If you have any ideas in this case, kindly share your suggestions.

While Forge does have a storage option - it is not intended for credentials:
https://developer.atlassian.com/platform/forge/runtime-reference/storage-api-reference/


You should avoid using the app Storage API for storing the following types of data:
Files
Secrets and credentials

So you’ll either need to abstract out the storage of the keys to another service or switch to connect (and everything it entails).

2 Likes

Hi @danielwester, thanks for your reply. It is suggested not to store confidential data in app properties and entity properties. That’s why I moved to Forge, to get any feature that is missing in Connect. Now I have one doubt. Can I store the API key in user properties?
If it’s possible,

  1. Is it safe to store the API key in user properties?
  2. Shall I retrieve the logged-in user’s user properties while the page is loading?

User properties shouldn’t be used for that. User properties are readable by the admin, the user AND any app that uses the ACT_AS_USER scope.

If you’re storing user specific access keys to third party keys - you’ll need to handle the storage of those yourself.

/Daniel

2 Likes

Is there any possibility to add encryption to API keys and store them in session storage? If possible, is it safe to implement?

Hi @SuryaA, @remie and @danielwester,

If you want to use Forge, you could possibly create and store a key using a secure environment variable (forge variables:set --encrypt myCryptoKey cryptoSecret) and then use this to encrypt/decrypt data that could be stored using the Forge storage API.

Regards,
Dugald
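The approach suggested in the post above, sketched as an added example that is not part of the original thread or Atlassian's own code: a user-supplied API key is sealed with AES-256-GCM under a key derived from the encrypted variable before it is written to storage. It assumes the variable is read as `process.env.myCryptoKey`; the `Map` standing in for the Forge storage API, the function names and the fallback secret are hypothetical and constructed for the example.

```javascript
// Added example: seal a user-supplied API key before it goes into app storage.
const crypto = require('node:crypto');

// Assumption: the value set with `forge variables:set --encrypt myCryptoKey ...`
// is read from process.env; the fallback is constructed so this runs offline.
const SECRET = process.env.myCryptoKey || 'constructed-demo-secret-not-for-production';
// Hypothetical stand-in for the Forge storage API (a plain key/value store).
const fakeStorage = new Map();

function sealApiKey(apiKey, accountId, secret = SECRET) {
  const salt = crypto.randomBytes(16);             // per-record salt for key derivation
  const iv = crypto.randomBytes(12);               // 96-bit GCM nonce, fresh per record
  const key = crypto.scryptSync(secret, salt, 32); // 256-bit key from the secret
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(accountId, 'utf8'));   // bind the record to one account
  const ct = Buffer.concat([cipher.update(apiKey, 'utf8'), cipher.final()]);
  // Stored layout: salt(16) | iv(12) | tag(16) | ciphertext, base64-encoded.
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

function openApiKey(blob, accountId, secret = SECRET) {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < 44) throw new Error('stored record too short');
  const key = crypto.scryptSync(secret, raw.subarray(0, 16), 32);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(16, 28));
  decipher.setAAD(Buffer.from(accountId, 'utf8'));
  decipher.setAuthTag(raw.subarray(28, 44));
  // final() throws if the key, account binding, tag or ciphertext do not match.
  return Buffer.concat([decipher.update(raw.subarray(44)), decipher.final()]).toString('utf8');
}

function saveApiKey(accountId, apiKey) {
  fakeStorage.set(`apikey:${accountId}`, sealApiKey(apiKey, accountId));
}

function loadApiKey(accountId) {
  const blob = fakeStorage.get(`apikey:${accountId}`);
  return blob === undefined ? null : openApiKey(blob, accountId);
}
```

Binding the account id as associated data means a record copied under another user's storage key fails authentication instead of decrypting. Confidentiality rests entirely on the secret variable: anyone holding both the stored record and that value can recover the API key.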

Hi @dmorrow, thanks for your reply. Is it possible to store user credentials securely with Forge? Can you please send any reference document for doing that?

EDIT: I misunderstood @dmorrow’s message. He was referring to how you can securely store encryption keys that can be used to encrypt data that you want to store in Forge Storage API.

— please ignore this :arrow_heading_down:

I think the goal in this case is to allow the storage of a per user / per instance API key / personal access token to a 3rd party service. Or alternatively an OAuth refreshToken that would allow the app to access that 3rd party service on their behalf. So it’s not a known secret from the vendor, but something that the user would provide. Using forge variables:set is not really scalable in this scenario :smiley:

Hi @remie @dmorrow
What about encrypting the API key and splitting the private key and the encrypted token into two different locations (private key in user properties and the encrypted token in a DB)? That way it can be more secure, by making sure only the app has access to both locations. Is this efficient for my requirements? Is it possible to do it like this?
I don’t have any option. That’s why I chose to use my own DB.