If you are writing a script that interacts with Jira through a REST API, you should authenticate using an OAuth token, rather than an embedded username/password. Here we describe one way to do the 'oauth dance' to generate a trusted token using Python 3 - specifically the |
There are many attempts to explain this process on the internet. Every one I have found has been awful: either hand-waving away details, or too dense, trying to explain the mechanics of OAuth with missionary zeal. Just tell me what to type and where to click, and give me my token!
On with the instructions.
Running python3
or python --version
should show Python 3.x.
mkdir jira-oauth cd jira-oauth python3 -m venv venv . venv/bin/activate |
pip3 install jira ipython |
openssl genrsa -out rsa.pem 2048 openssl rsa -in rsa.pem -pubout -out rsa.pub |
In Jira (or Confluence), create an applink. Applinks normally connect to other HTTP apps, but in this case our OAuth client doesn't have a URL, so use a fake one.
I originally created these instructions when creating an OAuth token for a Nagios Jira license monitor, hence the token I use is monitor-jira-license , and the fake URL is http://monitor-jira-license:
Jira will complain, but just click Continue:
On the next page, enter 'monitor-jira-license' as the Application Name. Leave other fields blank. Check the 'Create incoming link' checkbox:
On the next page, fill in:
Field | Value | Notes |
---|---|---|
Consumer Key | monitor-jira-license | this key will be used in the script |
Consumer Name | Monitor Jira License | any descriptive text |
Public key | contents of rsa.pub |
Click 'Continue', and your application link will be created.
Now from your terminal, do the OAuth dance with your Jira installation:
BROWSER='echo %s' jirashell --server https://issues.redradishtech.com --consumer-key monitor-jira-license --key-cert rsa.pem --oauth-dance |
Jirashell would normally try to launch your preferred web browser, using the webbrowser library. By setting the BROWSER env variable, we tell Python not to bother, and just print the URL for us to manually cut & paste. This is require for server environments, where |
This should print a URL. Open it in your browser:
Click *Allow* in the Browser window:
After the URL, your terminal also should have displayed:
Your browser is opening the OAuth authorization for this client session. Have you authorized this program to connect on your behalf to https://issues.redradishtech.com? (y/n) |
Press 'y'.
The jirashell command now proceeds to launch an IPython session:
<JIRA Shell 2.0.0 (https://issues.redradishtech.com)> *** JIRA shell active; client is in 'jira'. Press Ctrl-D to exit. In [1]: |
Just for fun, run `jira.server_info()` to prove you're connected:
Press ctrl-d to exit.
Jira trusts us. Now we need to print the token. Add --print-tokens
to the last command:
jirashell --server https://issues.redradishtech.com --consumer-key monitor-jira-license --key-cert rsa.pem --oauth-dance --print-tokens |
Output looks like:
Request tokens received. Request token: kLYKeT0g9EiJDDmqlxQTH9VjRs2fpFS6 Request token secret: snhWUlGQmzLu6I9ju1aQGNjulQQPT1lz Please visit this URL to authorize the OAuth request: https://issues.redradishtech.com/plugins/servlet/oauth/authorize?oauth_token=kLYKeT0g9EiJDDmqlxQTH9VjRs2fpFS6 Have you authorized this program to connect on your behalf to https://issues.redradishtech.com? (y/n) |
Hit n
to abort.
Now embed the 'Request token' and 'Request token secret' values you saw above into a new jirashell command:
jirashell --server https://issues.redradishtech.com --access-token kLYKeT0g9EiJDDmqlxQTH9VjRs2fpFS6 --access-token-secret snhWUlGQmzLu6I9ju1aQGNjulQQPT1lz --key-cert rsa.pem <<< 'jira.server_info()' |
If successful, the jira.server_info()
command piped to stdin should succeed:
<JIRA Shell 2.0.0 (https://issues.redradishtech.com)> *** JIRA shell active; client is in 'jira'. Press Ctrl-D to exit. In [1]: Out[1]: {'baseUrl': 'https://issues.redradishtech.com', 'version': '7.13.0', 'versionNumbers': [7, 13, 0], 'deploymentType': 'Server', 'buildNumber': 713000, 'buildDate': '2018-11-28T00:00:00.000+1100', 'scmInfo': 'fbf406879436de2f3fb1cfa09c7fa556fb79615a', 'serverTitle': 'Red Radish JIRA'} In [2]: Do you really want to exit ([y]/n)? |
You now have the three things you need for your script: the token, the token secret, and rsa.pub
private key.
Note that if your script is Python, you can use jirashell
as a library to handle all the ugly command-line parsing. In my case:
$ cp venv/bin/jirashell check-jira-license $ vim check-jira-license # Make changes $ cat check-jira-license #!/home/jturner/src/redradish/nagios-jira-license/venv/bin/python3 from jira.jirashell import * options, basic_auth, oauth = get_config() jira = JIRA(options=options, basic_auth=basic_auth, oauth=oauth) print(jira.server_info()) |
This command can then be invoked using the same command-line flags as jirashell
:
./check-jira-license --server https://issues.redradishtech.com --access-token kLYKeT0g9EiJDDmqlxQTH9VjRs2fpFS6 --access-token-secret snhWUlGQmzLu6I9ju1aQGNjulQQPT1lz --key-cert rsa.pem |