Atlassian Connect authenticates apps using JWT tokens. At installation time, the Connect app and the Atlassian host product exchange a security context containing an installation secret used to create and validate JWT tokens for use in API calls.
The use of JWT tokens guarantees that:
The Atlassian client frameworks include tools for creating and using JWT tokens easily. See the README files for more information:
Here's how to use authentication and authorization in your app:
When the installation callback is called at app install time, the Atlassian host product passes in a security context that your app uses to validate incoming requests and sign outgoing requests. If you use the Atlassian frameworks, this is handled for you.
Atlassian Connect apps can use two types of authorization when interacting with the Atlassian host product APIs:
See the Connect app authorization guide for how your app should perform user authorization checks against the permission model defined in Atlassian products.
Authentication and authorization rely on elements in the app descriptor.
To enable your Atlassian Connect app to authenticate securely with the Atlassian host product, make sure the following elements are in the app descriptor:
authentication:type
: the authentication type (always jwt
)lifecycle:installed
: a callback endpoint to call at installation timeTo request authorization to perform specific categories of actions in the Atlassian host product, add the scopes
element and the scopes you need. For a list of available scopes,
see Scopes.
For example:
1 2{ "baseUrl": "http://localhost:3000", "key": "atlassian-connect-app", "authentication": { "type": "jwt" }, "lifecycle": { "installed": "/app-installed-callback" }, "scopes": [ "read", "write" ], "modules": {} // etc }
Once the app is installed, the Atlassian host product passes your callback to a security context. This contains important information that you’ll be required to store in your app in order to sign and verify future requests.
Learn more about the contents of the payload in lifecycle attributes.
Your installation callback must execute synchronously.
Upon successful registration, the installation callback must return either a 200 OK
or 204 No Content
response code. Otherwise, the operation will fail and the installation will be marked as incomplete.
Although app installation may be complete, the permissions that grant the app access to Atlassian products may take a few seconds to sync across all of the platform databases.
Until this sync is complete, the app may receive 401 Unauthorized
or 403 Forbidden
errors.
When communicating server-to-server with the Atlassian host product your app uses a JWT token to access protected resources including most of the REST APIs. When you use the frameworks, this is handled for you.
If you are not using the frameworks, you can use JWT libraries to construct a token. See Creating a JWT token and the Atlassian-supported claims that you need to construct.
Requests to your endpoints from the Atlassian host product are signed with JWT tokens. If you use the frameworks, verifying the JWT is handled for you.
If you are not using the frameworks, you will have to decode and verify all incoming requests from the Atlassian host product to your service. For more details, see Decoding and verifying a JWT and the Atlassian-supported claims that you need to validate.
Once a request has been authenticated, your app should perform additional authorization checks to determine if the user is permitted to perform the requested action. For more details, see the Connect app authorization guide.
An installation secret will be exchanged every time your app is installed or updated. To secure this key exchange process, the install and uninstall lifecycle events include JWT tokens in the Authorization header. This JWT token will be signed with a private key using the RS256(RSA-SHA256) algorithm.
To retrieve the publicKey
, make a request to the CDN with the kid
parameter supplied in the
JWT token header. For example, https://connect-install-keys.atlassian.com/kid
The best way to see how JWT tokens work with your lifecycle events is to use the Connect inspector to create a temporary app, install it in your cloud development environment and watch the lifecycle events.
When storing the app installation secret, allow up to 400 bytes of storage space per secret. Because the secret is used for authentication between your app and Atlassian, it is required that you keep it secure and safe. Ensure the following:
Rate this page: