Authentication across the Atlassian Ecosystem - AtlasCamp 2011

description

How can you get your Atlassian products to use the same authentication and sign-on as the rest of your enterprise apps? We'll show you strategies for accomplishing this with the minimum amount of pain.

Mark Lassau, JIRA Developer

Transcript of Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Page 1: Authentication across the Atlassian Ecosystem - AtlasCamp 2011
Page 2: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Integration and Authentication

Mark Lassau
Team Lead, JIRA Engine Room

Page 3: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

• Work on JIRA's core

• DB, performance, Business Logic…

• Maintain the JIRA Service API

• Build the JIRA REST API

Engine Room Team

Page 4: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Integration and Authentication

Talking to external applications from your plugin

Dealing with OAuth

Non-Atlassian applications

Custom Authentication schemes

Page 5: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Introduction to Application Links

Page 6: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

What is “Application Links”?

• a.k.a “App Links”, APL, UAL (Unified App Links)

• By itself – nothing – just an enabling library

• Helps you write plugins that can talk to external systems

Introduction to Application Links

Page 7: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Common configuration UI

Introduction to Application Links

• Consistent look and feel

• Shared configuration makes administration easier

• One less thing for plugin devs to write

Page 8: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

What else do we get?

Introduction to Application Links

• Out of the box Authentication providers

• Factories to help plugins make authenticated remote requests

• Modular and extendable

Page 9: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Using Application Links in a plugin

Page 10: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Show me the code!

Using App Links in a Plugin

• Use the ApplicationLinkService to get an ApplicationLink

• Get a RequestFactory that will add appropriate authentication data

Page 11: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

How easy is this?

Using App Links in a Plugin

• Create your HTTP request

• Execute it and parse the results!

Page 12: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Except …

… the CredentialsRequiredException

Using App Links in a Plugin

• If we are not able to authenticate yet

• This is mostly about OAuth

Page 13: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Authentication in App Links

Page 14: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Configuring Authentication methods

Authentication in App Links

• The admin sets up zero or more authentication providers

• Plugins usually accept “preferred” method, but can request a specific one

Page 15: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Available Authentication providers

• Basic Authentication

• Trusted Applications

• OAuth

• (+ Custom Authentication Providers)

Authentication in App Links

Page 16: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Basic Authentication

• Basic Auth sends the username and password, merely Base64-encoded (not encrypted), with every request

• One set of credentials is used for every user of the link (no impersonation)

• Only HTTPS protects those credentials in transit: send every request over HTTPS

Authentication in App Links

Page 17: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Basic Auth – the Good

• Simple to configure

• You may want to use shared credentials?

Authentication in App Links

Page 18: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Basic Auth – the Bad

• Shared credentials

• Storing passwords is bad, mkay?

Authentication in App Links

Page 19: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Trusted Applications

• Atlassian proprietary protocol

• Provides “impersonating” authentication

• Assumes the user bases are exactly the same in both apps

Authentication in App Links

Page 20: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Trusted Apps – the Good

• Respects users privileges on external app

• Doesn't require a shared password

• No further authorisation required by users

• No special code required by plugins

Authentication in App Links

Page 21: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Trusted Apps – the Bad

• Will only connect to other Atlassian applications

• Only works for shared userbases

Authentication in App Links

Page 22: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

OAuth

• Standards-based authorisation protocol

• Provides “impersonating” authentication

• Allows a user to grant third party access to external resources without sharing their password

Authentication in App Links

Page 23: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

OAuth - the Good

• Standard protocol used by many 3rd party systems

• No storing of foreign passwords

• Allows disparate user bases

• User can grant and revoke access to their resources

Authentication in App Links

Page 24: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

OAuth - the Bad

• User must explicitly grant access to their resources

• Plugins must implement the UI logic to gain access

Authentication in App Links

Page 25: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

A bit about OAuth

Page 26: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Three-Legged OAuth

(the “OAuth Love Triangle”)

A bit about OAuth

Page 27: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

The OAuth Dance

User has not approved access yet

A bit about OAuth

Page 28: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

The OAuth Dance

User must authenticate with the remote application

A bit about OAuth

Page 29: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

The OAuth Dance

User grants the “client” access to her resources on the remote application.

A bit about OAuth

Page 30: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

The OAuth Dance

The first application can now access data from the remote application.

A bit about OAuth

Page 31: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

The OAuth Dance – behind the scenes

• Client gets temporary request token from Server

• Client redirects User to the Server with the request token

• User authenticates with Server

• User grants access to resources and is redirected back to Client (in OAuth 1.0a the redirect carries a verifier that the Client must present in the next step)

• Client exchanges request token for Access Token

• Client can now access resources on Server on behalf of User!

A bit about OAuth
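The six steps above, as an added example (not code from the talk or from Application Links): a self-contained Java simulation of OAuth 1.0a with the Client and the Server in one process. It signs every request with HMAC-SHA1 over the RFC 5849 signature base string, verifies the signature on the server in constant time, rejects replayed nonces and stale timestamps, and carries the oauth_verifier that 1.0a added to the token exchange. The consumer key and secret, the user "alice", and every URL are constructed for the demo; the /plugins/servlet/oauth/... paths are illustrative and not a claim about any product's endpoints. URLEncoder.encode(String, Charset) needs Java 10 or later.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.net.URLEncoder;
import java.security.*;
import java.util.*;
import static java.nio.charset.StandardCharsets.UTF_8;

public class OAuthDance {
    static final String CONSUMER_KEY = "confluence-demo-plugin";           // constructed: identifies the Client
    static final String CONSUMER_SECRET = "s3cret-exchanged-at-link-setup"; // constructed: agreed when the link was set up

    // RFC 5849 s3.6 percent-encoding; URLEncoder differs on space, '*' and '~', so those are patched.
    static String enc(String s) { return URLEncoder.encode(s, UTF_8).replace("+", "%20").replace("*", "%2A").replace("%7E", "~"); }
    // Signature base string: METHOD & enc(url) & enc(k=v pairs sorted by encoded name, joined with &).
    static String baseString(String method, String url, Map<String, String> params) {
        TreeMap<String, String> sorted = new TreeMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) sorted.put(enc(e.getKey()), enc(e.getValue()));
        StringJoiner sj = new StringJoiner("&");
        for (Map.Entry<String, String> e : sorted.entrySet()) sj.add(e.getKey() + "=" + e.getValue());
        return method.toUpperCase() + "&" + enc(url) + "&" + enc(sj.toString());
    }

    // HMAC-SHA1 over the base string, keyed with enc(consumerSecret) & enc(tokenSecret); tokenSecret is "" before a token exists.
    static String sign(String method, String url, Map<String, String> params, String tokenSecret) {
        try {
            Mac mac = Mac.getInstance("HmacSHA1");
            mac.init(new SecretKeySpec((enc(CONSUMER_SECRET) + "&" + enc(tokenSecret)).getBytes(UTF_8), "HmacSHA1"));
            return Base64.getEncoder().encodeToString(mac.doFinal(baseString(method, url, params).getBytes(UTF_8)));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    // Client side: add the oauth_* protocol parameters and the signature to a request's parameter set.
    static Map<String, String> signedRequest(String method, String url, String token, String tokenSecret, Map<String, String> extra) {
        Map<String, String> p = new HashMap<>(extra);
        p.put("oauth_consumer_key", CONSUMER_KEY); p.put("oauth_signature_method", "HMAC-SHA1");
        p.put("oauth_timestamp", Long.toString(System.currentTimeMillis() / 1000)); p.put("oauth_nonce", UUID.randomUUID().toString());
        if (token != null) p.put("oauth_token", token);
        p.put("oauth_signature", sign(method, url, p, tokenSecret));
        return p;
    }
    // Server side: issues tokens, checks every signature, rejects stale timestamps and replayed nonces.
    static class Server {
        final Map<String, String> tokenSecrets = new HashMap<>();    // request or access token -> its secret
        final Map<String, String[]> granted = new HashMap<>();       // request token -> {user, verifier} after approval
        final Map<String, String> accessTokenUser = new HashMap<>(); // access token -> user it acts for
        final Set<String> seenNonces = new HashSet<>();
        final SecureRandom rnd = new SecureRandom();
        String fresh() { byte[] b = new byte[16]; rnd.nextBytes(b); return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }
        String[] mint() { String t = fresh(), s = fresh(); tokenSecrets.put(t, s); return new String[]{t, s}; }
        void verify(String method, String url, Map<String, String> params, String tokenSecret) {
            if (!CONSUMER_KEY.equals(params.get("oauth_consumer_key"))) throw new SecurityException("unknown consumer");
            long ts = Long.parseLong(params.get("oauth_timestamp"));
            if (Math.abs(System.currentTimeMillis() / 1000 - ts) > 300) throw new SecurityException("stale timestamp");
            if (!seenNonces.add(ts + ":" + params.get("oauth_nonce"))) throw new SecurityException("replayed nonce");
            Map<String, String> unsigned = new HashMap<>(params);
            byte[] presented = String.valueOf(unsigned.remove("oauth_signature")).getBytes(UTF_8);
            byte[] expected = sign(method, url, unsigned, tokenSecret).getBytes(UTF_8);
            if (!MessageDigest.isEqual(expected, presented)) throw new SecurityException("bad signature"); // constant-time compare
        }
        // Step 1: temporary request token; the request is signed with the consumer secret alone.
        String[] requestToken(String method, String url, Map<String, String> params) { verify(method, url, params, ""); return mint(); }
        // Steps 2-4: the user arrives with the request token, authenticates, grants access; the server mints the 1.0a verifier.
        String userGrants(String requestToken, String user) {
            if (!tokenSecrets.containsKey(requestToken)) throw new SecurityException("unknown request token");
            String verifier = fresh(); granted.put(requestToken, new String[]{user, verifier});
            return verifier;  // in practice reaches the Client through the oauth_callback redirect
        }
        // Step 5: approved request token + verifier are exchanged for an access token; the request token is consumed.
        String[] accessToken(String method, String url, Map<String, String> params) {
            String rt = params.get("oauth_token"); String[] grant = granted.get(rt);
            if (grant == null) throw new SecurityException("request token not approved");
            verify(method, url, params, tokenSecrets.get(rt));
            byte[] v = String.valueOf(params.get("oauth_verifier")).getBytes(UTF_8);
            if (!MessageDigest.isEqual(grant[1].getBytes(UTF_8), v)) throw new SecurityException("bad verifier");
            tokenSecrets.remove(rt); granted.remove(rt);
            String[] at = mint(); accessTokenUser.put(at[0], grant[0]);
            return at;
        }
        // Step 6: a protected resource, answered as the user who granted the access token.
        String resource(String method, String url, Map<String, String> params) {
            String token = params.get("oauth_token"), user = accessTokenUser.get(token);
            if (user == null) throw new SecurityException("not an access token");
            verify(method, url, params, tokenSecrets.get(token));
            return "issues visible to " + user;
        }
    }

    public static void main(String[] args) {
        Server jira = new Server();  // the URLs below are constructed for the demo
        String rtUrl = "https://jira.example.com/plugins/servlet/oauth/request-token";
        String atUrl = "https://jira.example.com/plugins/servlet/oauth/access-token";
        String resUrl = "https://jira.example.com/rest/api/2/search";
        String[] rt = jira.requestToken("POST", rtUrl, signedRequest("POST", rtUrl, null, "",
                Collections.singletonMap("oauth_callback", "https://confluence.example.com/plugins/servlet/demo/callback")));
        String verifier = jira.userGrants(rt[0], "alice");  // browser: redirected to the Server, logs in, clicks "Allow"
        String[] at = jira.accessToken("POST", atUrl, signedRequest("POST", atUrl, rt[0], rt[1],
                Collections.singletonMap("oauth_verifier", verifier)));
        Map<String, String> call = signedRequest("GET", resUrl, at[0], at[1], Collections.emptyMap());
        System.out.println(jira.resource("GET", resUrl, call));
        try { jira.resource("GET", resUrl, call); } catch (SecurityException e) { System.out.println("replay: " + e.getMessage()); }
    }
}
```

Run with javac OAuthDance.java && java OAuthDance: the first resource call prints the data for alice, the second, identical call is refused because its nonce has already been seen. The verifier is what stops an attacker from starting the dance, handing the victim the authorization link, and then finishing the exchange with a token the victim approved; the nonce set plus the timestamp window is what keeps a captured signed request from being replayed. In Application Links all of this lives inside the OAuth authentication provider, and the plugin only ever sees the CredentialsRequiredException.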

Page 32: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Doing the OAuth Dance

Back to writing our plugin

Page 33: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

The happy path

Doing the OAuth Dance

• Retrieve remote data and display to user

Page 34: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Dealing with CredentialsRequired

Doing the OAuth Dance

• We need to send the user to the remote server

• We supply a callback URL to come back to us when they are finished
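The happy path and the CredentialsRequired branch from the last two slides, written out as an added example (not the talk's own code): a host-product servlet that fetches data from the primary linked JIRA through Application Links and, when the current user has not yet authorised the plugin, bounces them to the remote authorisation page with a callback back to itself. It compiles against applinks-api and sal-api as I recall those interfaces from the App Links 3.x era (ApplicationLinkService, ApplicationLink.createAuthenticatedRequestFactory, ApplicationLinkRequestFactory.createRequest, CredentialsRequiredException.getAuthorisationURI); check the signatures against the version on your classpath. The REST path and JQL are constructed, and a relative path is assumed to be resolved against the link's RPC URL.

```java
import com.atlassian.applinks.api.ApplicationLink;
import com.atlassian.applinks.api.ApplicationLinkRequest;
import com.atlassian.applinks.api.ApplicationLinkRequestFactory;
import com.atlassian.applinks.api.ApplicationLinkService;
import com.atlassian.applinks.api.CredentialsRequiredException;
import com.atlassian.applinks.api.application.jira.JiraApplicationType;
import com.atlassian.sal.api.net.Request;
import com.atlassian.sal.api.net.ResponseException;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.URI;

/** Added example: shows the current user's JIRA issues via the primary application link. */
public class LinkedJiraServlet extends HttpServlet {
    // Constructed REST path (JIRA search resource, JQL URL-encoded); relative to the link's RPC URL.
    private static final String SEARCH_PATH = "/rest/api/2/search?jql=assignee%3DcurrentUser()&maxResults=5";

    private final ApplicationLinkService applicationLinkService;

    public LinkedJiraServlet(ApplicationLinkService applicationLinkService) {  // injected by the plugin framework
        this.applicationLinkService = applicationLinkService;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        ApplicationLink jira = applicationLinkService.getPrimaryApplicationLink(JiraApplicationType.class);
        if (jira == null) {
            resp.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, "No JIRA application link configured");
            return;
        }
        // The factory adds whatever the admin configured for this link: Basic, Trusted Apps or OAuth.
        ApplicationLinkRequestFactory factory = jira.createAuthenticatedRequestFactory();
        try {
            // Happy path: build the request, execute it, relay the JSON body to the browser.
            ApplicationLinkRequest request = factory.createRequest(Request.MethodType.GET, SEARCH_PATH);
            String body = request.execute();
            resp.setContentType("application/json");
            resp.getWriter().write(body);
        } catch (CredentialsRequiredException e) {
            // OAuth: this user has not yet granted our plugin access to their JIRA resources.
            // Use our own URL as the callback (never a user-supplied one, or the remote server
            // becomes an open redirector) so the user lands back here after approving.
            URI callback = URI.create(req.getRequestURL().toString());
            resp.sendRedirect(e.getAuthorisationURI(callback).toASCIIString());
        } catch (ResponseException e) {
            // Network failure or non-2xx from JIRA; do not echo the remote error into the page.
            resp.sendError(HttpServletResponse.SC_BAD_GATEWAY, "Remote request to JIRA failed");
        }
    }
}
```

After the user approves on the remote side, Application Links stores the access token for that user and the next GET to this servlet takes the happy path; the plugin never handles tokens or passwords itself. With Basic or Trusted Applications configured on the link, CredentialsRequiredException is not thrown and only the happy path runs.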

Page 35: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Custom Application Types

Connecting to non-Atlassian Apps

Page 36: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Why Create a Custom Application Type?

Creating a custom Application Type

• Simpler, more professional configuration

Page 37: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Why Create a Custom Application Type?

Creating a custom Application Type

• Control the available Authentication Providers

• Can use custom Authentication Providers

Page 38: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Why Create a Custom Application Type?

Creating a custom Application Type

• More professional look

• Implement the heartbeat ping

Page 39: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

atlassian-plugin.xml

Creating a custom Application Type

Page 40: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Implement ApplicationType

Creating a custom Application Type

Page 41: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Implement ManifestProducer...

Creating a custom Application Type

Page 42: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Implement Manifest …

Creating a custom Application Type

Page 43: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Implement Manifest … authentication types

Creating a custom Application Type

Page 44: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Implement Manifest … mostly boilerplate

Creating a custom Application Type

Page 45: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Custom Authentication Providers

Page 46: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

atlassian-plugin.xml

Creating a custom Authentication Provider

Page 47: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

AuthenticationProviderPluginModule - Custom UI

Creating a custom Authentication Provider

Page 48: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Custom config is inserted as an iframe

Creating a custom Authentication Provider

Page 49: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Storing the configuration settings

• AuthenticationConfigurationManager is provided for you

• Stores and retrieves arbitrary configuration

Creating a custom Authentication Provider

Page 50: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

AuthenticationProviderPluginModule

• Creating an authentication provider

• We are going to use the SAL RequestFactory as a helper

Creating a custom Authentication Provider

Page 51: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

AuthenticationProvider

• Returns a RequestFactory that will add authentication data

• Can be “impersonating” or “non-impersonating”

• Wrapping the SAL RequestFactory makes life easy

Creating a custom Authentication Provider

Page 52: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

ApplicationLinkRequestFactory

• Use SAL RequestFactory to create a vanilla request

• Add headers (or whatever) in order to add authentication info

Creating a custom Authentication Provider

Page 53: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

The circle is complete!

Creating a custom Authentication Provider

• Remember the old “authenticated request factory”?

Page 54: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

TAKE-AWAYS

App Links makes talking to external servers easy

OAuth is not as scary as it sounds

Specialist Application Types can be created

We can handle any authentication scheme

Page 55: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

Thank you!

Page 56: Authentication across the Atlassian Ecosystem - AtlasCamp 2011

More Reading

Application Links Documentation
http://confluence.atlassian.com/display/APPLINKS/

App Links Developer docs
https://developer.atlassian.com/display/APPLINKS/

Example Twitter App Link
http://blogs.atlassian.com/developer/2011/06/unified_applinks_integration_without_the_hassle_-_part_1.html

OAuth 1.0 Guide
http://hueniverse.com/oauth/