If you are writing a script that interacts with Jira/Confluence through a REST API, you should authenticate using an OAuth token, rather than an embedded username/password. Here we describe one way to do the 'oauth dance' to generate a trusted token using Python 3 - specifically the jirashell
utility from the jira
Python package.
There are many attempts to explain this process on the internet. Every one I have found has been awful: either handwaving away details, or too dense, trying to explain the mechanics of OAuth with missionary zeal. Just tell me what to type and where to click, and give me my token!
On with the instructions.
Every OAuth token has a key: for the purposes, the key will be monitor-jira-license.
Install Python 3
Running python3
or python --version
should show Python 3.x.
Create a venv
mkdir jira-oauth cd jira-oauth python3 -m venv venv . venv/bin/activate
Install Python libraries
pip3 install jira ipython
Generate an RSA public key
openssl genrsa -out rsa.pem 2048 openssl rsa -in rsa.pem -pubout -out rsa.pub
Create an application link
In Jira (or Confluence), create an applink. Applinks normally connect to other HTTP apps, but in this case our OAuth client doesn't have a URL, so use a fake one:
Jira will complain, but just click Continue:
On the next page, enter 'monitor-jira-license' as the Application Name. Leave other fields blank. Check the 'Create incoming link' checkbox:
On the next page, fill in:
Field | Value | Notes |
---|---|---|
Consumer Key | monitor-jira-license | this key will be used in the script |
Consumer Name | Monitor Jira License | any descriptive text |
Public key | contents of rsa.pub |
Click 'Continue', and your application link will be created.
OAuth dance
Now from your terminal, do the OAuth dance with your Jira installation:
jirashell --server https://issues.redradishtech.com --consumer-key monitor-jira-license --key-cert rsa.pem --oauth-dance
At this point two things should happen: a browser window should launch asking for authorization:
Click *Allow* in the Browser window:
Your terminal should have displayed:
Your browser is opening the OAuth authorization for this client session. Have you authorized this program to connect on your behalf to https://issues.redradishtech.com? (y/n)
Actually, on Chrome on Linux, I find that launching the Chrome window printed some debug text, unhelpfully right after the (y/n) prompt:
Your browser is opening the OAuth authorization for this client session. Have you authorized this program to connect on your behalf to https://issues.redradishtech.com? (y/n)[1127:1155:0610/114150.937882:ERROR:browser_process_sub_ thread.cc(221)] Waited 7 ms for network service Opening in existing browser session.
Ignore the extra debugging: you're still being prompted for 'y' or 'n' at this point.
Press 'y'.
The jirashell command now proceeds to launch an IPython session:
<JIRA Shell 2.0.0 (https://issues.redradishtech.com)> *** JIRA shell active; client is in 'jira'. Press Ctrl-D to exit. In [1]:
Just for fun, run `jira.server_info()` to prove you're connected:
Press ctrl-d to exit.
Print your OAuth token
Jira trusts us. Now we need to print the token. Add '--print-tokens' to the last command:
jirashell --server https://issues.redradishtech.com --consumer-key monitor-jira-license --key-cert rsa.pem --oauth-dance --print-tokens
Output looks like:
Request tokens received. Request token: kLYKeT0g9EiJDDmqlxQTH9VjRs2fpFS6 Request token secret: snhWUlGQmzLu6I9ju1aQGNjulQQPT1lz Please visit this URL to authorize the OAuth request: https://issues.redradishtech.com/plugins/servlet/oauth/authorize?oauth_token=kLYKeT0g9EiJDDmqlxQTH9VjRs2fpFS6 Have you authorized this program to connect on your behalf to https://issues.redradishtech.com? (y/n)
Hit 'n'.
Test your OAuth token
Now embed the 'Request token' and 'Request token secret' values you saw above into a new jirashell command:
jirashell --server https://issues.redradishtech.com --access-token kLYKeT0g9EiJDDmqlxQTH9VjRs2fpFS6 --access-token-secret snhWUlGQmzLu6I9ju1aQGNjulQQPT1lz --key-cert rsa.pem <<< 'jira.server_info()'
If successful, the jira.server_info()
command piped to stdin should succeed:
<JIRA Shell 2.0.0 (https://issues.redradishtech.com)> *** JIRA shell active; client is in 'jira'. Press Ctrl-D to exit. In [1]: Out[1]: {'baseUrl': 'https://issues.redradishtech.com', 'version': '7.13.0', 'versionNumbers': [7, 13, 0], 'deploymentType': 'Server', 'buildNumber': 713000, 'buildDate': '2018-11-28T00:00:00.000+1100', 'scmInfo': 'fbf406879436de2f3fb1cfa09c7fa556fb79615a', 'serverTitle': 'Red Radish JIRA'} In [2]: Do you really want to exit ([y]/n)?