0

I'm currently working on a service desk application that allows service desk users on our system to see more than they currently can on Jira. What I'm wanting to do is allow them to comment on tickets and possibly add further tickets. I am currently doing this through basic auth, with a 3-legged auth I have made that uses a Jira account to pull tickets for them to see, and then their login to authenticate and then be able to comment on tickets. My issue is that I am having to re-authenticate each time, meaning I have to store the password in a static string somewhere after they have entered it to initially log in. I have looked at the API documentation and, as far as I can work out, OAuth 2.0 is not an option (I believe I read that it's not supported for customer support desk users), and I cannot get API keys easily for them (if at all), as I would need a system admin to generate API keys for all users and then it would be difficult to code.

Storing the user password seems wrong, even as a char array. Any help would be massively appreciated!

1 Answer

0

Storing passwords in the active session is not the best method, but it does the job.

In our application we applied the following:

When the user is authenticated the first time, Jira sends back a response with a cookie that may look like this:

JSESSIONID=6AD97CC4450456CD968B22F7201220A7; atlassian.xsrf.token=BWP3-NZB2-6EDY-6C7K_d3ec7ed6f227879ac4cf6aee83f28e085e49227b_lin 

We stored the user's cookie in their session and we use it every time we send an API request to the Jira REST API on their behalf, as a cookie is a valid authentication method for the Jira Service Desk API.

Authentication

The JIRA Service Desk REST API uses the same authentication methods as JIRA. The preferred authentication methods are OAuth and HTTP Basic Auth (when using SSL). Other supported methods include: HTTP Cookies and Trusted Applications.

Authentication in Jira Service-desk rest

Proof of Concept

Using Postman, send an authenticated request to Jira using basic auth.

After getting a 200 response, alter the Authorization in Postman, change it from Basic Auth to No Auth, and retry the same request.

You should be able to see the same result, and if you expand the request headers, you'll find that Postman has injected the cookie that was retrieved from the first basic auth request.

Hope this helps.

AbdulKarim
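
The proof of concept from the answer above, as an added example in Python (not code from the original post): a local mock server stands in for Jira, the password is used for one Basic auth request, and only the returned session cookie is kept and replayed. The request path, credentials and session value are assumptions constructed for the demo.

```python
import base64, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

PATH = "/rest/servicedeskapi/request"       # assumed endpoint, used only against the mock
SESSION_ID = "CONSTRUCTED-SESSION-ID"       # constructed sample value
GOOD_AUTH = "Basic " + base64.b64encode(b"alice:s3cret").decode()   # constructed credentials
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies

class MockJira(BaseHTTPRequestHandler):
    """Stand-in for Jira: accepts Basic auth or a previously issued JSESSIONID."""
    def do_GET(self):
        cookie_ok = f"JSESSIONID={SESSION_ID}" in self.headers.get("Cookie", "")
        basic_ok = self.headers.get("Authorization") == GOOD_AUTH
        self.send_response(200 if (cookie_ok or basic_ok) else 401)
        if basic_ok:
            self.send_header("Set-Cookie", f"JSESSIONID={SESSION_ID}; Path=/; HttpOnly")
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):           # keep the demo quiet
        pass

def login(base_url, user, password):
    """Authenticate once with Basic auth and return only the session cookie."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base_url + PATH, headers={"Authorization": "Basic " + token})
    with OPENER.open(req) as resp:
        # Keep name=value pairs; drop attributes such as Path and HttpOnly.
        pairs = [c.split(";", 1)[0] for c in resp.headers.get_all("Set-Cookie") or []]
    return "; ".join(pairs)                 # the password is not retained anywhere

def call_with_cookie(base_url, cookie):
    """Later request on the user's behalf: no Authorization header, cookie only."""
    req = urllib.request.Request(base_url + PATH, headers={"Cookie": cookie})
    try:
        with OPENER.open(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code                     # 401: session expired, prompt for login again

def demo():
    server = HTTPServer(("127.0.0.1", 0), MockJira)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        cookie = login(base, "alice", "s3cret")
        return cookie, call_with_cookie(base, cookie), call_with_cookie(base, "JSESSIONID=stale")
    finally:
        server.shutdown()
        server.server_close()
```

The stored cookie is itself a bearer credential: keep it in server-side session state only, and treat a 401 on replay as the signal to send the user back through login.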