I have made an atlassian connect application for Bitbucket and I have implemented JWT token validation, but there's a problem.
The payload I get when someone installs the app for the first time on their account simply lacks Authorization header and thus JWT token. Unlike what the documentation claims, this header is absent not just on first installation globally but on every first installation for each account.
The question is, how do I verify these installed events? When using a registered app I know the shared secret from my console, and I can check if shared secret given in the payload matches the one in my configuration. But if comparing shared secrets is sufficient for validation, why the whole process with JWT and qsh claim? The install hook request lacks a JWT token and thus it doesn't have any protections at all, it seems.
I do not know what is the general idea here.
Hi everyone, We are looking to learn more about development teams’ workflows and pain points, especially around DevOps, integrations, administration, scale, security, and the related challeng...
Connect with like-minded Atlassian users at free events near you!Find an event
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no Community Events near you at the moment.Host an event