Hi,
I'm implementing an app which will make use of the REST API of JIRA. The app doesn't have its own users, but I'd like to use JIRA users directly, as the functionality of the app is tightly bound to JIRA.
For this I'd like to use the 3 legged OAuth mechanism present in JIRA for user authentication and authorization. I've implemented most of it and it's almost working, but a user which has already granted access to my consumer app will have to grant access again and again, every time he logs in. That will create a bunch of active access tokens in the JIRA OAuth Token list for that user. I would have expected that once a user has granted access to a consumer app (and as long as the access token is valid), he will not be asked again for granting access to the same consumer app.
Is there something to configure or maybe something I've missed? My implementation is taken from this answer https://answers.atlassian.com/questions/172760/is-there-any-jira-oauth-implementation-example-in-net
Cheers,
Tudor
But your described behaviour doesn't happen with other providers.
I have built an app that uses GitHub's OAuth, and it worked as expected: I don't have to authorize over and over. I'm confused by that behaviour with Jira, too.
Since the Consumer has to be registered in Jira, it should know that for this consumer a valid token still exists, and shouldn't re-ask to authorize the app.
Hi Stephan,
Thanks for your comment. You're right, but at the moment this is the only explanation I can come up with.
From a theoretical point of view OAuth should not be used for authentication, although the only practical difficulty in case of JIRA is the fact that it always sends another access token for an already authorized consumer. Maybe there is still a workaround for this and someone can explain it, but due to the lack of real documentation provided by Atlassian on OAuth for JIRA this is my only explanation at the moment.
Cheers,
Tudor
Hi raivil, I think you should not use this OAuth for authenticating users in your own system. You should have user management in your own system, separate from JIRA. With the use of the OAuth token you can then request resources from JIRA via the REST API. If you really need single sign-on, I think you'll need Crowd. Cheers, Tudor
Hey Tudor, thanks for replying. I wish my customer could/wanted to use Crowd too. I'm evaluating some solutions, and if I could use OAuth without getting an auth page every time it would be perfect. I'll think about alternatives. Best, Ronaldo
After some more reading I think I can try and answer my own question.
The implementation I'm trying to do is not correct and this is because OAuth is NOT an authentication protocol, it is an authorization one. It means that the consumer app's local users will be given authorization to certain resources on JIRA. When a local user has an access token, this will be stored in that local account (db) and used for later access to the JIRA resources. The OAuth dance should not happen again for a user which already has an active token. That basically means that I need to have local users in my consumer app if I want to use OAuth to access JIRA.
The functionality which I was looking for in my initial question can be achieved through the OpenID protocol, which provides an authentication mechanism. OpenID is implemented in the Atlassian Crowd server.
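The pattern described in this answer, as an added example that is not code from the thread or from Atlassian: the consumer app keeps each local user's JIRA access token in its own database and only runs the three-legged OAuth dance when that user has no usable token, so the grant screen is not shown on every login. `TokenStore`, `run_oauth_dance`, the token secret column and the expiry field are assumptions for illustration.

```python
# Added example: per-local-user token storage for a JIRA OAuth consumer.
# The OAuth dance itself (request token -> user approval -> access token) is
# the part already working in the question; here it is passed in as a callable
# and is only invoked when no valid token is stored for the local user.
import sqlite3
import time
from typing import Callable, Optional, Tuple


class TokenStore:
    """Per-local-user JIRA access tokens (SQLite; in-memory here for the demo).
    In a real app this table should be protected at rest like any credential."""

    def __init__(self, path: str = ":memory:") -> None:
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS jira_tokens ("
            "local_user TEXT PRIMARY KEY, token TEXT NOT NULL, "
            "secret TEXT NOT NULL, expires_at REAL NOT NULL)"
        )

    def get(self, local_user: str) -> Optional[Tuple[str, str, float]]:
        return self.db.execute(
            "SELECT token, secret, expires_at FROM jira_tokens WHERE local_user = ?",
            (local_user,),
        ).fetchone()

    def put(self, local_user: str, token: str, secret: str, expires_at: float) -> None:
        self.db.execute(
            "INSERT OR REPLACE INTO jira_tokens VALUES (?, ?, ?, ?)",
            (local_user, token, secret, expires_at),
        )
        self.db.commit()


def jira_credentials(
    local_user: str,
    store: TokenStore,
    run_oauth_dance: Callable[[], Tuple[str, str, float]],
    now: Callable[[], float] = time.time,
) -> Tuple[str, str]:
    """Return (token, secret) for this local user, reusing a stored token while
    it is still valid. run_oauth_dance() is assumed to return
    (token, secret, expires_at) after the user has granted access in JIRA."""
    row = store.get(local_user)
    if row is not None and row[2] > now():
        return row[0], row[1]  # valid token on file: no new grant screen
    token, secret, expires_at = run_oauth_dance()
    store.put(local_user, token, secret, expires_at)  # bind token to local account
    return token, secret
```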