Authentication

Authentication between CMJ Cloud and an Atlassian Connect app

This page explains how to configure authentication between Configuration Manager for Jira Cloud (CMJ Cloud) and an Atlassian Connect app, which implements the SPI.

Sample app

Take a look at our sample app for guidance on configuring the authentication between your app and CMJ Cloud. See how the sample app authenticates in our public repository.

There are several types of interactions between CMJ Cloud and the app during normal operation:

  • CMJ Cloud to app - CMJ Cloud invokes SPI REST endpoints implemented by the app to start the migration process.

  • App to CMJ Cloud - The app invokes SPI REST APIs to request mapping data or report progress.

  • Download links - The app uses download links provided by CMJ Cloud to download data.

Authentication for each of these interactions is described in detail in the following sections.

CMJ Cloud to app

Invocations of app SPI endpoints by CMJ Cloud are secured via JWT authentication. CMJ Cloud will invoke the app only using "HTTPS" and will validate the server certificate provided by the app. The app must verify the signature of the provided JWT token using ‘publicKey’. This public key can be obtained by calling the SPI Keys API, hosted on CMJ Cloud. You must pass the key ID (kid) in the JWT header when making the call. The public key is the Base64 representation of DER-encoded X.509.

App to CMJ Cloud

During a migration, an app must invoke the CMJ Cloud Operations APIs to receive data and report progress and results.

When CMJ Cloud first invokes the app via one of the implemented SPI endpoints, it will provide an encrypted JWT token to be used for authentication when the app invokes the CMJ Cloud APIs.

This token can be used for multiple calls to the CMJ Cloud APIs but will only be valid for the current operation and a limited amount of time.

Download links

When calling certain SPI endpoints, CMJ Cloud will provide download links so the app can download the data that was exported from the source instance during the migration process.

These links are signed and expire after a limited amount of time. No further authentication on the app side is necessary.