If you are writing a script that interacts with Jira through a REST API, you should authenticate using an OAuth token, rather than an embedded username/password. Here we describe one way to do the 'oauth dance' to generate a trusted token using Python 3 - specifically the
jirashell utility from the
jira Python package.
jirashell then forms a useful basis for a Python script. Our example script uses OAuth to call an undocumented REST API for querying license data.
On with the instructions.
Establishing OAuth trust
Install Python 3
python --version should show Python 3.x.
Create a venv
Install Python libraries
Generate an RSA public key
Create an application link
In Jira, create an applink. Applinks normally connect to other HTTP apps, but in this case our OAuth client doesn't have a URL, so use a fake one.
I originally created these instructions when creating an OAuth token for a Nagios Jira license monitor, hence the token I use is monitor-jira-license , and the fake URL is http://monitor-jira-license:
Jira will complain, but just click Continue:
On the next page, enter 'monitor-jira-license' as the Application Name. Leave other fields blank. Check the 'Create incoming link' checkbox:
On the next page, fill in:
|Consumer Key||monitor-jira-license||this key will be used in the script|
|Consumer Name||Monitor Jira License||any descriptive text|
|Public key||contents of rsa.pub|
Click 'Continue', and your application link will be created.
Now from your terminal, do the OAuth dance with your Jira installation:
Jirashell would normally try to launch your preferred web browser, using the webbrowser library. By setting the BROWSER env variable, we tell Python not to bother, and just print the URL for us to manually cut & paste. This is require for server environments, where
This should print a URL. Open it in your browser:
Click *Allow* in the Browser window:
After the URL, your terminal also should have displayed:
The jirashell command now proceeds to launch an IPython session:
oauth to print the OAuth object:
Now press ctrl-d to exit.
Test your OAuth token
Now embed the 'Request token' and 'Request token secret' values you saw above into a new jirashell command:
If successful, the
jira.server_info() command piped to stdin should succeed:
You now have the three things you need for your script: the token, the token secret, and
rsa.pub private key.
jirashell as a base for your script
If your script is Python, you can use
jirashell as a library to handle all the ugly command-line parsing. In my case:
This command can then be invoked using the same command-line flags as
Some JIRA REST calls are not wrapped in the Python JIRA library. For those, you can use the OAuth credentials with the
requests library directly, as follows:
You can invoke non-REST (
/secure/admin/* ) URLs with OAuth credentials too, but Jira's "websudo" authentication will demand a password, rendering OAuth useless.