How to use the access token for REST calls?

I've finally cracked the code of using JIRA authentication endpoints with OAuth.  It wasn't easy, but the key was using the RSA-SHA1 algorithm (not very standard - most implementations use HMAC-SHA1) - and the private key in the consumer-secret. BTW, when will OAuth2 be available???

Anyway, now that I do the 3-legged dance, and I have an oauth_token... now - how do I use it? I can't find a single example of actually using that token in an HTTP request for the REST interface.

Typically I would format it into the header of a request like so:

```
{ "Authorization" : "Bearer gZ9qgJLEaNJh3349VEIbCQ9jm7baNAbcDefgVjFqJY" }
```

But this doesn't seem to do the trick, even for a very simple query. 

How should the auth_token be formatted and used? I can't find any examples or instructions on this...

4 answers

1 accepted

Each of the sample clients uses libraries which use other libraries - and the stack is deep. My biggest problem with the documentation and the samples is that they do not provide actual HTTP examples - they hide the details in curl or some other shared library. That is all well and good if you don't need to understand it, or just need to implement what someone else already has, using a library someone already has. But I read the blogs and I am not the only one that finds this approach - wanting.

I have no problem using RSA-SHA1 or acquiring the access token, but every example I've seen after that step uses curl with basic auth to access data - which is somewhat pointless. Every OAuth 1.0a server (and actually every OAuth 2 server) differs in implementation - I am looking for the similarities and the differences. Since I'm not using the languages or libraries that are covered so far in the published samples, I am left to experiment to find out these implementation necessities. Again, I am not the only one.

My next step is to follow the OAuth bible and see if that gets me where I want to go. A tangible sample with HTTP request and response for each would be much better than a collection of specific-library-built-samples. Everyone who approaches this, it seems, is left to dissect a sample that is not in the language they are using to try to glean the basic protocol. That's like teaching students how to be a doctor by sending them to the morgue to do autopsies. There might be a better way.


I can add my own sample to the list of "here's how you do it in my technology" - but I'd rather provide a more general answer if possible. Let me re-iterate: requiring people to install, build, and run examples in a completely different set of technologies in order to find the pattern is not very productive.

The short answer is: roughly the OAuth1 format for Authorization header, but digitally signed using RSA-SHA1. Here is an example of an actual working HTTP header for a simple GET:

```
OAuth oauth_signature="C3xuGDhahnuQiro38jl5an3EjnzdGWEOWx%2Z3MAXfN7vM%2FLtI%3D...",
oauth_token="EbW09Uz...gDwN3rbtJYaP9bUf",
oauth_consumer_key="this...is...my...key",
oauth_signature_method="RSA-SHA1",
oauth_timestamp="1429802221",
oauth_nonce="8hv19a39n5k31207ivp997i6fn",
oauth_version="1.0"
```

These are the critical pieces needed for the Authentication header:

`oauth_signature` - the RSA-SHA1 signature which should be a signed concatenated string which includes the full URL (including query parameters) and the other headers.

`oauth_token` - this is the token returned from the second leg of the OAuth dance

`oauth_consumer_key` - this is your consumer key, the one you registered with JIRA when you added a 'Link'

`oauth_signature_method` - hard-coded 'RSA-SHA1'

`oauth_timestamp` - current time stamp, likely filled in by your library.

`oauth_nonce` - arbitrary id that is unique to this message. Don't try to re-use this; generate it anew for each call. Also potentially generated by a good OAuth library.

`oauth_version` - hard-coded "1.0"

All of these parameters (except for oauth_signature) should be formatted into what is known as a `base string` which can be digitally signed using the private key you generated before you registered your application with Jira. That signature is then Base64 encoded and placed into the oauth_signature parameter. All of these are formatted as above with quotes around the values and comma-separated into the `Authentication` header on the request.

(wow, that was easy...)

Ping me if you are looking for a Clojure example of this.

I tried to find your contact information to ask for these examples, but couldn't find it. Could you please provide it, along with the REST requests required to obtain the request tokens as well? Also, please consider publishing your examples here: https://bitbucket.org/atlassian_tutorial/atlassian-oauth-examples/src

@Cameron Stillion if you still have an example of this working within Clojure I would love to see, trying to implement this myself right now.

I would suggest using a tool like Wireshark to capture network packets; then you can see the exact packet formats using any of the examples.
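The header construction the accepted answer describes, carried through end to end as an added example. This is not the answer's Clojure code and not Atlassian's sample code: it builds the RFC 5849 signature base string from the method, URL, query parameters and `oauth_*` parameters, signs it with RSASSA-PKCS1-v1_5/SHA-1, percent-encodes the Base64 signature into the `OAuth ...` header, and then does the server-side check (rebuild the base string from the request, verify the signature) so you can see why a replayed nonce, a changed method or a changed URL fails. The host, consumer key and token are placeholders; the timestamp and nonce are the values quoted in the answer's header. The RSA key is a constructed toy key built from two Mersenne primes so the script runs with no third-party library; a real client loads the private key it registered with the Jira application link.

```python
"""OAuth 1.0a RSA-SHA1 Authorization header, built and verified end to end."""
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(s: str) -> str:
    """Percent-encode, leaving only the RFC 3986 unreserved set bare (RFC 5849 3.6)."""
    return quote(s, safe="-._~")


def base_uri(url: str) -> str:
    """scheme://host[:port]/path with default ports dropped and no query (RFC 5849 3.4.1.2)."""
    u = urlsplit(url)
    scheme, host = u.scheme.lower(), u.hostname
    if u.port and (scheme, u.port) not in (("https", 443), ("http", 80)):
        host = f"{host}:{u.port}"
    return f"{scheme}://{host}{u.path or '/'}"


def signature_base_string(method: str, url: str, oauth_params: dict) -> str:
    """METHOD&enc(base URI)&enc(sorted, encoded params) per RFC 5849 3.4.1."""
    params = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    params += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_uri(url)), pct(normalized)])


# Constructed toy RSA key from two Mersenne primes so this runs with no
# third-party crypto library. It is trivially factorable: demonstration only.
# A real client loads the private key registered with the Jira application link.
_P = (1 << 521) - 1
_Q = (1 << 607) - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
_K = (_N.bit_length() + 7) // 8  # modulus size in bytes
# DER DigestInfo prefix for SHA-1 (RFC 8017 section 9.2, note 1)
_SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def _emsa_pkcs1_v1_5(data: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 DigestInfo(sha1(data))."""
    t = _SHA1_DIGESTINFO + hashlib.sha1(data).digest()
    em = b"\x00\x01" + b"\xff" * (_K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def rsa_sha1_sign(data: bytes) -> bytes:
    return pow(_emsa_pkcs1_v1_5(data), _D, _N).to_bytes(_K, "big")


def rsa_sha1_verify(data: bytes, sig: bytes) -> bool:
    return pow(int.from_bytes(sig, "big"), _E, _N) == _emsa_pkcs1_v1_5(data)


def build_authorization_header(method, url, consumer_key, token, timestamp=None, nonce=None):
    """Return (Authorization header value, signature base string) for one request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "RSA-SHA1",
        "oauth_timestamp": timestamp or str(int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(16),  # fresh per request, never reused
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, oauth)
    oauth["oauth_signature"] = base64.b64encode(rsa_sha1_sign(base.encode())).decode()
    # Header form: quoted, percent-encoded values, comma separated (RFC 5849 3.5.1)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in oauth.items()), base


def verify_authorization_header(method: str, url: str, header: str) -> bool:
    """Server-side check: rebuild the base string from the request, verify the signature."""
    if not header.startswith("OAuth "):
        return False
    fields = {}
    for part in header[len("OAuth "):].split(", "):
        k, v = part.split("=", 1)
        fields[k] = unquote(v.strip('"'))
    sig = base64.b64decode(fields.pop("oauth_signature", ""))
    return rsa_sha1_verify(signature_base_string(method, url, fields).encode(), sig)


# Placeholder request: host, consumer key and token are constructed values;
# timestamp and nonce are the ones quoted in the answer's header above.
URL = "https://jira.example.com/rest/api/2/issue/TEST-1?fields=summary"
HEADER, BASE = build_authorization_header(
    "GET", URL, "consumer-key-placeholder", "access-token-placeholder",
    timestamp="1429802221", nonce="8hv19a39n5k31207ivp997i6fn")

if __name__ == "__main__":
    print("Signature base string:\n" + BASE)
    print("\nAuthorization: " + HEADER)
    print("\nverifies:", verify_authorization_header("GET", URL, HEADER))
```

Two things worth noticing when you run it: the signature binds the HTTP method, the base URI and every query parameter, so a header captured (for example with Wireshark, as suggested above) cannot be reused against a different resource or method; and the timestamp and nonce are part of what is signed, which is why a server that records seen nonces can reject a straight replay of the same request.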
