My application is connected with JIRA via Application Link and is using OAuth scheme for user authentication. So far so good. The main idea of app was to continiously provide info in realtime about issue changes to the application user. For this purpose, I was using rest api for creating a webhook during configuration process in app. Using webhook rest api requires JIRA Administrator permissions, and this is constantly frightening some users during the OAuth dance, because they believe that app can "hack" JIRA instance.
One way to solve this is to rid off the automatic webhook creation during configuration flow, and ask user to create it themselfs.
But, maybe there is a way to create such JIRA Administrators like group, whose users can only have read permissions on jira issues, but can work with webhooks via rest api?
I don't think that is currently possible. A possible approach is to build a simple add-on for JIRA and move that webhook creation logic into the add-on which internally exposes a single api for your app to consume. You can then have a validation in the api to check for `current logged in user` to belong to a specific group in JIRA to determine if the user has rights.
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
We're bringing product updates and pro tips on teamwork to ten cities around the world.Save your spot