REST API Authentication On Atlassian using AWS Cognito as OAuth Provider

Atlassian provides REST APIs for operations such as Create Page, Delete Page, Add Comment and Create Space. Out of the box, however, it supports only two authentication methods for these REST APIs:

  1. Basic Authentication
  2. Using OAuth 1.0

The REST API Authentication plugin lets you authenticate REST API calls against any third-party OAuth 2.0 / OpenID Connect provider. This guide walks through configuring AWS Cognito as the provider.

Step 1: Configure AWS Cognito server:

  • Sign in to the AWS console. Enter “Cognito” in the search box and select Cognito from the dropdown.


  • Go to “Manage your user pools” and click on “Create a user pool”
  • Add pool name and select “Review Defaults”.
  • Click on “Add app client” & then click on Add an app client.
  • Enter App client name & then Click on “Create app client”.


  • Click on Return to pool details. After this click on “Create Pool”.
  • Navigate to App client settings. Select “Cognito User Pool”, add callback URL (your application’s Base URL).
  • Also, select Authorization code grant as “Allowed OAuth Flows” & select OpenID as “Allowed OAuth Scopes”.
  • After selecting all details click on Save changes button.


  • Go to “App client” and click on “Show details” to get a client ID and client secret.
  • Go to Domain name and enter a domain name for your app. Click “Check availability” to confirm the domain name is free, then click “Save changes”.


Step 2: Fetch Access token through POSTMAN

  • Open the Postman application.
  • Go to the Authorization tab.
  • From the Type dropdown select OAuth 2.0 and click on Get access token.
  • Fill in the fields as listed in the table below.
  • Postman starts the authentication flow and prompts you to use the access token.
  • Select Add token to the header.
  • Copy the Access Token or click on Use Token.

Field                  Value
Grant type             Authorization Code or Client Credentials
Callback URL           Your application’s base URL, if you don’t have a dedicated callback URL
Auth URL               https://{DomainName}/oauth2/authorize
Access token URL       https://{DomainName}/oauth2/token
Client ID              The AWS Cognito client ID
Client secret          The AWS Cognito client secret
Scope                  openid (the scope allowed in Step 1)
Client Authentication  Send as Basic Auth Header

A sample access token from AWS Cognito Provider looks like this.

e8ec210628306b1df26ff61e6b9b3195814a2d79d38a2c7c1dc5836f6ddd7143

Step 3: Fetch Username through AWS Cognito:

  • Choose the method type as “GET”.
  • Enter the introspection endpoint from the plugin in the Request URL to fetch the username. For AWS Cognito it is “”.
  • In the Authorization tab select Bearer Token and enter the access token.
  • Add the header “content-type: application/json” and click on Send.


Request (the user-info call goes to your Cognito domain's userInfo endpoint, with the access token as a bearer token):

     curl \
     -X GET \
     -H "Authorization: Bearer <Access Token>" \
     -H "Content-type: application/json" \
     https://{DomainName}/oauth2/userInfo

Copy the name of the attribute that carries the username in the response; you will need it to configure the plugin. In this example, the attribute is “username”.

Configure the Rest API plugin:

Step 1: Enable Rest API Authentication:

  • After installing the app, navigate to the app configurations through the Manage Apps dropdown.
  • Here you will have to Enable Authentication through Rest API Authentication.
  • In the dropdown provided select AWS Cognito as the OAuth provider.
  • Enter the attribute value against which we received the username in the Postman response.
  • Save the settings.


Step 2: Disable Basic Authentication:

  • Disabling this rejects all REST API calls made with Basic Authentication, so only token-based calls through the plugin are accepted.

Test Atlassian REST API using access token:

  • Call any REST API of your Atlassian application, including the access token in the Authorization header. Here’s an example of fetching content from Confluence.
  • In Postman, select method type GET and enter the Request URL, for example http://{Confluence_Base_URL}/rest/api/content/
  • In the Authorization tab select type Bearer Token.


  • In the Headers tab add the header “content-type: application/json” and send the request.


Request:

     curl \
     -X GET \
     -H "Authorization: Bearer <Access Token>" \
     -H "Content-type: application/json" \
     http://{confluence_base_url}/rest/api/content/

  • This will return the Confluence content with status 200.
  • If the token is invalid or missing, the call will return a 401 Unauthorized response.
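The three HTTP exchanges on this page (the token request from Step 2 with the client secret sent as a Basic auth header, the user-info call from Step 3, and the final bearer-token call against Confluence) as one added Python example. This is illustrative code written for this page, not the plugin's or Atlassian's own code. It assumes Cognito's standard hosted-UI endpoints under your Cognito domain (`/oauth2/token` from the table above and `/oauth2/userInfo`, which the page does not name), and the domain, client ID, secret, authorization code and Confluence base URL are constructed placeholders. Requests are built separately from being sent, so the headers and body can be inspected before any call leaves the host.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed placeholder values; replace with your own (not real hosts or secrets).
COGNITO_DOMAIN = "your-cognito-domain.auth.us-east-1.amazoncognito.com"
CONFLUENCE_BASE_URL = "https://confluence.example.com"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """'Client Authentication: Send as Basic Auth Header' from the Postman table:
    client ID and secret travel in an HTTP Basic header, not in the form body."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(domain, client_id, client_secret, code, redirect_uri):
    """POST to the Cognito token endpoint (the table's 'Access token URL'),
    exchanging an authorization code for tokens. redirect_uri must equal the
    callback URL registered in the app client settings."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
    }).encode("ascii")
    return urllib.request.Request(
        f"https://{domain}/oauth2/token",
        data=body,
        method="POST",
        headers={
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def build_bearer_request(url: str, access_token: str) -> urllib.request.Request:
    """GET with the access token in the Authorization header, exactly as the
    curl examples do (used for both the userInfo call and the Confluence call)."""
    return urllib.request.Request(
        url,
        method="GET",
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
    )


def username_from_userinfo(body: dict, attribute: str = "username"):
    """Pick the attribute the plugin is configured with (Step 3: 'username')."""
    return body.get(attribute)


def send(request, opener=None):
    """Send a request and return (status, decoded JSON body or None).
    urllib raises HTTPError for a 401 from the plugin; it is returned as a
    status code instead so the caller can branch on it."""
    opener = opener or urllib.request.build_opener()
    try:
        with opener.open(request, timeout=10) as resp:
            text = resp.read().decode("utf-8")
            return resp.status, (json.loads(text) if text else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def describe_status(status: int) -> str:
    """Map the two outcomes listed at the end of the page to a short verdict."""
    if status == 200:
        return "ok: access token accepted by the plugin"
    if status == 401:
        return "unauthorized: access token invalid, expired or missing"
    return f"unexpected status {status}"


if __name__ == "__main__":
    # Dry run: print the requests that would be sent; nothing leaves this host.
    tok = build_token_request(COGNITO_DOMAIN, "CLIENT_ID", "CLIENT_SECRET",
                              "AUTH_CODE", CONFLUENCE_BASE_URL)
    print(tok.get_method(), tok.full_url, tok.data.decode())
    info = build_bearer_request(f"https://{COGNITO_DOMAIN}/oauth2/userInfo", "ACCESS_TOKEN")
    print(info.get_method(), info.full_url)
    api = build_bearer_request(f"{CONFLUENCE_BASE_URL}/rest/api/content/", "ACCESS_TOKEN")
    print(api.get_method(), api.full_url, api.get_header("Authorization"))
    # With real values: status, body = send(api); print(describe_status(status))
    print(describe_status(200), "|", describe_status(401))
```

To run it for real, obtain an authorization code by completing the hosted-UI login at the Auth URL from the table, then pass the code to build_token_request and feed the returned access_token to build_bearer_request; send() returns the status so a 401 from a rejected token is handled rather than crashing the script.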