Data Center 6.3
Versions

Crowd OAuth 2.0 provider API

Configuring an incoming link

On this page

Related content

Still need help?

The Atlassian Community is here for you.

Ask the community

Crowd provides APIs that allow external services to access resources on a user's behalf using the OAuth 2.0 protocol.

On this page:

Supported OAuth 2.0 flows

We support the following OAuth 2.0 flows:

We don’t support Implicit Grant and Resource Owner Password Credentials flows, as they'll be deprecated in the next OAuth 2.0 specification version. For more information on how these flows work, see the OAuth 2.0 RFC. This should help you understand the flows and choose the right one for you.

Security recommendations

Here are some recommendations to improve security:

  • Prevent CSRF attacks: to protect redirect-based flows, the OAuth 2.0 specification recommends using “One-time use CSRF tokens carried in the state parameter, which are securely bound to the user agent” using the state query parameter with each request to the /rest/oauth2/latest/authorize endpoint. This can prevent CSRF attacks.
  • Use HTTPS in production: For production environments, use HTTPS for the redirect uri. This is important because OAuth 2.0 bases its security on the transport layer. For more information, see the OAuth 2.0 RFC and the OAuth 2.0 Threat Model RFC. For the same reason, we also enforce HTTPS for the base URL of production environments. You can use insecure URIs and base URLs for staging or development environments by enabling the relevant system properties.

Authorization code with Proof Key for Code Exchange (PKCE)

This flow lets you securely perform the OAuth exchange of client credentials for access tokens on public clients. The following steps and parameters describe our implementation of this flow.

Before you begin

  • Register your application in Crowd by creating an incoming link in application links. During registration, you can enable proper scopes to limit the range of resources that the application can access. After creating the link, you should receive the OAuth 2.0 credentials: Client ID and Client secret - keep them secure. For more information, see Configure an incoming link.

  • Before starting the flow, generate the state (optional), code_verifier, code_challenge, and code_challenge_method.

Parameters

Here are the parameters you’ll use in this flow.

Parameter name

Description

Required

redirect_uri

URL the user is redirected to after authorizing the request.

Yes

client_id

Client ID generated by Crowd when registering your application.

Yes

response_type

Authorization code.

Yes

scope

Scopes that define the application’s permissions to the user account. Check out available permissions

Yes

code_challenge

For sha256, generate this using the following pseudocode: BASE64URL-ENCODE(SHA256(ASCII(code_verifier))). For plain, this can be the generated code_verifier.

Yes

code_challenge_method

Can be plain or sha256 depending on how the code_challenge was generated.

Yes

code_verifier

High-entropy cryptographic random STRING using the unreserved characters: [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~". It must be between 43-127 characters. For more info, see the RFC.

Yes

state

A value that can't be predicted. It will be used by the client to maintain the state between the request and callback. It should also be used as a CSRF token. It can be generated in a similar manner to code_verifier.

No

Making requests to the API with the access token

  1. Request an authorization code by redirecting the user to the /rest/oauth2/latest/authorize page with the following query parameters:

    curl https://atlassian.example.com/rest/oauth2/latest/authorize?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&response_type=code&state=STATE&scope=SCOPE&code_challenge=CODE_CHALLENGE&code_challenge_method=S256
    This is the consent screen that asks the user to approve the application’s request to access their account with the scopes specified in scope. The user is then redirected to the URL specified in redirect_uri. The redirect includes the authorization code, like in the following example:
    https://atlassian.example.com/plugins/servlet/oauth2/consent?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&response_type=code&scope=SCOPE&state=STATE&code_challenge_method=CODE_CHALLENGE_METHOD&code_challenge=CODE_CHALLENGE
  2. With the authorization code returned from the previous request, you can request an access_token, with any HTTP client. The following example uses curl:
    curl -X POST https://atlassian.example.com/rest/oauth2/latest/token?client_id=CLIENT_ID&code=CODE&grant_type=authorization_code&redirect_uri=REDIRECT_URI&code_verifier=CODE_VERIFIER

    Example response is:

    {

 "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6IjNmMTQ3NTUzYjg3OTQ2Y2FhMWJhYWJkZWQ0MzgwYTM4In0.EDnpBl0hd1BQzIRP--xEvyW1F6gDuiFranQCvi98b2c",

 "token_type": "bearer",

 "expires_in": 7200,

 "refresh_token": "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6ImMwZTMxYmZjYTI2NWI0YTkwMzBiOGM2OTJjNWIyMTYwIn0.grHOsso3B3kaSxNd0QJfj1H3ayjRUuA75SiEt0usmiM",

 "created_at": 1607635748

}


  3. To retrieve a new access_token, use the refresh_token parameter. Refresh tokens may be used even after the access_token itself expires. The following request:

    • Invalidates the existing access_token and refresh_token.

    • Sends new tokens in the response
curl -X POST https://atlassian.example.com/rest/oauth2/latest/token?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&refresh_token=REFRESH_TOKEN&grant_type=refresh_token&redirect_uri=REDIRECT_URI

Example response is:

{

  "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6ImJmZjg4MzU5YTVkNGUyZmQ3ZmYwOTEwOGIxNjg4MDA0In0.BocpI91mpUzWskyjxHp57hnyl8ZcHehGJwmaBsGJEMg",

  "token_type": "bearer",

  "expires_in": 7200,

  "refresh_token": "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6Ijg1NjQ1YjA1NGJiYmZkNjVmMDNkMzliYzM0YzQ4MzZjIn0.4MSMIG46zjB9QCV-qCCglgojM5dL7_E2kcqmiV46YQ4",

  "created_at": 1628711391

}

You can now make requests to the API with the access token. For more info, see Access Crowd API with access token below.

Authorization code

This flow lets you securely perform the OAuth 2.0 exchange of client credentials for access tokens on public clients.

Parameters

Here are the parameters you’ll use in this flow:

Parameter name

Description

Required

redirect_uri

URL the user is redirected to after authorizing the request.

Yes

client_id

Client ID generated by Crowd when registering your application.

Yes

response_type

Authorization code.

Yes

scope

Scopes that define the application’s permissions to the user account. Check out available permissions

Yes

state

A value that can't be predicted. It will be used by the client to maintain state between the request and callback. It should also be used as a CSRF token.

No


Access Crowd API with access token

The access token allows you to make requests to the API on behalf of a user. You can put the token in the Authorization header:

curl --header "Authorization: Bearer OAUTH2-TOKEN" "https://atlassian.example.com//rest/admin/1.0/server-info"


Last modified on Apr 7, 2025

Was this helpful?

Yes
No
Provide feedback about this article

Related content

Powered by Confluence and Scroll Viewport.