Oomnitza uses several mechanisms for protecting integrations with external systems. The mechanisms allow Oomnitza to protect customer data from unauthorized access and from malicious or accidental changes.
Authentication
The Oomnitza Jira plugin, like other Atlassian Connect apps, uses JSON Web Tokens (JWT) for authentication in Jira. A security context is exchanged when the app is installed, and then this context is used to create and validate JWT tokens that are embedded in API calls.
The Oomnitza Jira Plugin Server (JPS) generates a JWT token for each request it makes to the Jira API, and validates the JWT tokens it receives from Jira. The JWT claims include the issuer, when the token was issued, when the token expires, and a query string hash (qsh), a custom Atlassian claim that binds the token to the request URL and so prevents URL tampering. To learn more, read Authentication for Connect apps.
The plugin is authenticated in Oomnitza using Oomnitza user credentials. The Jira user has to provide the correct credentials in the plugin window. After authentication, Oomnitza creates and maintains a standard user session. Session time is restricted according to the Oomnitza instance session configuration. The plugin receives the authorization headers, Cookie and Oomnitza-session, and stores them in browser storage.
Authorization
The authenticated Oomnitza Jira Plugin has the same level of permissions as the corresponding Oomnitza user and sends that user's authorization headers with each request.
The JPS provides an integration secret on the plugin configuration page. During Jira integration setup in Oomnitza, the JPS matches this integration secret against the security context.
Used scopes for Atlassian Connect apps
The JPS uses Atlassian static authorization via scopes.
Scopes allow an app to request a particular level of access to Jira.
The Oomnitza Jira Server uses only the following restricted scopes:
| Scope name | Description |
| --- | --- |
| READ | View, browse, and read information from Jira. |
| WRITE | Create or edit content in Jira, but not delete content. |
Connections
There is no direct connection between the plugin and Oomnitza: the JPS retransfers (proxies) all requests from the plugin to the corresponding Oomnitza instance.
The following table describes protocols used to host communication between Jira, JPS, Oomnitza, and the Oomnitza Jira plugin:
| Direction | Protocol | Authentication |
| --- | --- | --- |
| Jira to JPS | *443: HTTPS POST/GET requests | JWT |
| JPS to Jira API | *443: HTTPS POST/GET requests | JWT |
| Oomnitza to JPS | *443: HTTPS POST/GET requests | JWT, Integration secret, Cookie, and Oomnitza-session |
| Oomnitza Jira Plugin to JPS | *443: HTTPS POST/GET requests | Cookie and Oomnitza-session |
| JPS to Oomnitza | *443: HTTPS POST/GET retransferred requests from the Plugin | JWT, retransferred Cookie and Oomnitza-session from the Plugin |
* The Oomnitza application has security built into its design. Connections between the Oomnitza application, Oomnitza Jira Plugin, JPS, and Jira take place only over Secure Sockets Layer (SSL)/Transport Layer Security (TLS), using the latest TLS version that the operating system supports.