I have made an atlassian connect application for Bitbucket and I have implemented JWT token validation, but there's a problem.
The payload I get when someone installs the app for the first time on their account simply lacks Authorization header and thus JWT token. Unlike what the documentation claims, this header is absent not just on first installation globally but on every first installation for each account.
The question is, how do I verify these installed events? When using a registered app I know the shared secret from my console, and I can check if shared secret given in the payload matches the one in my configuration. But if comparing shared secrets is sufficient for validation, why the whole process with JWT and qsh claim? The install hook request lacks a JWT token and thus it doesn't have any protections at all, it seems.
I do not know what is the general idea here.
Hi everyone, The Cloud team recently announced 12 new DevOps features that help developers ship better code, faster ! While we’re all excited about the new improvements to Bitbucket ...
Connect with like-minded Atlassian users at free events near you!Find an event
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no Community Events near you at the moment.Host an event
You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events