How to authenticate to Jira REST API

Must be noted, it appears that you cannot create an authentication token from a "Confluence Cloud connect app" to authenticate with Jira Cloud when making Jira rest API calls.
Some say that the workaround is to implement a connect app on the Jira Cloud also, but how to do the exchange etc is not documented. I assume that is one way to get a clientId and sharedSecret from Jira Cloud to use in Confluence Cloud to get the accestoken?
Or do we still have to wait for AC-2001 ?

The most confusing part in the documentation is the thin line between a "connect app" and "non connect app" which also determines if oauth 3LO or 2LO is supported and wether a JWT is currently limited to one cloud product within the Atlassian cloud ecosystem. Hence "OR" in documentation.

Although it can be accomplished by using the userid + apitoken approach, the only downside to this is that the apitoken can only be generated by the user manually.

Ofcourse there's the approach of creating two separate connect apps for Confluence Cloud and Jira Cloud, the last that only serves a oauthClientId and sharedSecret to use on the Concfluence side.

This solution needs to be revised since Basic Auth and Cookie-based Auth has been depreciated and removed from the API.

They have not been removed and I doubt they will be removed soon. The OAuth (1.0) method is terrible and at least an API token method should be added before removing BasicAuth and/or Cookie based authentication.

The method in the example requires a PEM key to the server. If I got a permanent access token from Jira how can that be used? I basically want to do what rest-oauth-client-1.0.one-jar.jar does but using python

@Don DewarSee point 2 & 3 you have your answer there.

Thanks. I finally did figure that out but now get this traceback.

./app2.py
Traceback (most recent call last):
  File "./app2.py", line 11, in <module>
    r = s.get("https://********/jira/rest/api/2/issue/*****-4313")
  File "/Library/Python/2.7/site-packages/requests/sessions.py", line 521, in get
    return self.request('GET', url, **kwargs)
  File "/Library/Python/2.7/site-packages/requests/sessions.py", line 508, in request
    resp = self.send(prep, **send_kwargs)
  File "/Library/Python/2.7/site-packages/requests/sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
  File "/Library/Python/2.7/site-packages/requests/adapters.py", line 440, in send
    timeout=timeout
  File "/Library/Python/2.7/site-packages/urllib3/connectionpool.py", line 601, in urlopen
    chunked=chunked)
  File "/Library/Python/2.7/site-packages/urllib3/connectionpool.py", line 346, in _make_request
    self._validate_conn(conn)
  File "/Library/Python/2.7/site-packages/urllib3/connectionpool.py", line 850, in _validate_conn
    conn.connect()
  File "/Library/Python/2.7/site-packages/urllib3/connection.py", line 337, in connect
    cert = self.sock.getpeercert()
  File "/Library/Python/2.7/site-packages/urllib3/contrib/pyopenssl.py", line 348, in getpeercert
    'subjectAltName': get_subj_alt_name(x509)
  File "/Library/Python/2.7/site-packages/urllib3/contrib/pyopenssl.py", line 222, in get_subj_alt_name
    for name in ext.get_values_for_type(x509.DNSName)
  File "/Library/Python/2.7/site-packages/urllib3/contrib/pyopenssl.py", line 175, in _dnsname_to_stdlib
    name = idna_encode(name)
  File "/Library/Python/2.7/site-packages/urllib3/contrib/pyopenssl.py", line 173, in idna_encode
    return idna.encode(name)
  File "/Library/Python/2.7/site-packages/idna/core.py", line 355, in encode
    result.append(alabel(label))
  File "/Library/Python/2.7/site-packages/idna/core.py", line 265, in alabel
    raise IDNAError('The label {0} is not a valid A-label'.format(label))
idna.core.IDNAError: The label Bundle_***** is not a valid A-label

which appears to be a correct error given the IDNA name has an underscore in it. (note company specific names are obscured in the traceback with asterisks). I haven't been able to find a work around for this, but that is a python community issue rather than Jira.

@Don DewarI suspect that some  library is missing for  me it worked for me using  the code  which  i have provided  in the  link  above.  I suggest  you  install pycharm  and then run your code  with   pycharm  will  show you message on  what  is missing.  Then  once you  have run  the code  go  to  >settings  > project interpreter and then  click (+ )  button to  add missing  packages.

But  make  sure you  are doing the right thing,  following  the documentation  .

[We're new here, so please forgive any newb errors, like posting too late or in the wrong location. Advice on this is very welcome ... ]

OAuth 2.0 (3LO) issues:

We are building an internal message system to display some company wide data, including the status of Jira Issues for each of our teams. We're writing this in VueJS. The data is obtained (successfully) from the Jira API, and passed to a Google Chart. Up to this point, we've been satisfied using Basic Authentication to get things up and running, but are now trying to implement OAuth 2.0. It's proving difficult. There are very few examples here and other places online, and those we've seen don't include much detail as yet.

In particular during our OAuth2.0 (3LO) authorization we are able to retrieve an authentication code successfully in step 1 as outlined in the documentation. This code is then parsed from the URL into the second 'exchange' to receive a token as outlined in step 2 in the same documentation.

Documentation: https://developer.atlassian.com/cloud/jira/platform/oauth-2-authorization-code-grants-3lo-for-apps/

However, when trying to retrieve the token the response errors out with a 401 and is:

{"error":"access_denied","error_description":"Unauthorized"}

Multiple attempts have been made to check for syntax errors  - however the authorization and syntax we use is identical to that found in the Jira API documentation (as far as we can tell).

We are at a loss as to what could be causing this. Our code is posted below - with the user data omitted. (We're convinced it was accurate as well before deletion). Hopefully explanation and code provide enough information for some others to provide help and/or hints that we and others might be able to use.

(If you've read this far, thanks so much for your interest and patience!)

Paul and Dave

Relevant Code:

// This code works fine.
oAuthTwoAttempt: function () {
var redirectURL = `https://auth.atlassian.com/authorize?audience=api.atlassian.com&client_id=xxxx&scope=read%3Ajira-work&redirect_uri=http%3A%2F%2Flocalhost%3A3000&state=5555&response_type=code&prompt=consent`
this.redirectedRecently = true;
window.location.href = redirectURL;
},

// Extracting the code from the URL
getParameterByName: function(name, url) {
if (!url) url = window.location.search;
name = name.replace(/[\[\]]/g, '\\$&');
var regex = new RegExp('[?&]' + name + '(=([^&#]*)|&|#|$)'),
results = regex.exec(url);
if (!results) return null;
if (!results[2]) return '';
return decodeURIComponent(results[2].replace(/\+/g, ' '));
},

// This function causes the 401 error response. The server will respond successfully - just with an error.
oAuthExchange: function () {
var authCode = this.getParameterByName("code", window.location.search);
console.log("Auth Code: " + authCode);
var headers = {
"Content-Type" : "application/json"
};
var jiraData = //'{"grant_type": "authorization_code","client_id": "xxxx","client_secret": "xxxx","code": "' + authCode + '","redirect_uri": "http%3A%2F%2Flocalhost%3A3000"}'
{
"grant_type": "authorization_code",
"client_id": "xxxx",
"client_secret": "xxxx",
"code": authCode,
"redirect_uri": "http%3A%2F%2Flocalhost%3A3000"
}
console.log(jiraData);
fetch(
'https://auth.atlassian.com/oauth/token',
{
method: "POST",
headers: headers,
data: jiraData
})
.then(response => {
return response.json();
})
.then(jsonData => {
});
}

This appears to not have been viewed, so I reposted it here: https://community.atlassian.com/t5/Jira-discussions/OAuth-2-0-a-challenge/m-p/1295627#M10459 Thanks!