
Let's say that I am operating a JIRA installation and want to provide REST API access with oauth authentication. Is it possible to make that access Read-Only? With the REST API, it is possible to create issues and other data, but I would want to prevent the ability to insert data.

I believe it would be possible to achieve read-only REST access with basic authentication since the REST implementation will honor permissions assigned to the user whose credentials are being used with the API, but I would like to use oath as I understand it to be the recommended authentication method as I would assume it is more secure.

1 Answer


Sorry, I'm not sure I understand everything:
OAuth and basic auth will work the same way: the connected user has the same credentials as in the JIRA interface.
So you have nothing to do.
Very quickly, the difference between basic and OAuth is:

  • in basic: your client application shall send the user login and password. So your client app should remember the password.
  • in OAuth: JIRA trusts your client application (with SSL certificates). When your application is connecting, it says "user lambda is connecting", without sending the password.

I hope it helps

CORRECTION:
Sorry, I got a little confused with "trusted application links"
So I correct my answer:
You have in the documentation:

  1. Authorize this token
    Go to the URL in system out and log in to JIRA and approve the access. Afterwards JIRA will say that you have successfully authorised the access. It mentions a verification code which we need for the next step.

So, the user shall log in to JIRA themselves, in order to accept your token, and the user login is bound


5 Comments

Well, I am apparently confused. I do not see where a particular JIRA user account is connected with the Application Link created to grant REST API access. I am using the instructions at: developer.atlassian.com/display/JIRADEV/… The JIRA admin creates an Application Link which corresponds to the client that will be connecting and using the REST API. JIRA and Client do their little dance and the client gets an access token which can be used. I do not see where JIRA users or user permissions enter into this.
Sorry, I got a little confused, I correct my answer:
You have in the documentation:
2. Authorize this token
Go to the URL in system out and log in to JIRA and approve the access. Afterwards JIRA will say that you have successfully authorised the access. It mentions a verification code which we need for the next step.
So, the user shall log in to JIRA themselves
Sorry, I got a little confused with "trusted application links"
Yes, I believe I understand all of that. However, the authorization that JIRA has provided to the Application Link grants both Read & Write access. I want the access to be read-only. Read-only access appears only possible with Basic Authentication where one is providing the credentials of a JIRA user and that JIRA user may not have write permissions. It would appear that with OAuth authentication, there will always be read-write access.
I'm surprised, are you sure that the user login you're using to accept the token has read-only credentials?
Else it would be a serious security issue to submit to Atlassian
Ah, I think I might see where I am confused. I thought this would all need to be done using the admin account. I will experiment a bit more.
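The point the answer and comments converge on is that an OAuth access token carries the permissions of the JIRA user who logged in and approved it during the "Authorize this token" step, just as basic auth carries the permissions of the user whose password is sent; read-only access therefore comes from approving the token as a read-only user rather than as the admin. The model below is an added example for this thread, not JIRA's or Atlassian's code: it simulates the three-legged OAuth 1.0a flow (request token, user approval producing a verifier, exchange for an access token) alongside basic auth, resolves both to a user, and enforces that user's project permissions. The user names, passwords, project key and permission names are all constructed, and the real OAuth signature, nonce and timestamp checks are omitted.

```python
"""Toy model of a JIRA-style REST API resolving the caller to a user and then
enforcing that user's permissions, whether the caller used basic auth or an
OAuth access token.  Added example; not JIRA's or Atlassian's code."""
import base64
import secrets
from dataclasses import dataclass, field

# Constructed directory: login -> password, and per-project permission sets.
USERS = {"reporter": "s3cret-r", "admin": "s3cret-a"}
PROJECT_PERMS = {
    "DEMO": {
        "reporter": {"BROWSE_PROJECTS"},                    # read-only user
        "admin": {"BROWSE_PROJECTS", "CREATE_ISSUES"},     # read-write user
    },
}


class PermissionDenied(Exception):
    pass


@dataclass
class OAuthServer:
    """Three-legged OAuth 1.0a as the JIRA docs describe it: request token ->
    user logs in and approves (verifier) -> access token bound to that user."""
    request_tokens: dict = field(default_factory=dict)  # token -> {"user", "verifier"}
    access_tokens: dict = field(default_factory=dict)   # access token -> login

    def issue_request_token(self) -> str:
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"user": None, "verifier": None}
        return token

    def authorize(self, request_token: str, login: str, password: str) -> str:
        """'Authorize this token': the *user* logs in to JIRA and approves.
        The token is bound to whoever approved it; a verification code is returned."""
        if USERS.get(login) != password:
            raise PermissionDenied("bad JIRA login")
        entry = self.request_tokens[request_token]
        entry["user"] = login
        entry["verifier"] = secrets.token_hex(4)
        return entry["verifier"]

    def exchange(self, request_token: str, verifier: str) -> str:
        """Swap an approved request token plus verifier for an access token."""
        entry = self.request_tokens.pop(request_token, None)
        if (entry is None or entry["user"] is None
                or not secrets.compare_digest(entry["verifier"], verifier)):
            raise PermissionDenied("request token not authorized or bad verifier")
        access = secrets.token_hex(8)
        self.access_tokens[access] = entry["user"]   # token inherits the approving user
        return access


def resolve_user(oauth: OAuthServer, auth_header: str) -> str:
    """Map an Authorization header to a JIRA login.  Both schemes end at a user."""
    scheme, _, value = auth_header.partition(" ")
    if scheme == "Basic":
        login, _, password = base64.b64decode(value).decode().partition(":")
        if USERS.get(login) != password:
            raise PermissionDenied("bad basic credentials")
        return login
    if scheme == "OAuth":
        # Real OAuth 1.0a also verifies the request signature; omitted in this model.
        if value not in oauth.access_tokens:
            raise PermissionDenied("unknown access token")
        return oauth.access_tokens[value]
    raise PermissionDenied("unsupported auth scheme")


def require(oauth: OAuthServer, auth_header: str, project: str, perm: str) -> str:
    """Return the resolved user if they hold `perm` on `project`, else deny."""
    user = resolve_user(oauth, auth_header)
    if perm not in PROJECT_PERMS[project].get(user, set()):
        raise PermissionDenied(f"{user} lacks {perm} on {project}")
    return user


def can_create(oauth: OAuthServer, auth_header: str, project: str) -> bool:
    """Would POST /rest/api/2/issue succeed for this caller?"""
    try:
        require(oauth, auth_header, project, "CREATE_ISSUES")
        return True
    except PermissionDenied:
        return False


def basic_header(login: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{login}:{password}".encode()).decode()


def obtain_access_token(oauth: OAuthServer, login: str, password: str) -> str:
    """Run the whole dance on behalf of the client app, approved by `login`."""
    rt = oauth.issue_request_token()
    verifier = oauth.authorize(rt, login, password)
    return oauth.exchange(rt, verifier)


def demo() -> dict:
    oauth = OAuthServer()
    reporter_tok = obtain_access_token(oauth, "reporter", "s3cret-r")
    admin_tok = obtain_access_token(oauth, "admin", "s3cret-a")
    return {
        "basic_reporter_writes": can_create(oauth, basic_header("reporter", "s3cret-r"), "DEMO"),
        "oauth_reporter_writes": can_create(oauth, "OAuth " + reporter_tok, "DEMO"),
        "oauth_admin_writes": can_create(oauth, "OAuth " + admin_tok, "DEMO"),
    }


if __name__ == "__main__":
    print(demo())   # read-only user stays read-only under both schemes
```

The token approved by `reporter` cannot create issues, the one approved by `admin` can, and basic auth as `reporter` behaves exactly like the reporter's token: the authentication scheme never widens permissions beyond those of the user it resolves to.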
