grimoirelab-perceval

Add support for Connect apps and OAuth 2/3 for Jira

Open lukaszgryglicki opened this issue 4 years ago • 3 comments

Hi, Perceval only supports Jira backend either as an anonymous user (without providing any credentials at all) or basic auth (via username/password pair).

  • Anonymous access is often disabled on existing Jira instances.
  • Basic auth is only enabled on few Jira instances, most switched to either OAuth 2/3 or Connect Apps. Additionally, basic auth is not recommended, see here (REST API basic authentication is deprecated and will be removed in the future).

Connect apps is the newest and most recommended way of supporting authentication/authorization (it uses JWT tokens; the Linux Foundation also uses JWT tokens for its Linux Foundation ID (LFID) logins, and many LF projects' Jiras use this, for example ONAP, OPNFV and many more).

Documentation for connect apps is here and for OAuth is here and there.

This is an important improvement because the current state of the Jira backend actually almost blocks Jira usage (it only works in anonymous mode or in deprecated basic auth mode, which is usually disabled in most Jira instances).

lukaszgryglicki avatar Apr 09 '20 07:04 lukaszgryglicki

Hi, would love to give this a go as a first issue. Might need a bit of time to get familiar with the codebase.

ooigavin avatar Sep 30 '20 15:09 ooigavin

Hi, just wanted to clarify some things. From the Jira documentation I can see that password basic auth & cookie-based auth have been deprecated. The recommended method for Basic auth now is via API tokens.

While it is still better to use OAuth to authenticate the requests, currently for non-connect apps, the only grant type available is the code authorization type, which requires a browser. In the context of the perceval CLI, this does not seem to make much sense to implement?

For connect apps, however, they do allow 2-legged OAuth via the use of a JWT. For the scope of this PR, is it alright if I add API tokens as a means of Basic auth for non-connect apps and use JWT for connect apps?

ooigavin avatar Oct 11 '20 07:10 ooigavin

** Apologies, after further reading I realised that there are some differences between apps hosted on Jira Cloud and apps self-hosted with Jira Server.

  • password basic auth is deprecated for Jira Cloud, API tokens are now the recommended method
  • API tokens are not enabled for Jira Server, and password basic auth is still the only way to perform auth without a browser

I am unclear if the current Jira backend aims to support both Jira Cloud & Server; would need some clarification on this, and perhaps what the scope for this issue should be.

ooigavin avatar Oct 11 '20 09:10 ooigavin
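
An added example, not part of the thread and not Perceval's code: the two non-browser options discussed above, Basic auth (API token on Jira Cloud, password on Jira Server) and an HS256 JWT for a Connect app, with the check the receiving side performs. The `iss`/`iat`/`exp`/`qsh` claims and the `JWT` header prefix follow Atlassian's Connect documentation; the function names, app key and shared secret are constructed, and the `qsh` canonicalisation is simplified to single-valued parameters.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import quote

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def basic_auth_header(user: str, secret: str) -> dict:
    # `secret` is an API token on Jira Cloud, the account password on Jira Server.
    creds = f"{user}:{secret}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(creds).decode("ascii")}

def query_string_hash(method: str, path: str, params: dict) -> str:
    # qsh binds the token to one request: SHA-256 of "METHOD&path&sorted-query".
    # Simplified (assumption): single-valued parameters only.
    query = "&".join(f"{quote(k, safe='')}={quote(str(v), safe='')}"
                     for k, v in sorted(params.items()))
    canonical = f"{method.upper()}&{path or '/'}&{query}"
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def connect_jwt_header(app_key, shared_secret, method, path, params, now=None, ttl=180):
    now = int(time.time()) if now is None else now
    claims = {"iss": app_key, "iat": now, "exp": now + ttl,
              "qsh": query_string_hash(method, path, params)}
    parts = ({"alg": "HS256", "typ": "JWT"}, claims)
    signing_input = ".".join(
        _b64url(json.dumps(p, separators=(",", ":")).encode("utf-8")) for p in parts)
    sig = hmac.new(shared_secret.encode("utf-8"), signing_input.encode("ascii"),
                   hashlib.sha256).digest()
    return {"Authorization": f"JWT {signing_input}.{_b64url(sig)}"}

def verify_connect_jwt(token, shared_secret, method, path, params, now=None):
    # Receiving side: constant-time signature check, then expiry and request binding.
    signing_input, _, sig = token.rpartition(".")
    expected = _b64url(hmac.new(shared_secret.encode("utf-8"),
                                signing_input.encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    payload = signing_input.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now or claims["qsh"] != query_string_hash(method, path, params):
        raise ValueError("expired or bound to a different request")
    return claims
```

Because the token is short-lived and tied to one method, path and query, a captured JWT cannot be replayed against another endpoint, whereas a captured Basic header stays valid until the token or password is rotated.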