Aha Needs to Utilize JIRA API Token Based Authentication, Not Basic HTTP, for the JIRA Integration

There are security vulnerabilities associated with Basic HTTP.

JIRA offers token-based authentication with their API. This needs to be utilized for a more secure integration.

Setting this idea as "need it yesterday" because of security concerns for those using the integration.

  • Tom McCormick
  • Oct 13 2017
  • Will not implement
    Chris Waters (Admin) commented
    October 13, 2017 16:25

    If you are using JIRA Cloud then you can use the Aha! plugin, which does use OAuth for authentication: https://marketplace.atlassian.com/plugins/io.aha.connect/cloud/overview.

    For on-premise JIRA systems the OAuth-based authentication that JIRA offers would typically be desirable; however, because of the architecture of JIRA it doesn't make sense for the integration with Aha!. Each JIRA instance operates completely independently of other JIRA instances. This is in contrast to other cloud-based tools, like Salesforce, where there is central administrative control for all instances. This means that each Aha! user who wants to configure an OAuth integration between Aha! and JIRA also needs to create a consumer application within JIRA and share the secret for that consumer with Aha!. This secret is equivalent to the password being used for basic authentication, so there is no security advantage in using OAuth. With other SaaS applications (like Salesforce) only a single consumer application is required for all Aha! customers to share, and so the secret is only shared once. This means that the benefits of OAuth (like limited token lifetime) do actually add a benefit.

    As a consequence we do not plan to support OAuth for JIRA on-premise. We believe the current basic authentication over HTTPS approach is just as secure when used with a dedicated JIRA service account.
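The comment's point is that basic authentication is only as safe as the transport it travels over: the `Authorization` header is base64-encoded, not encrypted, so the password (or API token) is protected solely by HTTPS. The following is an added illustration written for this page, not code from Aha! or Atlassian. It builds a JIRA REST request for a dedicated service account, shows that the Basic header can be decoded back to the credentials, and refuses to send credentials to any non-HTTPS URL. The hostname `jira.example.com`, the account name and the token value are constructed placeholders; `/rest/api/2/myself` is a standard JIRA REST endpoint.

```python
import base64
from urllib.parse import urlparse
from urllib.request import Request


def basic_auth_header(username: str, secret: str) -> str:
    """Build an HTTP Basic Authorization value from a username and a secret.

    For JIRA Cloud the secret is an API token; for a JIRA Server service
    account it is the account password. Either way the header is only
    base64-encoded, not encrypted, so it is safe only over HTTPS.
    """
    raw = f"{username}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_header(header: str) -> tuple:
    """Reverse basic_auth_header; demonstrates that the encoding hides nothing."""
    scheme, _, payload = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    decoded = base64.b64decode(payload).decode("utf-8")
    username, _, secret = decoded.partition(":")
    return username, secret


def build_jira_request(base_url: str, path: str, username: str, secret: str) -> Request:
    """Create a urllib Request for a JIRA REST endpoint, refusing plaintext HTTP.

    Refusing http:// is the control that makes basic auth acceptable: without
    TLS, the header built above is readable by anyone on the network path.
    """
    parsed = urlparse(base_url)
    if parsed.scheme != "https":
        raise ValueError(
            f"refusing to send credentials over {parsed.scheme!r}; use https://"
        )
    req = Request(base_url.rstrip("/") + path)
    req.add_header("Authorization", basic_auth_header(username, secret))
    req.add_header("Accept", "application/json")
    return req


if __name__ == "__main__":
    # Constructed sample values (hostname, account, token); not real credentials.
    req = build_jira_request(
        "https://jira.example.com", "/rest/api/2/myself",
        "aha-service-account", "example-api-token",
    )
    print(req.full_url)
    # Shows that the header round-trips back to the plaintext credentials.
    print(decode_basic_header(req.get_header("Authorization")))
```

The HTTPS check is the practical takeaway: an integration that uses a dedicated service account over TLS limits what a leaked credential can do, and the scheme check prevents the one misconfiguration (a plain `http://` base URL) that would expose the secret in transit.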