How to use the access token for REST calls?

Cameron Stillion April 10, 2015

I've finally cracked the code of using JIRA authentication endpoints with OAuth.  It wasn't easy, but the key was using the RSA-SHA1 algorithm (not very standard - most implementations use HMAC-SHA1) - and the private key in the consumer-secret. BTW, when will OAuth2 be available???

Anyway, now that I do the 3-legged dance, and I have an oauth_token... now - how do I use it? I can't find a single example of actually using that token in an HTTP request for the REST interface.

Typically I would format it into the header of a request like so:

{ "Authorization" : "Bearer gZ9qgJLEaNJh3349VEIbCQ9jm7baNAbcDefgVjFqJY" }

But this doesn't seem to do the trick, even for a very simple query. 

How should the auth_token be formatted and used? I can't find any examples or instructions on this...

5 answers

1 accepted

8 votes
Answer accepted
Cameron Stillion April 12, 2015

Each of the sample clients uses libraries which use other libraries - and the stack is deep. My biggest problem with the documentation and the samples is that they do not provide actual HTTP examples - they hide the details in curl or some other shared library. That is all well and good if you don't need to understand it, or just need to implement what someone else already has, using a library someone already has. But I read the blogs and I am not the only one that finds this approach - wanting.

I have no problem using RSA-SHA1 or acquiring the access token, but every example I've seen after that step uses curl with basic auth to access data - which is somewhat pointless. Every OAuth 1.0a server (and actually every OAuth 2 server) differs in implementation - I am looking for the similarities and the differences. I'm not using the languages or libraries that are covered so far in the published samples, so I am left to experiment to find out these implementation necessities. Again, I am not the only one.

My next step is to follow the OAuth bible and see if that gets me where I want to go. A tangible sample with HTTP request and response for each would be much better than a collection of specific-library-built-samples. Everyone who approaches this, it seems, is left to dissect a sample that is not in the language they are using to try to glean the basic protocol. That's like teaching students how to be a doctor by sending them to the morgue to do autopsies. There might be a better way.

 

Romisha Aggarwal December 26, 2018

Sailing in the same boat. Looking for an example to get the access_token in my language (PHP). Can you please help me?

 

Many thanks in advance.

4 votes
Cameron Stillion April 23, 2015

I can add my own sample to the list of "here's how you do it in my technology" - but I'd rather provide a more general answer if possible. Let me re-iterate: requiring people to install, build, and run examples in a completely different set of technologies in order to find the pattern is not very productive.

The short answer is: roughly the OAuth1 format for Authorization header, but digitally signed using RSA-SHA1. Here is an example of an actual working HTTP header for a simple GET:

 

OAuth oauth_signature="C3xuGDhahnuQiro38jl5an3EjnzdGWEOWx%2Z3MAXfN7vM%2FLtI%3D...", 
oauth_token="EbW09Uz...gDwN3rbtJYaP9bUf", 
oauth_consumer_key="this...is...my...key", 
oauth_signature_method="RSA-SHA1", 
oauth_timestamp="1429802221", 
oauth_nonce="8hv19a39n5k31207ivp997i6fn", 
oauth_version="1.0"

These are the critical pieces needed for the Authentication header:

`oauth_signature` - the RSA-SHA1 signature which should be a signed concatenated string which includes the full URL (including query parameters) and the other headers.

`oauth_token` - this is the token returned from the second leg of the OAuth dance

`oauth_consumer_key` - this is your consumer key, the one you registered with JIRA when you added a 'Link'

`oauth_signature_method` - hard-coded 'RSA-SHA1'

`oauth_timestamp` - current time stamp, likely filled in by your library.

`oauth_nonce` - arbitrary id that is unique to this message. Don't try to re-use this. Generate it anew for each call. Also potentially generated by a good OAuth library.

`oauth_version` - hard-coded "1.0"

All of these parameters (except for oauth_signature) should be formatted into what is known as a `base string` which can be digitally signed using the private key you generated before you registered your application with Jira. That signature is then Base64 encoded and placed into the oauth_signature parameter. All of these are formatted as above with quotes around the values and comma-separated into the `Authentication` header on the request.

(wow, that was easy...)

Ping me if you are looking for a Clojure example of this.
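The header construction described in the answer above, as an added Node.js example that is not part of the original post or of Atlassian's samples. It follows the RFC 5849 base-string rules for a GET with query parameters only; the function names, the `/rest/api/2/search` URL on `localhost:8081`, the token, nonce and throwaway key pair are constructed for illustration.

```javascript
// Added example (not from the thread): OAuth 1.0a RSA-SHA1 signing with Node's crypto.
const crypto = require('node:crypto');

// RFC 3986 percent-encoding as OAuth 1.0a requires (stricter than encodeURIComponent).
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);

// Signature base string (RFC 5849 section 3.4.1): METHOD & base URL & sorted parameters.
function baseString(method, url, oauthParams) {
  const u = new URL(url);
  const pairs = [...u.searchParams.entries(), ...Object.entries(oauthParams)]
    .map(([k, v]) => [enc(k), enc(v)])
    .sort((a, b) => cmp(a[0], b[0]) || cmp(a[1], b[1])); // by name, then by value
  const normalized = pairs.map(([k, v]) => `${k}=${v}`).join('&');
  return [method.toUpperCase(), enc(u.origin + u.pathname), enc(normalized)].join('&');
}

// Build the Authorization header value for one request.
function authorizationHeader(method, url, c) {
  const oauth = {
    oauth_consumer_key: c.consumerKey,
    oauth_token: c.token,
    oauth_signature_method: 'RSA-SHA1',
    oauth_timestamp: String(c.timestamp ?? Math.floor(Date.now() / 1000)),
    oauth_nonce: c.nonce ?? crypto.randomBytes(16).toString('hex'), // fresh per request
    oauth_version: '1.0',
  };
  // RSASSA-PKCS1-v1_5 signature over SHA-1 of the base string, then Base64.
  const signature = crypto
    .sign('sha1', Buffer.from(baseString(method, url, oauth)), c.privateKey)
    .toString('base64');
  return 'OAuth ' + Object.entries({ ...oauth, oauth_signature: signature })
    .map(([k, v]) => `${k}="${enc(v)}"`).join(', ');
}

// Constructed sample input: throwaway key pair, made-up token, fixed nonce and timestamp.
const sampleKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const sampleUrl = 'http://localhost:8081/rest/api/2/search?jql=project%20%3D%20DEMO&maxResults=5';
const sampleHeader = authorizationHeader('GET', sampleUrl, {
  consumerKey: 'OauthKey', token: 'constructed-access-token',
  privateKey: sampleKeys.privateKey, nonce: 'constructednonce01', timestamp: 1429802221,
});
console.log(sampleHeader);
```

In real use, omit `nonce` and `timestamp` so each call gets fresh values, and send the returned string as the value of the `Authorization` request header.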

Rest Connectors May 4, 2015

I tried to find your contact information to ask for these examples, but couldn't find it. Could you please provide it, along with the REST Requests required to obtain the Request Tokens as well? Also, please consider publishing your examples here: https://bitbucket.org/atlassian_tutorial/atlassian-oauth-examples/src

Owen Jones May 2, 2016

@Cameron Stillion if you still have an example of this working within Clojure I would love to see, trying to implement this myself right now.

Ryan Aquino December 6, 2020

Please post an example for this. Thanks.

Ryan Aquino December 8, 2020

Could you show an example with the use of NodeJS, or anything similar that could help? Thanks.

Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 8, 2020

Hi Ryan,

There are nodejs examples of using OAuth over in https://bitbucket.org/atlassianlabs/atlassian-oauth-examples/src/master/nodejs/

The parent repo also has other examples for languages such as php, java, perl, python, etc https://bitbucket.org/atlassianlabs/atlassian-oauth-examples/

0 votes
Andy Heinzer
Atlassian Team
December 7, 2020

Hi everyone,

This thread is 5 years old and unfortunately some of the links are now defunct. If you are looking to use OAuth with Atlassian products, I would recommend a couple of different resources depending on which platform you are connecting to (Atlassian Cloud versus our Server/Data Center products).

 

For Cloud:

 

For Server or Data Center:

I hope this helps.

Andy

Gavin beangstrom April 13, 2021

Hi

I am trying to use C# (.NET 4.8) to authenticate using OAuth; unfortunately there is no C# sample in the above example.

Is it possible to produce a C# example or to provide a working example that uses the values generated in the java config.properties file as below. This is the file that was created using the JAVA example.

 

Thanks

 

#Tue Apr 13 16:41:17 CAT 2021
secret=uHmW3E
jira_home=http\://localhost\:8081/
consumer_key=OauthKey
private_key=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\=\=
request_token=fXxj3qmHYyjAu0rHDsDiD6m3eSetpx3y
access_token=qglOc6EwQmmbyDEqjE6yLhqZL7bobOL9

0 votes
Norman Abramovitz
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
April 14, 2015

I would suggest using a tool like wireshark to capture network packets and then you can see the exact packet formats using any of the examples.

 

0 votes
Norman Abramovitz
Rising Star
April 11, 2015

Maybe dissecting the client code in this example would assist you. 

https://developer.atlassian.com/jiradev/api-reference/jira-rest-apis/jira-rest-api-tutorials/jira-rest-api-example-oauth-authentication

https://bitbucket.org/atlassian_tutorial/atlassian-oauth-examples

The example states RSA-SHA, so it should be a good example for you.

 

krishna veni August 22, 2020

https://bitbucket.org/atlassian_tutorial/atlassian-oauth-examples - it seems the repository is unavailable. Can you please provide some examples if possible?

Ryan Aquino December 6, 2020

All repositories in this thread are not found. Please help update.
