
Redirection Notice

This page will redirect to OAuth Security for Application Links.

The instructions on this page describe how to configure OAuth for an application link. OAuth authentication allows a web application to share data/resources with any other OAuth-compliant external application, and is the protocol we recommend for application links.

You can configure:

  • outgoing authentication (authentication of requests sent from this application to a linked application), and/or 
  • incoming authentication (authentication of requests coming from a linked application into this application).

A typical scenario is setting up an application link between two applications that trust each other and that do not share the same set of users. In this case, you would configure OAuth for both outgoing authentication and incoming authentication. See Configuring authentication for an application link for other scenarios and configurations.

Key OAuth Terminology

  • Service provider — an application that shares ('provides') its resources.
  • Consumer — an application that accesses ('consumes') a service provider's resources.
  • User — an individual who has an account with the Service Provider.


  • Adding an OAuth consumer requires the transmission of sensitive data. To prevent 'man-in-the-middle' attacks, it is recommended that you use SSL for your applications while configuring OAuth authentication.
  • Do not link to an application using OAuth authentication, unless you trust all code in the application to behave itself at all times. OAuth consumers are a potential security risk to the applications that they are linked to because of the ability to impersonate users. If your server is compromised, the data there and on linked servers is at risk.
  • New application links now use OAuth by default and enable both 3-legged OAuth (3LO) and 2-legged OAuth (2LO).
  • When updating older application links (that perhaps used Trusted Apps authentication) to use OAuth, 3LO is enabled by default, but you need to explicitly enable 2LO using the Allow 2-legged OAuth check box in the application link configuration settings.
  • Only use the 2LO with impersonation option in the application link configuration settings if your servers both have the same set of users and the servers fully trust each other.

  • The instructions assume that both of the applications that you are linking have the Application Links plugin installed. If the remote application that you are linking to supports OAuth, but does not have the Application Links plugin installed, you will need to configure OAuth from within the remote application (see the relevant administrator's documentation for the application) in addition to configuring the outgoing/incoming authentication for the application link (as described below).

Configuring outgoing OAuth authentication will allow your application to access data in a remote application on behalf of a user (i.e. allow this application to access specified functions in the remote application).

Configure OAuth authentication for an outgoing link:

  1. Log in as a system administrator and go to the administration page. Click Application Links in the administration menu. You'll see a list of the application links that have already been set up.
  2. Click Edit for the application link for which you want to configure OAuth.
  3. Click the Outgoing Authentication tab, then the OAuth tab.
  4. Log in to the remote application, if necessary, using credentials for the remote server. The remote server accesses and stores your local server's public key.
  5. Click Enable to enable OAuth authentication for the outgoing link. 

Configuring incoming OAuth authentication will allow the linked remote application to access data in your application on behalf of its users.

Configure OAuth authentication for an incoming link:

  1. Log in as a system administrator and go to the administration page. Click Application Links in the administration menu. You'll see a list of the application links that have already been set up.
  2. Click Edit for the application link that you want to configure OAuth for.
  3. Click the Incoming Authentication tab, then the OAuth tab.
  4. Click Enable to enable OAuth authentication for the incoming link. 
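The notes above distinguish 2-legged OAuth (no user token; the consumer acts as itself or, with impersonation, as a named user) from 3-legged OAuth (a user-granted access token accompanies each request). The following added example, not code from this page or from the Application Links plugin, builds and verifies OAuth 1.0a-style signed requests both ways. Assumptions: Application Links actually sign with RSA-SHA1 using the public key exchanged in step 4 of the outgoing procedure; this example substitutes HMAC-SHA1 with a constructed shared secret so it runs without extra libraries, and the URL, keys and parameter values are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    # RFC 5849 percent-encoding: only unreserved characters stay as-is
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    # Normalise: encode each key/value, sort by key then value, join with '&'
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign_hmac_sha1(base_string, consumer_secret, token_secret=""):
    # Signing key is consumer secret and token secret; token secret is empty for 2LO
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_request(method, url, consumer_key, consumer_secret, nonce, timestamp,
                  access_token=None, token_secret="", query=None):
    # Consumer side: 3LO adds oauth_token (user-granted); 2LO sends none
    params = dict(query or {})
    params.update({
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",  # assumption; Application Links use RSA-SHA1
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    })
    if access_token is not None:
        params["oauth_token"] = access_token
    base = signature_base_string(method, url, params)
    params["oauth_signature"] = sign_hmac_sha1(base, consumer_secret, token_secret)
    return params


def verify_request(method, url, params, consumer_secret, token_secret=""):
    # Service-provider side: recompute over every parameter except the signature
    presented = params.get("oauth_signature", "")
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign_hmac_sha1(signature_base_string(method, url, unsigned),
                              consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)
```

Any change to the method, URL or a query parameter after signing changes the base string, so the provider's recomputation fails; the same holds for the RSA-SHA1 variant, where the provider verifies with the stored consumer public key instead of a shared secret.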

Configuring Basic HTTP authentication for an application link
Configuring Trusted Applications authentication for an application link


9 Comments

  1. The application links dialog has a 'Use 2-legged OAuth' checkbox, with a help icon which links here, but there is no mention of 2 legged OAuth on this page.

    1. This was addressed (somewhat) in February, 2014.

  2. Anonymous

    I do agree with the comment above... there is totally no information about this here, but it's the direct page from the link. NIAH NIAH NIAH

  3. +1 for 2 Legged authentication info!

  4. Anonymous

    +1 for Tom Davies' comment about 2-legged authentication!!!

  5. Anonymous

    +1 for Tom Davies' comment about 2-legged authentication?

  6. The current JIRA cloud does not seem to have the 2LO checkbox or the "execute as" field. Does it still support 2LO? How do you set it up?

  7. I am also looking for the 2LO checkbox; I don't see it with the current version.

    How to enable 2LO with current version?

    1. As far as I can tell, 2LO is supported by default - but only anonymous. No "execute as".