
Why is a user always asked to Allow/Deny access for OAuth consumer app?

tudor oprea December 4, 2013

Hi,

I'm implementing an app which will make use of the REST API of JIRA. The app doesn't have its own users, but I'd like to use JIRA users directly, as the functionality of the app is tightly bound to JIRA.

For this I'd like to use the 3 legged OAuth mechanism present in JIRA for user authentication and authorization. I've implemented most of it and it's almost working, but a user which has already granted access to my consumer app will have to grant access again and again, every time he logs in. That will create a bunch of active access tokens in the JIRA OAuth Token list for that user. I would have expected that once a user has granted access to a consumer app (and as long as the access token is valid), he will not be asked again for granting access to the same consumer app.

Is there something to configure or maybe something I've missed? My implementation is taken from this answer https://answers.atlassian.com/questions/172760/is-there-any-jira-oauth-implementation-example-in-net

Cheers,

Tudor

2 answers

0 votes
stephan_wentz December 8, 2013

But your described behaviour doesn't happen with other providers.

I have built an app that uses GitHub's OAuth, and it worked like expected, I don't have to authorize over and over. I'm confused by that behaviour with Jira, too.

Since the Consumer has to be registered in Jira, it should know that for this consumer a valid token still exists, and shouldn't re-ask to authorize the app.

tudor oprea December 9, 2013

Hi Stephan,

Thanks for your comment. You're right, but at the moment this is the only explanation I can come up with.

From a theoretical point of view OAuth should not be used for authentication, although the only practical difficulty in case of JIRA is the fact that it always sends another access token for an already authorized consumer. Maybe there is still a workaround for this and someone can explain it, but due to the lack of real documentation provided by Atlassian on OAuth for JIRA this is my only explanation at the moment.

Cheers,

Tudor

Ian Kelly October 8, 2014

Hey Stephen - did you resolve your issue at all? I'm seeing exactly the same thing, and I'm wondering whether I need to use Crowd or not.

raivil March 20, 2015

I have the same issue here. Working with Jira OnDemand. Every time a user logs in the authorization page shows up.

tudor oprea March 20, 2015

Hi raivil, I think you should not use this OAuth for authenticating users in your own system. You should have user management in your own system, separate from JIRA. With the use of the OAuth token you can then request resources from JIRA via the REST API. If you really need single sign on, I think you'll need Crowd. Cheers, Tudor

raivil March 23, 2015

Hey Tudor, Thanks for replying. I wish my customer could/want to use Crowd too. I'm evaluating some solutions, and if I could use OAuth without getting an auth page every time it would be perfect. I'll think about alternatives. best, Ronaldo

0 votes
tudor oprea December 8, 2013

After some more reading I think I can try and answer my own question.

The implementation I'm trying to do is not correct and this is because OAuth is NOT an authentication protocol, it is an authorization one. It means that the consumer app's local users will be given authorization to certain resources on JIRA. When a local user has an access token, this will be stored in that local account (db) and used for later access to the JIRA resources. The OAuth dance should not happen again for a user which already has an active token. That basically means that I need to have local users in my consumer app if I want to use OAuth to access JIRA.

The functionality which I was looking for in my initial question can be achieved through the OpenID protocol, which provides an authentication mechanism. OpenID is implemented in the Atlassian Crowd server.
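As an added example (not code from this thread or from Atlassian), here is a minimal consumer-side model of what this answer describes: users are authenticated by the consumer app's own account store, the JIRA access token is kept on the local account and reused on every later login, and the 3-legged OAuth dance runs only when no valid token exists. The `run_oauth_dance` hook, the token lifetime and all names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

@dataclass
class JiraToken:
    """Access token and secret JIRA issues at the end of the 3-legged dance."""
    token: str
    secret: str
    expires_at: float  # assumed: JIRA access tokens have a finite lifetime

@dataclass
class LocalUser:
    username: str
    salt: bytes
    password_hash: bytes
    jira_token: Optional[JiraToken] = None  # stored per local account, reused later

class ConsumerApp:
    # Authentication is local; OAuth is used only for authorization against JIRA.
    def __init__(self, run_oauth_dance: Callable[[str], JiraToken]) -> None:
        self.users: Dict[str, LocalUser] = {}
        self.run_oauth_dance = run_oauth_dance  # hypothetical hook performing the 3-legged flow
        self.dances_run = 0  # counts how often the user was sent to the Allow/Deny page

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = LocalUser(username, salt, self._hash(password, salt))

    def login(self, username: str, password: str) -> bool:
        """Local authentication: no OAuth dance is involved here at all."""
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(user.password_hash, self._hash(password, user.salt))

    def jira_token_for(self, username: str, now: Optional[float] = None) -> JiraToken:
        """Return the stored JIRA token; run the dance only if none is stored or it expired."""
        user = self.users[username]
        now = time.time() if now is None else now
        if user.jira_token is None or user.jira_token.expires_at <= now:
            user.jira_token = self.run_oauth_dance(username)
            self.dances_run += 1
        return user.jira_token
```

A second login for the same local user therefore never shows the Allow/Deny page again, and no extra entries pile up in the user's JIRA OAuth token list.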
