I am sending API requests to JIRA using JWT token authentication. I added the method (get, post, etc.) and the endpoint to SHA256 encoding. This succeeds:

qsh = Digest::SHA256.hexdigest("GET&#{endpoint}&")
jwt = JWT.encode({
                   qsh: qsh,
                   iat: issued_at,
                   exp: expires_at,
                   iss: key
                 }, secret)

However, I cannot add query parameters to the URI. If I append query parameters:

qsh = Digest::SHA256.hexdigest("GET&#{endpoint}&start=50&limit=50")
jwt = JWT.encode({
                   qsh: qsh,
                   iat: issued_at,
                   exp: expires_at,
                   iss: key
                 }, secret)

I receive a 401 Unauthorized response.

MVP:

require 'typhoeus'
require 'json'
require 'digest'
require 'jwt'

jira_request(:get, "/rest/servicedeskapi/servicedesk/#{serviceDeskId}/organization", nil)

def jira_request(method, endpoint, data)
  request = Typhoeus::Request.new(jira_rest_api_url(method, endpoint),
                                  followlocation: true, method: method,
                                  body: data ? data.to_json : nil,
                                  headers: { 'X-ExperimentalApi' => 'opt-in',
                                             'Content-Type' => 'application/json' })

  request.on_complete do |response|
    if response.success? && !response.body.blank?
      return JSON.parse(response.body)
    elsif response.code == 204
      return true
    else
      return false
    end
  end
  request.run
end

# Creating JWT token to Auth for each request
def jira_rest_api_url(method, endpoint)
  # Gets the ADDON details for generating JWT token
  jwt_auth = MyJToken.first

  issued_at = Time.now.utc.to_i
  expires_at = issued_at + 500

  qsh = Digest::SHA256.hexdigest("#{method.to_s.upcase}&#{endpoint}&")

  jwt = JWT.encode({ qsh: qsh,
                     iat: issued_at,
                     exp: expires_at,
                     iss: jwt_auth.key
                   }, jwt_auth.secret)

  # return the service call URL with the JWT token added
  "#{jwt_auth.api_base_url}#{endpoint}?jwt=#{jwt}"
end
    Please provide a minimal reproducible example. What is endpoint? Where do you actually trigger an API call? Can you give an example (with dummy credentials) of API calls that work/fail, with/without parameters? Commented Nov 8, 2018 at 10:42
  • @TomLord I have added a MCV model. api_base_url is my domain url, jwt_auth.key has my addon key and jwt_auth.secret has my shared secret. The request is triggered on request.run Commented Nov 8, 2018 at 11:14
  • I don't understand why you'd need to put GET in the URL. Is that really working?! As for the other parameters, these need to be preceded by ?, not &. Commented Nov 8, 2018 at 16:13
  • developer.atlassian.com/cloud/bitbucket/query-string-hash/… this is the reference for generating query string hash for JWT token authentication in JIRA. Three parts Canonical method, Canonical URI, Canonical query string. The third part Canonical query string is the trickiest one for which I am searching for a solution @TomLord Commented Nov 8, 2018 at 16:40
  • Ahh OK, I see now. This question is specifically about the qsh, which is an Atlassian-specific custom extension to JWT. Commented Nov 8, 2018 at 16:54

1 Answer

The parameters that are hashed in:

qsh = Digest::SHA256.hexdigest("GET&#{endpoint}&limit=50&start=50")

should be added in the request url:

"#{jwt_auth.api_base_url}#{endpoint}?jwt=#{jwt}&start=50&limit=50"
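
Worked example of the three canonical parts the comments point to (method, URI, query string), and of why the answer's fix works: the server recomputes qsh from the request it actually receives, so every parameter that went into the hash has to travel in the URL next to jwt. This is added example code, not the asker's code or the answerer's, and not Atlassian's own library. The encoding and sorting rules (keys sorted, repeated values joined with ',', spaces as %20, jwt excluded) follow my reading of Atlassian's query-string-hash documentation and are an assumption here; the JWT encoder is a minimal HS256 implementation on the standard library so the block runs without the jwt gem; the base URL, addon key, shared secret and timestamp are constructed values.

```ruby
require 'digest'
require 'openssl'
require 'base64'
require 'json'
require 'uri'

# Percent-encode a key or value for the canonical query string: form-encoding,
# but spaces as %20, '*' as %2A and '~' left bare (assumed from Atlassian's qsh rules).
def qsh_encode(str)
  URI.encode_www_form_component(str.to_s)
     .gsub('+', '%20')
     .gsub('*', '%2A')
     .gsub('%7E', '~')
end

# Canonical query string: drop the jwt param, sort by encoded key, and for a
# repeated key sort its encoded values and join them with ','.
def canonical_query_string(params)
  grouped = Hash.new { |h, k| h[k] = [] }
  params.each do |k, v|
    next if k.to_s == 'jwt'
    Array(v).each { |val| grouped[qsh_encode(k)] << qsh_encode(val) }
  end
  grouped.keys.sort.map { |k| "#{k}=#{grouped[k].sort.join(',')}" }.join('&')
end

# Canonical URI: the path only, with a leading '/', no trailing '/' (except for
# the root) and any literal '&' escaped so it cannot collide with the separators.
def canonical_uri(path)
  path = '/' + path.sub(%r{\A/+}, '')
  path = path.sub(%r{/+\z}, '') unless path == '/'
  path.gsub('&', '%26')
end

# qsh = SHA256( METHOD & canonical-URI & canonical-query-string )
def compute_qsh(method, path, params = {})
  canonical = "#{method.to_s.upcase}&#{canonical_uri(path)}&#{canonical_query_string(params)}"
  Digest::SHA256.hexdigest(canonical)
end

# Minimal HS256 JWT encoder (header.payload.signature, base64url without padding).
# In an application the jwt gem's JWT.encode produces the same token.
def encode_hs256(payload, secret)
  segments = [{ typ: 'JWT', alg: 'HS256' }, payload].map do |part|
    Base64.urlsafe_encode64(JSON.generate(part), padding: false)
  end
  signing_input = segments.join('.')
  sig = OpenSSL::HMAC.digest('sha256', secret, signing_input)
  "#{signing_input}.#{Base64.urlsafe_encode64(sig, padding: false)}"
end

# Build the request URL: the same params that were hashed into qsh are appended
# to the URL together with the jwt param (the fix from the accepted answer).
def signed_jira_url(base_url, method, path, params, issuer, secret, now = Time.now.utc.to_i)
  payload = {
    qsh: compute_qsh(method, path, params),
    iat: now,
    exp: now + 500,
    iss: issuer
  }
  jwt = encode_hs256(payload, secret)
  query = URI.encode_www_form(params.merge(jwt: jwt))
  "#{base_url}#{path}?#{query}"
end

# Server-side check: parse the URL actually received, recompute qsh from its
# method, path and query (minus jwt) and compare with the qsh claim in the token.
# Signature verification is left out here because the point is the qsh mismatch.
def qsh_matches?(url, method)
  uri = URI.parse(url)
  params = URI.decode_www_form(uri.query || '')
  jwt = params.assoc('jwt')&.last
  return false unless jwt

  claims = JSON.parse(Base64.urlsafe_decode64(jwt.split('.')[1]))
  grouped = params.reject { |k, _| k == 'jwt' }
                  .group_by(&:first)
                  .transform_values { |pairs| pairs.map(&:last) }
  claims['qsh'] == compute_qsh(method, uri.path, grouped)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed values: base URL, addon key and shared secret are placeholders.
  url = signed_jira_url('https://example.invalid', :get,
                        '/rest/servicedeskapi/servicedesk/1/organization',
                        { start: 50, limit: 50 }, 'my-addon-key', 'my-shared-secret')
  puts url
  puts "qsh matches: #{qsh_matches?(url, :get)}"
  puts "qsh matches after dropping params: #{qsh_matches?(url.sub('start=50&limit=50&', ''), :get)}"
end
```

The last two lines of the usage reproduce the question's failure: hashing start and limit into qsh but leaving them out of the URL makes the recomputed hash differ, which is exactly what Jira answers with a 401.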