Integrating with OAuth 2.0
You can integrate your application with OAuth 2.0 authentication to connect with third-party apps, such as your mail server. We only support 3-legged authentication.
Disabling Basic Authentication
Some providers such as Google and Microsoft are planning on disabling Basic Authentication. When they do, you will not be able to create issues and comments from email and your connection to the Gmail and/or Microsoft Exchange Online server will no longer be operational. You do not need to update the settings in your custom email servers or other service providers if they use IMAP or POP3. They will continue to work.
Currently, Jira does not support OAuth 2.0 for Microsoft Exchange Online via POP3. You can either continue using Basic Authentication until the support is provided or connect to the mail server using IMAP and then integrate with OAuth 2.0.
Process for integrating a mail server with OAuth 2.0
You need to configure OAuth 2.0 for your Google and/or Microsoft email server and update your email server configuration. You need to be a system administrator to do that.
You need to configure the OAuth 2.0 settings first. To do that, you will require specific info, such as a client ID, from your service provider. You can generate this data on the service provider’s side. Then, you need to copy the data to the OAuth plugin in your application to generate a redirect URL. Next, provide the redirect URL generated by your application at the service provider’s site. Once you save your configuration, you can proceed to configuring your mail server to use OAuth 2.0 as the authentication method.
You need to ensure the following:
- Your server needs to run over HTTPS. If it doesn’t, you will not be able to configure OAuth 2.0.
- Your base URL needs to be configured correctly. This is important because the redirect URL you’ll need to provide is based on Jira’s base URL.
Configuring OAuth 2.0 for Google, Microsoft, or your own custom server
You first need to add OAuth 2.0 integration for your mail server to use. Next, you need to configure your mail server to use this integration.
1. Go to Jira administration > System > OAuth 2.0.
2. Click Add new integration.
3. Select your Service provider.
4. Enter your integration’s name.
5. For Google and Microsoft, we will auto-fill the authorization and the token endpoint data. However, if you are using a custom service provider, you need to obtain this data from the service provider and fill it in yourself.
6. Copy the generated redirect URL, which you’ll have to provide at the service provider’s site to obtain the client ID and client secret.
If you are configuring a custom service provider, click Generate to receive the redirect URL.
Your redirect URL is endpoint-dependent. If you change the authorization or the token endpoint, the redirect URL needs to change as well. Click Generate to get a new URL.
7. Go to the service provider to generate the data to enter on the plugin’s site to complete the integration.
Google: Go to https://developers.google.com/identity/protocols/oauth2/web-server to learn how to generate the required data.
Microsoft: Go to https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow to learn how to generate the required data.
You will need the following data for the integration:
Scopes - this is the level of the authenticated user data that you allow your service provider to share with the application. For example, it can be:
For Google, we recommend using the https://mail.google.com/ scope for IMAP and POP3. For Microsoft, we recommend
When you complete the application registration process with your provider, you obtain the following unique credentials to authorise the OAuth client (for example, Jira) with the OAuth server (for example, Google). Copy and paste them in Jira at the OAuth 2.0 site:
8. Save your configuration.
9. On the OAuth 2.0 integrations page, click Test connection to make sure the connection works.
If you receive a "Need Admin Approval" message when using Azure, this means that you do not have sufficient privileges to grant access to the Jira service account. You may need the register apps permission or Application consent.
If you're configuring OAuth 2.0 to connect to a mail server, you can select your integration as the Authentication method for this incoming mail server. Go to Jira configuration > System > Incoming mail to configure your server.
For details on how to reconfigure Jira Service Management's email channels to use your OAuth 2.0 integration, see Receiving requests by email.
OAuth 2.0 settings details
Service provider - Select Google or Microsoft if it’s applicable, or use Custom for other integrations.
Name - A unique name for this integration.
Client ID - The client ID generated by the provider. This is the public identifier of the application on the provider side.
Client secret - The client secret generated by the provider. This is the shared secret between the application (such as Jira) and the provider, ensuring the authorization is secure. This will not be viewable after saving.
Scopes - The required OAuth 2.0 scopes for interacting with the provider. Learn more about scopes.
Authorization endpoint - The HTTPS URL where authorization to use OAuth 2.0 is started.
Token endpoint - The HTTPS URL where refresh token requests are sent. As OAuth 2.0 tokens have an expiry, Jira will periodically update the token.
Redirect URL - The redirect URL that must be saved on the provider side. This redirects the authentication flow back to Jira to complete the initial process.
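The requirements and settings above can be checked before saving an integration. The following is an added example, not Atlassian's code: it validates the HTTPS and base URL requirements and builds the authorization request that starts the 3-legged flow. The hosts, client ID and callback path are placeholders, and the same-origin check between redirect URL and base URL is an assumption drawn from the statement that the redirect URL is based on the base URL.

```python
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed sample settings: hosts, client ID and callback path are placeholders,
# not values from Jira or any provider. The scope is the one the page recommends for Google.
BASE_URL = "https://jira.example.com"
SAMPLE = {
    "client_id": "example-client-id",
    "scopes": ["https://mail.google.com/"],
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "redirect_url": "https://jira.example.com/oauth2/callback",
}

def origin(url):
    """(scheme, host, port) of a URL, with default ports filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or {"https": 443, "http": 80}.get(scheme)

def check_integration(base_url, cfg):
    """Return a list of problems; an empty list means the settings pass."""
    problems = []
    if origin(base_url)[0] != "https":
        problems.append("base URL is not HTTPS")
    for key in ("authorization_endpoint", "token_endpoint", "redirect_url"):
        scheme, host, _ = origin(cfg.get(key, ""))
        if scheme != "https" or not host:
            problems.append(f"{key} is not an HTTPS URL")
    # Assumption: the redirect URL must share scheme, host and port with the base URL.
    if origin(cfg.get("redirect_url", "")) != origin(base_url):
        problems.append("redirect URL does not match the base URL")
    if not cfg.get("client_id"):
        problems.append("client ID is missing")
    if not cfg.get("scopes"):
        problems.append("no scopes requested")
    return problems

def authorization_request(cfg, state=None):
    """First leg of the 3-legged flow: the URL the approving user's browser opens."""
    state = state or secrets.token_urlsafe(24)  # ties the callback to this request
    query = urlencode({
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": cfg["redirect_url"],
        "scope": " ".join(cfg["scopes"]),
        "state": state,
    })
    return f"{cfg['authorization_endpoint']}?{query}", state
```

The client secret is deliberately absent from the authorization request; it is only sent to the token endpoint.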