How to use the access token for REST calls?

I've finally cracked the code of using JIRA authentication endpoints with OAuth.  It wasn't easy, but the key was using the RSA-SHA1 algorithm (not very standard - most implementations use HMAC-SHA1) - and the private key in the consumer-secret. BTW, when will OAuth2 be available???

Anyway, now that I do the 3-legged dance, and I have an oauth_token... now - how do I use it? I can't find a single example of actually using that token in an HTTP request for the REST interface.

Typically I would format it into the header of a request like so:

```
{ "Authorization" : "Bearer gZ9qgJLEaNJh3349VEIbCQ9jm7baNAbcDefgVjFqJY" }
```

But this doesn't seem to do the trick, even for a very simple query. 

How should the auth_token be formatted and used? I can't find any examples or instructions on this...

4 answers

1 accepted

Each of the sample clients uses libraries which use other libraries - and the stack is deep. My biggest problem with the documentation and the samples is that they do not provide actual HTTP examples - they hide the details in curl or some other shared library. That is all well and good if you don't need to understand it, or just need to implement what someone else already has, using a library someone already has. But I read the blogs and I am not the only one that finds this approach - wanting.

I have no problem using RSA-SHA1 or acquiring the access token, but every example I've seen after that step uses curl with basic auth to access data - which is somewhat pointless. Every OAuth 1.0a server (and actually every OAuth 2 server) differs in implementation - I am looking for the similarities and the differences. Since I'm not using the languages or libraries that are covered so far in the published samples, I am left to experiment to find out these implementation necessities. Again, I am not the only one.

My next step is to follow the OAuth bible and see if that gets me where I want to go. A tangible sample with HTTP request and response for each would be much better than a collection of specific-library-built-samples. Everyone who approaches this, it seems, is left to dissect a sample that is not in the language they are using to try to glean the basic protocol. That's like teaching students how to be a doctor by sending them to the morgue to do autopsies. There might be a better way.


I can add my own sample to the list of "here's how you do it in my technology" - but I'd rather provide a more general answer if possible. Let me re-iterate: requiring people to install, build, and run examples in a completely different set of technologies in order to find the pattern is not very productive.

The short answer is: roughly the OAuth1 format for Authorization header, but digitally signed using RSA-SHA1. Here is an example of an actual working HTTP header for a simple GET:

```
OAuth oauth_signature="C3xuGDhahnuQiro38jl5an3EjnzdGWEOWx%2Z3MAXfN7vM%2FLtI%3D...",
oauth_token="EbW09Uz...gDwN3rbtJYaP9bUf",
oauth_consumer_key="this...is...my...key",
oauth_signature_method="RSA-SHA1",
oauth_timestamp="1429802221",
oauth_nonce="8hv19a39n5k31207ivp997i6fn",
oauth_version="1.0"
```

These are the critical pieces needed for the Authentication header:

`oauth_signature` - the RSA-SHA1 signature which should be a signed concatenated string which includes the full URL (including query parameters) and the other headers.

`oauth_token` - this is the token returned from the second leg of the OAuth dance

`oauth_consumer_key` - this is your consumer key, the one you registered with JIRA when you added a 'Link'

`oauth_signature_method` - hard-coded 'RSA-SHA1'

`oauth_timestamp` - current time stamp, likely filled in by your library.

`oauth_nonce` - arbitrary id that is unique to this message. Don't try to re-use this. Generate it anew for each call. Also potentially generated by a good OAuth library.

`oauth_version` - hard-coded "1.0"

All of these parameters (except for oauth_signature) should be formatted into what is known as a `base string` which can be digitally signed using the private key you generated before you registered your application with Jira. That signature is then Base64 encoded and placed into the oauth_signature parameter. All of these are formatted as above with quotes around the values and comma-separated into the `Authentication` header on the request.

(wow, that was easy...)

Ping me if you are looking for a Clojure example of this.
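An added example, not the answer's own code: it builds the base string the answer describes, signs it with RSA-SHA1 (PKCS#1 v1.5) and formats the `OAuth` Authorization header value, then shows the check a server performs on the way back in. It assumes the `cryptography` package is installed; the JIRA URL, consumer key, token and key pair are constructed values.

```python
import base64
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

def pct(s):
    return quote(str(s), safe="-._~")  # RFC 3986 unreserved set only, as OAuth 1.0a requires

def base_string(method, url, params):
    """Signature base string: METHOD & base-URL & normalized(query + oauth_* params)."""
    u = urlsplit(url)
    # netloc keeps an explicit port; strip a default :80/:443 yourself if your URL carries one
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path or '/'}"
    pairs = parse_qsl(u.query, keep_blank_values=True)
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def authorization_header(method, url, consumer_key, access_token, private_key,
                         timestamp=None, nonce=None):
    """Client side: sign one request and format the OAuth Authorization header value."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": access_token,            # the oauth_token from the 3-legged dance
        "oauth_signature_method": "RSA-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(16),   # never reused across calls
        "oauth_version": "1.0",
    }
    sig = private_key.sign(base_string(method, url, oauth).encode(), padding.PKCS1v15(), hashes.SHA1())
    oauth["oauth_signature"] = base64.b64encode(sig).decode()
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in oauth.items())

def verify_header(header, method, url, public_key):
    """Server side: parse the header, rebuild the base string, check the RSA-SHA1 signature."""
    items = (i.split("=", 1) for i in header.removeprefix("OAuth ").split(", "))
    fields = {k: unquote(v.strip('"')) for k, v in items}
    sig = base64.b64decode(fields.pop("oauth_signature"))
    try:
        public_key.verify(sig, base_string(method, url, fields).encode(), padding.PKCS1v15(), hashes.SHA1())
        return True
    except InvalidSignature:
        return False

def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)  # throwaway; load your registered PEM in practice
```

Send the returned string as `Authorization: OAuth ...` on the request; any change to the method, URL or query after signing makes the server-side check fail, which is the behaviour the header is meant to give.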

I tried to find your contact information to ask for these examples, but couldn't find it. Could you please provide it, along with the REST Requests required to obtain the Request Tokens as well? Also, please consider publishing your examples here: https://bitbucket.org/atlassian_tutorial/atlassian-oauth-examples/src

@Cameron Stillion if you still have an example of this working within Clojure I would love to see it; I'm trying to implement this myself right now.

I would suggest using a tool like Wireshark to capture network packets; then you can see the exact packet formats using any of the examples.
