Is there any way to call Jira REST APIs (OAuth 1.0a) from an Apigee proxy?

Is there any way to call the Jira REST APIs with the OAuth 1.0a flow for Jira authentication? How will it be possible to generate an access token, and how to revoke it?


Yes. You can do it. But it will take some work on your part.

What you need is an OAuth1.0a CLIENT.

Apigee includes an OAuth1.0a SERVER side policy. In other words, the OAuthv1.0a policy VERIFIES an OAuth1.0a signature. What you want is different; you want to GENERATE an OAuthv1.0a signature.

There's no built-in policy in Apigee Edge that does this.

Let's back up a bit.

With an OAuth v1.0a-protected API, each inbound API request must be signed. It's not a bearer token model; it's a signature. Each new request needs to include a signature, which has been computed on a base string that includes a timestamp, a nonce, and a representation of the various oauth parameters (signing method, consumer key), and also a representation of the query and form parameters if any. That signature is going to be unique for every request. There's no replay possibility.

Recall, here's how OAuth v1.0a works:

- The first thing in OAuth v1.0a is to get a request token. This allows the client to prompt the user with a consent UI saying "do you want to allow this client?"

- If the user consents, the client (app) gets a verifier and sends that to the server to retrieve an access token and secret.

- The client then uses the access token and secret to sign subsequent requests.

I have an example of how to do this in Apigee for the Trello API. Trello uses OAuth v1.0a, with HMAC-SHA1 signatures. My example uses JavaScript to compute the HMAC-SHA1 signature.

This won't work with Jira. Jira's API uses OAuth with RSA-SHA1 signing for authentication. This means that a private key is used to sign requests, rather than the OAuth token shared secret/consumer secret (HMAC). JavaScript callouts in Apigee *can* be used to do RSA signing, but it performs quite poorly.

What I recommend is to use a Java callout to create the OAuth 1.0a signature for Jira. Atlassian provides sample Java code to produce the signature; you should be able to use that to create a Java callout.

I don't have an example callout that does this, but you should be able to build one.
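Added example, not part of the original answer and not Atlassian's sample code: a JDK-only sketch of the signing step described above, building the OAuth 1.0a signature base string and an RSA-SHA1 signature, then checking it with the public key as a server would. The class name, consumer key, token, host and key pair are constructed placeholders; in a Java callout the same two methods would be called from `execute()` with values read from context variables.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.stream.Collectors;
public class OAuth1RsaSha1Signer {
    // RFC 5849 percent-encoding: only unreserved characters stay literal (needs Java 10+).
    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8)
                .replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }

    // Base string = METHOD & encoded URL (no query string) & encoded, sorted parameters.
    // A Map suffices only because this sample has no repeated parameter names.
    static String baseString(String method, String url, Map<String, String> params) {
        TreeMap<String, String> sorted = new TreeMap<>();
        params.forEach((k, v) -> sorted.put(enc(k), enc(v)));
        String normalized = sorted.entrySet().stream()
                .map(e -> e.getKey() + "=" + e.getValue()).collect(Collectors.joining("&"));
        return method.toUpperCase() + "&" + enc(url) + "&" + enc(normalized);
    }

    // RSA-SHA1: sign the base string with the consumer's private key, then base64 it.
    static String sign(String base, PrivateKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA1withRSA");
        s.initSign(key);
        s.update(base.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(s.sign());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA"); // constructed throwaway key
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        Map<String, String> p = new HashMap<>(); // constructed placeholder values below
        p.put("oauth_consumer_key", "example-consumer-key");
        p.put("oauth_token", "example-access-token");
        p.put("oauth_signature_method", "RSA-SHA1");
        p.put("oauth_timestamp", String.valueOf(System.currentTimeMillis() / 1000));
        p.put("oauth_nonce", UUID.randomUUID().toString());
        p.put("jql", "project = DEMO"); // query parameters are signed too
        String base = baseString("GET", "https://jira.example.com/rest/api/2/search", p);
        String sig = sign(base, kp.getPrivate());
        Signature v = Signature.getInstance("SHA1withRSA"); // the check the server side does
        v.initVerify(kp.getPublic());
        v.update(base.getBytes(StandardCharsets.UTF_8));
        System.out.println(base + "\noauth_signature=" + enc(sig)
                + "\nverifies=" + v.verify(Base64.getDecoder().decode(sig)));
    }
}
```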


Thanks for the answer. One more query: can a node.js flow work as well for the OAuth1.0a flow where the Java callout needs to call?

As I am not sure about the jar execution for OAuth token generation.

How do I execute this command: java -jar OAuthTutorialClient-1.0.jar requestToken

Hi Puja

I do not recommend the use of a nodejs target for constructing an OAuth 1.0a token (signature). Creation of the signature is just a matter of doing some arithmetic, and using an external, out of process system to create that signature seems like a heavyweight solution to that problem. My opinion is that we should try to construct signatures with an in-process module. A Java callout fits that bill; a nodejs target does not. So that's why I suggest using a Java callout for this purpose.

Also, regarding how to execute "java -jar OAuthTutorialClient-1.0.jar"... well that is a command you can execute from your terminal on your dev workstation. But that same command will not work as a Java callout without some migration or re-work.

What you'd need to do is repackage the logic in OauthTutorialClient1-0... so that it is a Java callout. It must implement the "execute()" method. It should retrieve the request token from a context variable, and not from a command argument. Then Apigee can call it as a custom Java policy.

If you're new to Java callouts, then you may want to have a look at:

https://github.com/DinoChiesa/ApigeeEdge-JavaCallout101

Hello dchiesa1, you wrote that you have an example of how to do this in Apigee for the Trello API: "Trello uses an OAuthv1.0a, with HMAC-SHA1 signatures. My example uses JavaScript to compute the HMAC-SHA1 signature."

May I have a reference to your example, due to the fact that's exactly my need? Thanks

Sure! Please find the working example attached. There's a README.