JIRA Authentication API

Last modified by Josué Tille on 2025/07/16 12:25

 XWiki
 Feature
 Idea
 
 
No

Description

Introduction

Currently the JIRA extension has only one way to authenticate to a JIRA server: Basic Authentication with the credentials set on the Admin page. This can be really restrictive in some cases, for instance if I want the macro displayed on the wiki to show different content depending on the user's rights on Jira. Also, storing the service account credentials in clear text is not ideal.

To make it possible to fix these different issues, the idea would be to provide a public API, based on XWiki components, for extending the authentication feature with alternative systems. The current authentication system would be kept by just adapting the code to work with the new API.

Design on the API Side

The jira extension has 2 ways to send requests to the Jira server:

  • With the Java HttpClient, this is used by the jira, jiraChart and jiraCount macros.
  • With a library from Atlassian. This is mostly used by the jira script service.

Here is the list of changes that I propose to make it possible to extend the way we authenticate to Jira:

  • (optional) Upgrade HttpClient to HttpClient v5. This is not essential, but as this API might be used by some other projects, it would be better to limit breaking changes once we make the API public. I also saw some useful features in HttpClient v5 that do not seem to be available in HttpClient v4.
  • Introduce a new class JIRAAuthenticator, which will handle the authentication part.
  • Remove the username and password fields of the JIRAServer class and add 2 new fields, jiraAuthenticator and authenticationData. After this change the username and password credentials will be stored in the authenticationData map.
  • Modify the method setPreemptiveBasicAuthentication() to call the corresponding JIRAAuthenticator to handle the authentication instead of adding the authentication header in the HTTPJIRAFetcher class.
  • Add a new interface JIRAServerFactory to create a JIRAServer object depending on the configured authenticator. For each authentication type we will have an implementation of this interface, @Named after the type of authentication.

Here are the proposed new interfaces that could be introduced in the JIRA project.

The new JIRAAuthenticator interface:

public interface JIRAAuthenticator
{
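    /**
     * @param jiraServer the JIRAServer instance.
     * @return the AuthenticationHandler to use for the JiraRestClient of this server.
     */
    AuthenticationHandler getRestClientAuthenticationHandler(JIRAServer jiraServer);

    /**
     * Authenticate a request sent with the HttpClient.
     *
     * @param context the HttpClient context of the request.
     * @param request the request to authenticate.
     * @param targetHost the host the request is sent to.
     */
    void authenticateInHttpClient(HttpClientContext context, HttpUriRequest request, HttpHost targetHost);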

    /**
     * Provide the information if the {@link JIRAAuthenticator} will authenticate the request or leave the request as it
     * is. Useful in case we need to know if the request will be just with the public right or with a more specific
     * rights.
     *
     * @param jiraServer the JIRAServer instance.
     * @return true if {@link JIRAAuthenticator} will authenticate the request.
     */
    boolean isAuthenticatingRequest(JIRAServer jiraServer);
}

Proposed change to the JIRAServer class:

public class JIRAServer
{
    private String url;

    private JIRAAuthenticator jiraAuthenticator;

    private Map<String, Object> authenticationData;

    // Constructor
    // ...

    // Getters
    // ...
}

Proposal for the new interface JIRAServerFactory:

@Role
public interface JIRAServerFactory
{
    /**
     * Build a JIRAServer object based on the content of the XObject JIRA.JIRAConfigClass.
     *
     * @param baseObject the XObject of class JIRA.JIRAConfigClass to use for creating the JIRAServer object.
     * @return the JIRAServer object configured
     */
    JIRAServer get(BaseObject baseObject);
}

Design on UI side

Currently on the UI side we have one XClass, JIRA.JIRAConfigClass. The idea would be to make some changes to this class so that it can manage multiple authentication systems.

To store the basic username and password credentials, the idea would be to add a new XClass named JIRA.JIRAAuth.BasicClass. For this we will need to implement a migration to move the current data from the JIRA.JIRAConfigClass to the new object JIRA.JIRAAuth.BasicClass.

In the XClass JIRA.JIRAConfigClass, we will remove the username and password fields, which are related to the authentication system, and add an authenticationType field. This field will provide a list of the available types of authentication. For now the list will have "noAuthentication" and "basicAuth", and the idea would be to add others later, for example OAuth. In this class we will also add a field named authenticationData of type String to store the additional data related to the specific authentication system. For example, in the basic auth case it could be the reference to the corresponding JIRA.JIRAAuth.BasicClass object.
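The following is an added example, not code from the JIRA extension: a JDK-only sketch of the dispatch this design describes, where authenticationType selects the authenticator and the credentials are read from the authenticationData map. The Authenticator interface is a simplified stand-in for the proposed JIRAAuthenticator; the class name, the map keys "username" and "password", and the sample values are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;

public class JiraAuthSketch {
    /** Simplified stand-in for the proposed JIRAAuthenticator (hypothetical, JDK types only). */
    interface Authenticator {
        /** Authorization header value, or empty to leave the request as it is. */
        Optional<String> authorizationHeader(Map<String, Object> authenticationData);

        default boolean isAuthenticatingRequest(Map<String, Object> authenticationData) {
            return authorizationHeader(authenticationData).isPresent();
        }
    }

    /** "noAuthentication": the request is sent with public rights only. */
    static final Authenticator NONE = data -> Optional.empty();

    /** "basicAuth": credentials come from authenticationData (key names are assumptions). */
    static final Authenticator BASIC = data -> {
        Object user = data.get("username");
        Object password = data.get("password");
        if (!(user instanceof String) || !(password instanceof String)) {
            return Optional.empty();
        }
        byte[] pair = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return Optional.of("Basic " + Base64.getEncoder().encodeToString(pair));
    };

    /** Unknown types are rejected instead of silently falling back to anonymous access. */
    static Authenticator resolve(String authenticationType) {
        switch (authenticationType) {
            case "noAuthentication": return NONE;
            case "basicAuth": return BASIC;
            default: throw new IllegalArgumentException("Unknown authenticationType: " + authenticationType);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data, not real credentials.
        Map<String, Object> data = Map.of("username", "svc-wiki", "password", "example-password");
        for (String type : new String[] {"noAuthentication", "basicAuth"}) {
            Authenticator authenticator = resolve(type);
            // Report only whether the request is authenticated; never print the header itself.
            System.out.println(type + " authenticates=" + authenticator.isAuthenticatingRequest(data));
        }
    }
}
```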

Here is what the JIRA administration page would look like after the changes:

[Image: 1752658993395-817.png]

 


 

