What are the authorization options for webhooks?

Fabian Huck January 18, 2023

I have created a connection based on webhooks between a system and my Jira environment. Whenever something is created in the external system, this information is sent to Jira via a post request and also created there (automation rules).


As there are security rules I am looking for a solution to make the webhook more secure. Is it possible to create an authorization process underneath cryptographic security mechanisms. Maybe with mathematical operations?

2 answers

1 accepted

0 votes
Answer accepted
Darryl Lee
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
January 22, 2023

Wow this is a great question.

I am by no means a cryptographic expert, so I googled it and found this:

I suppose you could implement a token authentication system using web requests, but it hurts my head to think about.

I think the most feasible approach would be to do some kind of Signature verification although Jira smart values for math do not unfortunately include any kind of hashing functionality.

I wonder if it would be sufficient (but certainly not completely foolproof) to do something like: 

{{#=}}{{created.format("yyyyMMdd").asNumber}} + {{summary.length}} * 1337{{/}}

(Where you would choose COMPLETELY DIFFERENT fields, calculations and "salt" values)

And then on your system, you would replicate generation of that "Auth Signature" value and include it in the data payload of your webhook POST to Jira, where your Automation rule could then calculate it and see if it matches.

So I guess compare:

{{webhookData.authSignature}}

To:

{{#=}}{{webhookData.created.format("yyyyMMdd").asNumber}} * {{webhookData.summary.length}} + 1337{{/}}

Obviously with enough time, somebody could try to reverse engineer this against all the various fields and numeric values you are submitting, but I guess it would provide some peace of mind about the security of your data?

Fabian Huck January 23, 2023

That's a great approach! Thank you for this..! I am going to figure it out if this works and update you! Can you answer another question to me? Another part to make this webhook secure is to define an IP whitelist. Is this possible for webhooks in Jira? 

Darryl Lee
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
January 23, 2023

Oooh, that'd be cool to restrict your specific webhooks to an IP whitelist. But I'm guessing your webhooks like mine are hosted here: 

https://automation.atlassian.com/pro/hooks/

So I'm guessing they couldn't whitelist requests to that host for just your account or rules without affecting everyone else.

Atlassian does publish their IP addresses so if you were somehow able to flip it around and have Jira make webhook calls to your service, you could whitelist Atlassian's IP Addresses .

Like Fabian Huck likes this
Darryl Lee
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
January 26, 2023

OH - I forgot! at the Premium levels, Jira does allow IP allowlisting. 

BUT since the addresses of webhooks are not site-specific (my webhooks are not automation.MYSITE.atlassian.net), this probably will not work.

If you are Premium, you should file a support ticket asking for this, and see if they can make it into a feature request.

Actually, I just searched, and oof, this isn't good:

Like # people like this
Fabian Huck January 27, 2023

@Darryl LeeThank you for the time you put into this not easy question! You definitely help me and the team with your answers and research. Finally, does this also apply to Jira Data Center? How is Ip whitelisting set up because of the different architecture?

Darryl Lee
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
January 27, 2023

Hey you're welcome Fabian! I just happened to be looking at a Cloud tier comparison page and realized IP Allowlisting was a thing, although it may not help here. 

So with Data Center, because it is self-hosted, the network access to your server has to be maintained by you or your infrastructure/networking/IT team.

There are absolutely ways to restrict access to your own self-hosted Jira server using firewall rules, etc. 

But again you have to maintain the server and all of its infrastructure (hardware/virtual hosting, network, firewall, database) yourself.

Fabian Huck February 1, 2023

Yes i know. First of all me and my Team have to find out how the client managed his server. I did a research and i found this brand new Blog:

So i guess its possible to integrate allowlisting in Datacenter. But does IP allowlisting only apply to the Webhook URL or also to the Atlassian UI in the Datacenter environment? 

2 votes
Darryl Lee
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
May 13, 2024

I'm not supposed to revive old posts (necroposting), but this came up when I was searching for a relatively NEW feature that is a much better way to implement secure webhooks vs my home-brewed solution:

From Atlassian Cloud changes Feb 26 to Mar 4, 2024:

Enhanced security for webhooks

[NEW THIS WEEK]

We’re pleased to announce an important security update for webhooks. Users now have the ability to secure webhooks with a new secret field. This enhancement applies to webhooks created through Jira Administration or via the REST API.

When a secret is added to a webhook, it is utilized to generate an HMAC (Hash-based Message Authentication Code) signature. This signature is then included in the request header, ensuring the integrity and authenticity of the webhook payload.

For a comprehensive guide on implementing and understanding this security feature, please refer to the Secure admin webhooks section in our docs.

@Fabian Huck - this is probably much better than my hackery. :-}

Suggest an answer

Log in or Sign up to answer
DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
STANDARD
PERMISSIONS LEVEL
Product Admin
TAGS
AUG Leaders

Atlassian Community Events