In servlet programming, I have an HTML login page in which I ask for username and pass for a user and when he enters the details all issues assigned to him are displayed. Further, when he clicks on any of it he gets navigated to the issue page.
Here I am facing a problem that whenever he clicks on an issue link it opens in a new tab and asks for his credentials again. What I want to do is to maintain the same session (JSESSIONID) with which he logged in on my HTML login page.
I am using the JIRA REST API for login and fetching details.
How do I achieve it?
The REST API is used to connect between your server-side app and JIRA, not between the user's browser and JIRA (with the latter being where you need to establish the authentication for viewing the issue detail page).
Assuming you have a behind-the-firewall instance of JIRA Server, your options are:
Convert your servlet to run as a JIRA Plugins 2 add-on and run it within JIRA itself (meaning that users would leverage the JIRA authentication framework to log in before accessing your servlet in the first place), or
Write a custom Single Sign-On authenticator for JIRA that will accept whatever credentials you have set up for the user in your external servlet. This is a nontrivial solution, so depending on the complexity, it may be easier to just do #1.
I have a CLI tool that requires search access, on behalf of the user. I've set up an application on our team's workspace with all of the right scopes and configuration.
However, I am dismayed at how oppressive the OAuth access token process is for CLI tools. Step 1 in their process is to provide a link to a custom web site that has an "Add to Slack" button. This already extends a simple CLI tool into requiring an entire web site, but the button is merely a static URL with parameters about the app and scopes. So far, a static page from Confluence, GitHub, or some other wiki-based project space would be enough.
Step 2 is where the user grants access to the application through their browser. However, Step 3 is where the action redirects to a special, dynamic page that requires access to take a special code, and translate it into an actual usable token for the user to plug into the CLI configuration. This extra step requires a special web page that Slack does not provide to do the translation, instead of just handing a token directly to the user.
Even worse, the API call requires secret client_id and client_secret parameters that would be plain as day in a shared or open-source CLI tool. (Despite the API documentation saying otherwise, both of these parameters are actually required.)
For example, Slackcat requires a one-page special web site expressly for the purposes of fielding OAuth requests. This is a web page that cannot be opened to the public because it would reveal the secret parameters. Unfortunately, Slackcat does not have the right scope levels I need, so I can't just borrow its web site for token generation.
Is there a better way to sidestep this process and allow a simple CLI tool to just get the right user access token it needs?
OAuth2 is fundamentally built around web browsers. The entire point is to allow the user's web browser to be redirected to the OAuth2 provider's website for password entry, so that the user's credentials are never visible to you or pass through any infrastructure you control.
This necessarily involves spawning a browser and sending it to a site you control to begin the OAuth2 flow by setting up state and redirecting the user to the OAuth2 provider, and then completing the OAuth2 flow by handling the redirect back from the OAuth2 provider and performing the code/token exchange. You can't do any of this with a static site; you need a web service.
Is there a better way to sidestep this process and allow a simple CLI tool to just get the right user access token it needs?
No. If there were, it would be a vulnerability in OAuth2 that should be fixed, not exploited to bypass the entire point of OAuth2.
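The two server-side pieces the answer names (setting up state before the redirect, then checking it and doing the code/token exchange on the way back) look like this in outline. This is an added example, not code from the answer or from Slack; the provider endpoint URLs, client id, client secret and redirect URI are constructed placeholders, and the token exchange is injectable so the module runs offline. The point to notice is that the client secret only ever appears in the server-side exchange step, never in the URL the CLI hands to the user.

```python
"""Minimal server-side state handling for an OAuth2 authorization-code flow.

Added example (not from the original answer).  Endpoint URLs, client id,
client secret and redirect URI below are constructed placeholders.
"""
import json
import secrets
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders standing in for the provider and this app's registration.
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
TOKEN_URL = "https://provider.example/api/oauth.access"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"   # stays on the server; never shipped in the CLI
REDIRECT_URI = "https://yourapp.example/oauth/callback"


class OAuthFlow:
    """Tracks the per-flow 'state' values that the redirect handler must verify."""

    def __init__(self):
        self._pending = {}   # state -> scopes requested when the flow started

    def start(self, scopes):
        """Step 1: build the URL the browser is sent to.

        'state' is a fresh random value that binds the later callback to this
        start; it is also what the "Add to Slack" button would have to carry,
        which is why a static page cannot do this securely.
        """
        state = secrets.token_urlsafe(32)
        self._pending[state] = list(scopes)
        params = {
            "client_id": CLIENT_ID,
            "scope": " ".join(scopes),
            "redirect_uri": REDIRECT_URI,
            "state": state,
        }
        return AUTHORIZE_URL + "?" + urlencode(params), state

    def handle_redirect(self, callback_url):
        """Step 3: validate the redirect back from the provider and return the code.

        A callback whose state was never issued is rejected (cross-site request
        forgery / injected code), and each state is consumed on first use.
        """
        query = parse_qs(urlsplit(callback_url).query)
        state = query.get("state", [None])[0]
        if state is None or state not in self._pending:
            raise ValueError("unknown or missing state")
        del self._pending[state]
        if "error" in query:
            raise ValueError("provider returned error: %s" % query["error"][0])
        code = query.get("code", [None])[0]
        if not code:
            raise ValueError("no authorization code in callback")
        return code

    @staticmethod
    def token_request(code):
        """Form body for the code/token exchange; this is the step that needs the secret."""
        return {
            "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET,
            "code": code,
            "redirect_uri": REDIRECT_URI,
        }


def _default_post(url, form):
    """POST a form body and parse the JSON reply (real transport; not used offline)."""
    data = urlencode(form).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.loads(resp.read().decode())


def exchange_code(code, post=_default_post):
    """Trade the one-time code for a user token; 'post' is injectable for testing."""
    reply = post(TOKEN_URL, OAuthFlow.token_request(code))
    if not reply.get("ok", True) or "access_token" not in reply:
        raise ValueError("token exchange failed: %r" % reply)
    # The CLI user is shown this value once and pastes it into the tool's config.
    return reply["access_token"]
```

Everything up to handle_redirect could in principle be served from a tiny web service; exchange_code is the part that can never move into a distributed CLI, because it has to present CLIENT_SECRET.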
We have ASP.NET MVC applications. We have our own IdP for SSO. The IdP issues authentication tickets using the OpenID Connect protocol. Users can access all our applications by signing in once.
We want to use the JIRA ticketing system for users to create tickets.
We can create an account for every user and provide a link on the UI to JIRA to create a ticket. However, that is not convenient if we have a large number of users, and it keeps growing.
We can also create a form in our applications and then submit the form to JIRA using their API. However, I am trying to avoid this option because then I have to create a form in every application and maintain it.
The ideal option would be: when the user clicks on the create ticket link, he should get redirected to the JIRA ticketing system, MUST get authenticated implicitly (maybe using an access token) and be able to create a ticket using JIRA's ticketing system.
Is this possible? Can someone please provide guidelines?
You should consider using JIRA's built-in IssueCollector.
This is super simple to set up, and you can find more info here
Unless you need to do something really custom, then this should work out of the box.
I am building a Jira add-on that provides the user with the status of an object within my own API (not within Jira). My API is protected using OAuth 2.0. What is the best way to authenticate to my API from my Jira add-on?
I like how the Jira + GitHub/Bitbucket integration works. Specifically, the user retrieves API keys from GitHub and puts them in Jira. Jira then uses these keys to authenticate with and then retrieve data from GitHub. At least, this is how I think it works.
How can I achieve this same effect for my Jira add-on?
When you are building a cloud add-on, you can handle authentication without bothering admins (they don't need to copy anything).
To integrate yourself with the Jira UI you need to create a webpanel or page; in both cases, Jira will ask your site to render the HTML code and the request will include a JWT token. Inside it you will have information about which user made the request.
Now, you can authenticate Jira users to your API in several ways:
render a time-limited token into the HTML and use it to authenticate calls to your API. As a downside of this solution, if someone keeps the page open without reloading for long enough (longer than your time limit) the token will become invalid.
provide a resource to retrieve a time-limited token (validate the JWT signature provided by Jira to be sure the request really comes from the particular Jira instance) and retrieve the token every time before doing the request (or every N minutes depending on your time limit).
or if you really want to bother admins then create a configuration page and let them save API keys by hand (I assume they will have to retrieve those keys from you somehow; this additional step may discourage many admins). In this configuration page you will include JS code that on submit will save the API keys as an Application property, and later you will have to retrieve this before making requests to your API. With this approach, however, admins will not be able to restrict access to your API to a subset of users with Jira permissions (every logged-in user can access application properties, in open instances even anonymous users).
If you are unsure how to validate the JWT token you can read this developer guide. Also, you can make your life easier by using one of the provided frameworks and tools; for example, atlassian-connect-spring-boot will take care of the installation handshake, JWT authentication and authentication to the Jira REST API from your server.
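The second option above (a resource that hands out a short-lived token after checking the JWT Jira sent) depends on doing the JWT validation correctly, including the request-binding qsh claim. The following is an added example, not code from the answer, from Atlassian or from atlassian-connect-spring-boot: it verifies an HS256 Connect JWT against the add-on's shared secret, checks issuer, expiry and qsh, and then mints a token for your own API with the user identity carried over. The qsh canonicalisation follows the Connect spec as understood by the author of this example; the client key, secrets and request values are constructed sample data.

```python
"""Verify an Atlassian Connect JWT and mint a short-lived token for your own API.

Added example, not from the answer or from Atlassian.  The shared secret,
client key and request values used here are constructed sample data.
"""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import quote


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, secret: str) -> str:
    """Build a compact HS256 JWT (used to mint API tokens, and to build test input)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def canonical_query(params: dict) -> str:
    """Connect canonical query: sorted keys, RFC 3986 encoding, 'jwt' excluded,
    repeated values sorted and joined with commas."""
    parts = []
    for key in sorted(k for k in params if k != "jwt"):
        values = params[key] if isinstance(params[key], list) else [params[key]]
        enc_values = sorted(quote(str(v), safe="") for v in values)
        parts.append(quote(key, safe="") + "=" + ",".join(enc_values))
    return "&".join(parts)


def compute_qsh(method: str, path: str, params: dict) -> str:
    """qsh = SHA-256 hex of 'METHOD&path&canonical-query' (path relative to the add-on base URL)."""
    path = path if path.startswith("/") else "/" + path
    if len(path) > 1:
        path = path.rstrip("/")
    canonical = f"{method.upper()}&{path}&{canonical_query(params)}"
    return hashlib.sha256(canonical.encode()).hexdigest()


def verify_connect_jwt(token, shared_secret, client_key, method, path, params, now=None):
    """Check signature, issuer, expiry and qsh; return the payload or raise ValueError."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never let the token choose the algorithm
    expected = hmac.new(shared_secret.encode(), f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(body_b64))
    if payload.get("iss") != client_key:
        raise ValueError("token issued by a different Jira instance")
    now = time.time() if now is None else now
    if now >= payload.get("exp", 0):
        raise ValueError("token expired")
    if payload.get("qsh") != compute_qsh(method, path, params):
        raise ValueError("qsh mismatch: token was not issued for this request")
    return payload


def mint_api_token(jira_payload: dict, api_secret: str, ttl_seconds=300, now=None) -> str:
    """Issue the time-limited token the page's JavaScript will send to your API."""
    now = int(time.time() if now is None else now)
    claims = {"sub": jira_payload["sub"], "iss": jira_payload["iss"],
              "iat": now, "exp": now + ttl_seconds}
    return sign_hs256(claims, api_secret)
```

Look up the shared secret by the token's iss (the clientKey from the installation handshake) before verifying, and keep the minted token's lifetime short; the resource that mints it is what the page calls again when the token has aged out.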
Right now I'm trying to get Atlassian's basic JQL standalone gadget template working with my Confluence install (found here: https://developer.atlassian.com/display/JIRADEV/Writing+a+JQL+Standalone+Gadget). It renders just fine when I bring up the preview window, but it seems that the gadget kicks me out of my Confluence session as soon as it renders. This makes it impossible to place onto the page, and of course, impossible to use. Right now I have both OAuth and Atlassian Application links set up between my instances, what could possibly be causing this behavior?
Do you have your JIRA and Confluence instances on the same hostname but on different ports? To get the Application Links to function properly, you will want your JIRA and Confluence on two separate hostnames. Trying to use http://localhost:8080 for JIRA and http://localhost:8090 for Confluence is asking for trouble, especially for things like cookies and OAuth.
You don't need to move the servers at all, but you do need to set up different hostnames. For example, edit /etc/hosts to add "127.0.0.1 conftest jiratest" and then access them as http://jiratest:8080 and http://conftest:8090.
Once you've made those changes, make sure that you go into each application and reconfigure the base URL in the admin console according to whatever it is that you decided above, then delete and recreate the application links, delete and recreate the external gadget feed, and try again.
You may also want to turn on the Trusted Application feature in both the incoming and outgoing authorization for the application link (scroll down when you are configuring it—some parts of that dialog may not be visible above the fold). (Though maybe this is what you meant by "Atlassian Application links"?)
I want to display JIRA details such as issue titles, a version roadmap, and the issues raised/resolved graph for projects in a Confluence site. This is fine for folks that are logged in but I need it to work for anonymous access as well. I don't want to have to set up anonymous access in JIRA for the project as it contains other details in the comments, etc.
I have followed everything that I can find as far as setting up Application Links between the two and can get the issues to display if I enter an account in the Basic Access tab of the application links.
Using the developer tools in the browser I can see an OAuth error when the gadget on the Confluence page tries to make a request.
Is there a way that Confluence can impersonate another user when it queries JIRA?
Seems to me that you want to do something impossible. As I understand it, there are the following options for using JIRA content inside Confluence:
Use the authenticated user of Confluence in JIRA.
Use an anonymous user for public issues in JIRA.
Use a pre-determined user (not recommended): This will show in public the user name and password in Confluence.
So you have the following options:
Use issue security in JIRA, and set the comments in your issues to be available only to a special group.
Ensure that the users you want to get access to are not contained in the special group.
See the documentation about "Trusted Communication", especially the following part:
Display the JIRA issues which the logged-in user is authorised to see. And if the user is not logged in, display only issues which allow unrestricted viewing.