What would be the private and public key to validate a Jira access token?

Nikhil Dhiman January 6, 2023

I am working on a requirement where we are going to use the OAuth 2.0 (3LO) flow for authentication purposes with one of our applications. I was successfully able to generate an access token by going through the steps mentioned here: https://developer.atlassian.com/cloud/confluence/oauth-2-3lo-apps/

I want to validate the above generated access token in a backend application, and to do the same we need a private and public key (or IssuerSigningKey). I am not sure where I can find the same?

Thanks much in advance!

Nic Brough -Adaptavist-
Rising Star
January 6, 2023

Welcome to the Atlassian Community!

I am not sure what you mean by "validate access token"?

The private and public key pair should be created for your account. If you're on a proper operating system, you can generate a new pair really easily by just running "ssh-keygen" on the command line.

Nikhil Dhiman January 7, 2023

Hi @Nic Brough -Adaptavist-,

Thanks for the answer, I will provide you with detailed information for my query.

I have created an OAuth 2.0 integration app at https://developer.atlassian.com/ by following all the steps mentioned at https://developer.atlassian.com/cloud/jira/platform/oauth-2-3lo-apps/

Now there are two steps involved to get a JWT access token to make Jira API calls:

1. Start the authorization flow by directing the user to the authorization URL https://auth.atlassian.com/authorize with all required parameters.
It will provide an authorization code, which is again a JWT token only, and we can validate the signature of this authorization code with the client_secret mentioned in the settings of the OAuth 2.0 integration app. We can simply visit https://jwt.io/ and in the signature field provide the client_secret, and it will say the JWT token signature is valid.

2. Now, to get the actual access token (which is in JWT format only), we need to make another call to https://auth.atlassian.com/oauth/token with all required parameters. If successful we will get an access token, and now if I simply visit https://jwt.io/ and paste this access token, in the Verify signature part it will ask for a public and private key pair. Now my question is where I can get the same. I assumed the public key would be the client_id and the private key would be the client_secret mentioned in the settings of the OAuth 2.0 integration app, but that is not the case.

I am looking for this private/public key because I just want to validate the signature of this access token without making any further Jira call.

Note: We are using organizational-level Jira Cloud.

Nic Brough -Adaptavist-
Rising Star
January 7, 2023

So what happens when you create the key pair you need?

Nikhil Dhiman January 7, 2023

Hi @Nic Brough -Adaptavist-,

This is the point: I am not creating any key pair on my side. I am assuming that I should get the same from the OAuth 2.0 integration app settings.

If you are saying I should generate a key pair on my side, I can do the same, but the question is how internally it will be linked to the OAuth 2.0 integration app created at https://developer.atlassian.com/console/myapps/

Note: I am using Jira Cloud as a developer.

Maybe I am missing something here. Could you please guide me to do it in the right way?

Nic Brough -Adaptavist-
Rising Star
January 8, 2023

As you say, "In the Verify signature part it will ask for a public and private key pair."

That's where you link them.

Nikhil Dhiman January 8, 2023

Hi @Nic Brough -Adaptavist-,

I was going through one of the posts where a person mentioned: "the format of the access token is an implementation detail, and we do not give out the public or private keys associated with it. Our code takes care of verifying the access token."

What's that then?

Thomas Dedek
I'm New Here
June 1, 2023

Hi @Nikhil Dhiman,

I recently had the same question: how to verify a token created via OAuth2 3LO as described above.

Atlassian is signing the tokens using RS256, which means they are using a private key to sign them and everyone should be able to verify them with a public key.

So the question is how to get the public key, and unfortunately there is no documentation about that from Atlassian.

Luckily there is a general requirement for OpenID providers to publish a configuration file which contains this information: https://auth.atlassian.com/.well-known/openid-configuration

The public key for each "kid" can be found via the "jwks_uri" setting, which in our case points to https://auth.atlassian.com/.well-known/jwks.json

To verify the token you have to do the following:

There are also general JWT libraries available which do that key lookup automatically when given the JWKS URI.

Probably that helps.
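The following is an added example, not code from Atlassian or from anyone in this thread, showing the verification path Thomas describes and the two-step flow Nikhil laid out earlier: read the token's "kid", pick the matching RSA public key out of the JWKS document found through the "jwks_uri" entry of the openid-configuration, check the RS256 (RSA PKCS#1 v1.5 with SHA-256) signature, then check issuer, audience and expiry. Only the standard library is used so the RSA arithmetic is visible. Because the issuer's private key is never available to a client, the example generates a throwaway demo key pair and signs a constructed token with it; the ISSUER and AUDIENCE constants are placeholders, and the real values come from the "issuer" field of the openid-configuration document and from your app registration. `load_jwks` is the only part that touches the network and is not exercised by the demo.

```python
"""RS256 JWT verification against a JWKS document (added example, not Atlassian code)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
import urllib.request

# Assumed placeholders; real values come from openid-configuration "issuer" and your app.
ISSUER = "https://issuer.example"
AUDIENCE = "example-client-id"

# DigestInfo prefix for SHA-256 in EMSA-PKCS1-v1_5 (RFC 8017, section 9.2, note 1).
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def emsa_pkcs1_v15(message: bytes, em_len: int) -> bytes:
    """00 01 FF..FF 00 DigestInfo||SHA-256(message), padded to the modulus length."""
    t = SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin, used only to build the throwaway demo key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if _is_probable_prime(candidate):
            return candidate


def generate_rsa_key(bits: int = 1024) -> dict:
    """Demo-only key pair: too small for real use, enough to show the mechanics."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def jwks_from_key(key: dict, kid: str) -> dict:
    """Publish the public half in the shape a jwks_uri document uses (constructed)."""
    k = (key["n"].bit_length() + 7) // 8
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": b64url_encode(key["n"].to_bytes(k, "big")),
                      "e": b64url_encode(key["e"].to_bytes(3, "big"))}]}


def load_jwks(openid_config_url: str) -> dict:
    """Discover jwks_uri from the openid-configuration document and fetch it (network)."""
    with urllib.request.urlopen(openid_config_url, timeout=10) as resp:
        jwks_uri = json.load(resp)["jwks_uri"]
    with urllib.request.urlopen(jwks_uri, timeout=10) as resp:
        return json.load(resp)


def sign_rs256(claims: dict, key: dict, kid: str) -> str:
    """Issuer side; present only to produce a demo token to verify."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    k = (key["n"].bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(signing_input.encode(), k), "big")
    return signing_input + "." + b64url_encode(pow(em, key["d"], key["n"]).to_bytes(k, "big"))


def verify_rs256(token: str, jwks: dict, issuer: str, audience: str, now=None) -> dict:
    """Return the claims if signature, issuer, audience and expiry check out; raise otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "RS256":  # refuse alg=none and HMAC downgrade attempts
        raise ValueError("unexpected alg")
    jwk = next((j for j in jwks["keys"] if j.get("kty") == "RSA" and j.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("no key in JWKS matches kid")
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    signature = b64url_decode(parts[2])
    if len(signature) != k:
        raise ValueError("bad signature length")
    recovered = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    expected = emsa_pkcs1_v15(f"{parts[0]}.{parts[1]}".encode(), k)
    if not hmac.compare_digest(recovered, expected):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def is_valid(token: str, jwks: dict, issuer: str, audience: str, now=None) -> bool:
    try:
        verify_rs256(token, jwks, issuer, audience, now)
        return True
    except ValueError:
        return False


def build_demo(now=None) -> tuple:
    """Constructed issuer: fresh demo key, a signed token and the matching JWKS."""
    now = int(time.time()) if now is None else now
    key, kid = generate_rsa_key(), "demo-key-1"
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "example-user", "iat": now, "exp": now + 3600}
    return sign_rs256(claims, key, kid), jwks_from_key(key, kid)


if __name__ == "__main__":
    demo_token, demo_jwks = build_demo()
    print(verify_rs256(demo_token, demo_jwks, ISSUER, AUDIENCE))
```

Against a real token you would replace `build_demo` with `load_jwks(".../.well-known/openid-configuration")` and the issuer's published values; the pinned `alg` check matters because the header is attacker-controlled until the signature has been verified, and the "kid" lookup is the step that answers the original question: there is no key to copy out of the app settings, the verifier fetches the public key from the JWKS.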
