Crowd REST API: Using crowd-token generated by application A to act on application B?

Thomas Lehmann October 27, 2012

Imagine two independent applications A and B, both allowed to authenticate users against Crowd through two application "links".

Is it a proper workflow that application A generates a crowd-token and uses it to directly request (API) functions of application B, with A's crowd token sent as a cookie?

It works of course, but is it secure and appropriate?

1 answer

joe (Atlassian Team) October 28, 2012

The recommended way of connecting Atlassian applications is through Application Links. Once applications have been configured to trust one another you will be able to use the applinks API to make calls between applications on behalf of users.

Thomas Lehmann November 2, 2012

Thank you for your fast answer.

I'm developing an application with Node.js that will connect to Jenkins. With Node I can't use the SPI, and the Jenkins crowd2 authentication plugin does not implement the SPI (even though it should maybe) (it uses the Crowd HTTP Client).

Actually my question was about the plain technical approach using my token to request the other application. So the basic question remains: may I treat a request as authenticated if the token shipped with it is valid?

My application has generated a Token with:

POST /session with username/password

returns ABCDEFG. The other application (e.g. Jenkins) should check it with:

POST /session/ABCDEFG

and will get 200 OK if the Token is valid?
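
The validation step described in the comment above, as it could look on application B's side in Node.js, failing closed on anything but a 200 that names a user; this is an added example, not code from the thread or from Atlassian. The `/rest/usermanagement/1` base path, the `validationFactors` body, the `user.name` response field and the token alphabet are assumptions, and the host and credentials are placeholders.

```javascript
// Added example (not from the thread). Base path, body shape and token
// alphabet are assumptions; the URL and credentials are placeholders.
const CROWD_BASE = 'https://crowd.example.invalid/crowd/rest/usermanagement/1';
const DENY = Object.freeze({ authenticated: false, user: null });

// Request application B sends to Crowd for a token taken from a cookie.
// B authenticates with its own application name/password, not A's.
function buildValidationRequest(token, clientIp, app) {
  // Assumed token alphabet: reject anything else before it reaches the URL path.
  if (typeof token !== 'string' || !/^[A-Za-z0-9]{1,128}$/.test(token)) return null;
  const basic = Buffer.from(`${app.name}:${app.password}`).toString('base64');
  return {
    method: 'POST',
    url: `${CROWD_BASE}/session/${token}`,
    headers: { Authorization: `Basic ${basic}`, 'Content-Type': 'application/json', Accept: 'application/json' },
    // Validation factors tie the token to the client it was issued to.
    body: JSON.stringify({ validationFactors: [{ name: 'remote_address', value: clientIp }] }),
  };
}

// Fail closed: only 200 plus a parseable session naming a user is accepted.
function interpretResponse(status, bodyText) {
  if (status !== 200) return DENY;
  try {
    const name = JSON.parse(bodyText)?.user?.name;
    return typeof name === 'string' && name ? { authenticated: true, user: name } : DENY;
  } catch {
    return DENY;
  }
}

// Default transport uses Node 18+ global fetch; tests can inject a stub.
const fetchSend = async (r) => {
  const res = await fetch(r.url, { method: r.method, headers: r.headers, body: r.body });
  return { status: res.status, text: await res.text() };
};

async function validateToken(token, clientIp, app, send = fetchSend) {
  const req = buildValidationRequest(token, clientIp, app);
  if (!req) return DENY;
  try {
    const { status, text } = await send(req);
    return interpretResponse(status, text);
  } catch {
    return DENY; // Crowd unreachable or timeout: treat as unauthenticated
  }
}
```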
