I am working on a requirement where we are going to use the OAuth 2.0 (3LO) flow for authentication purposes with one of our applications. I was successfully able to generate an access token by going through the steps mentioned here: https://developer.atlassian.com/cloud/confluence/oauth-2-3lo-apps/
I want to validate the above generated access token in a backend application, and to do the same we need a private and public key (or IssuerSigningKey). I am not sure where I can find the same?
Thanks much in advance!
Thanks for the answer, I will provide you with detailed information for my query.
I have created OAuth 2.0 integration app at https://developer.atlassian.com/ by following all the steps mentioned at https://developer.atlassian.com/cloud/jira/platform/oauth-2-3lo-apps/
Now there are two steps involved to get a JWT access token to make Jira API calls:
1. Start the authorization flow by directing the user to the authorization URL https://auth.atlassian.com/authorize with all required parameters.
It will provide an authorization code, which is again just a JWT token, and we can validate the signature of this authorization code with the client_secret mentioned in the settings of the OAuth 2.0 integration app. We can simply visit https://jwt.io/, provide the client_secret in the signature field, and it will say the JWT token signature is valid.
2. Now to get the actual access token (which is also in JWT format) we need to make another call to https://auth.atlassian.com/oauth/token with all required parameters. If successful we will get an access token, and now if I simply visit https://jwt.io/ and paste this access token, in the Verify Signature part it will ask for a public and private key pair. Now my question is where I can get the same. I assumed the public key would be the client_id and the private key would be the client_secret mentioned in the settings of the OAuth 2.0 integration app, but it is not the case.
I am looking for this private/public key because I just want to validate the signature of this access token without making any further Jira call.
Note: We are using the organizational level Jira cloud.
So what happens when you create the key pair you need?
This is the point: I am not creating any key pair on my side. I am assuming that I should get the same from the OAuth 2.0 integration app settings.
If you are saying I should generate a key pair on my side, I can do the same, but the question is how internally it will be linked to the OAuth 2.0 integration app created at https://developer.atlassian.com/console/myapps/.
Note: I am using Jira cloud as a developer.
Maybe I am missing something here. Could you please guide me to do it in the right way?
As you say "In the Verify signature part it will ask for a public and private key pair."
That's where you link them.
I was going through one of the posts where a person mentioned "the format of the access token is an implementation detail, and we do not give out the public or private keys associated with it. Our code takes care of verifying the access token."
What's that then?
I recently had the same question of how to verify a token created via OAuth2 3LO as described above.
Atlassian is signing the tokens using RS256 which means they are using a private key to sign it and everyone should be able to verify it with a public key.
So the question is how to get the public key and unfortunately there is no documentation about that from Atlassian.
Luckily there is a general requirement for OpenID providers to provide the configuration file which contains this information: https://auth.atlassian.com/.well-known/openid-configuration
The public keys for each "kid" can be found in the "jwks_uri" setting which in our case points to https://auth.atlassian.com/.well-known/jwks.json
To verify the token you have to do the following:
There are also general JWT libraries available which do that key lookup automatically when provided with the JWKS URI.
Probably that helps.