Confluence REST API token authentication

I'm looking to build an internal helper app using the Jira REST API. Basically to automate/make easier some things that are a pain in Jira (Why you can't have either fixVersions or Components globally I do not understand!)

 

The docs are quite against using cookie-based auth with the REST API.  However, my requirements are that:

  • The user of my app has to log in/authenticate themselves.  They should do so using their Jira credentials
  • The app then runs as that user, so has permissions, etc. appropriate to that user and any actions are seen as being by that user.

 

I don't really see why cookie-based isn't actually the most secure here?  As I see it the options are

  • OAUTH. I understand that you can impersonate a user when using OAUTH authentication (https://community.atlassian.com/t5/Answers-Developer-Questions/How-do-you-impersonate-a-user-with-JIRA-oauth/qaq-p/476116).  But the problems I see are:
    • Impersonation isn't authentication
    • I guess I could authenticate by posting to auth/session, but then I'd have to implement session handling directly myself to keep track of which user it is for that session - all the drawbacks of cookie-based authentication and extra work
  • Basic Authentication.  I guess this would be as the correct user, but it means I have to have a session (again, all the drawbacks) and also store the user's password in that session, which should be a definite no-no

 

Is there something I'm missing, or are the docs just missing this use case when they recommend not using cookie-based?

 

Knowing about their current Jira session so they don't need to re-authenticate would be best of course, but if I want that I guess I need to bite the bullet and write a proper plugin, instead of a quick, external, helper app :)

 

I'm probably going to go ahead and implement with cookies, just wondering what if anything I've missed here.

0 answers
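
Added example, not part of the original post: a sketch of the session handling the question describes, where the helper app posts the user's credentials to Jira's auth/session resource once and afterwards keeps only the returned session cookie against an opaque app token, never the password. The `/rest/auth/1/session` path and response shape are those of Jira Server's REST API; `SessionBroker`, `SESSION_TTL` and the in-memory store are hypothetical names chosen for illustration.

```python
import json
import secrets
import time
import urllib.request

SESSION_TTL = 15 * 60  # seconds; assumed idle timeout for the helper app


def jira_login(base_url, username, password):
    """POST credentials to Jira's auth/session resource; return (cookie_name, cookie_value)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/rest/auth/1/session",
        data=json.dumps({"username": username, "password": password}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:  # HTTPError on bad credentials
        session = json.load(resp)["session"]
    return session["name"], session["value"]


class SessionBroker:
    """Maps an opaque app token to the user's Jira session cookie; the password is not kept."""

    def __init__(self, login=jira_login, clock=time.monotonic):
        self._login, self._clock, self._store = login, clock, {}

    def sign_in(self, base_url, username, password):
        name, value = self._login(base_url, username, password)
        token = secrets.token_urlsafe(32)  # value the helper app's own cookie would carry
        self._store[token] = {"user": username, "cookie": f"{name}={value}",
                              "expires": self._clock() + SESSION_TTL}
        return token

    def headers_for(self, token):
        """Headers for a Jira REST call as the signed-in user, or None if unknown or expired."""
        entry = self._store.get(token)
        if entry is None or entry["expires"] <= self._clock():
            self._store.pop(token, None)  # drop expired entries so the cookie is not retained
            return None
        entry["expires"] = self._clock() + SESSION_TTL  # sliding expiry on each use
        return {"Cookie": entry["cookie"], "Accept": "application/json"}

    def sign_out(self, token):
        self._store.pop(token, None)
```

The token handed to the browser should be set as a `Secure`, `HttpOnly` cookie so that neither the Jira session value nor the credentials ever reach client-side script.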
