Jira Integration Security
Jira Cloud Authentication
TeamRetro utilizes Oauth2 authorization to integrate with Jira Cloud instances. We request the following four access scopes:
|read:jira-work||Read project list and issue metadata during configuration of the integration.|
|write:jira-work||Write action items to Jira|
|read:jira-user|| Enable Jira / TeamRetro users to be matched for action item assignments (future)
|offline_access||Allow TeamRetro to post action items to Jira without requiring re-authentication each time.|
Further information on these access scopes can be found at https://developer.atlassian.com/cloud/jira/platform/scopes/
Jira Server Authentication
For Jira Server it's via a Jira username/password. As we need to send these across with the API they are stored encrypted but not hashed - so we do recommend creating a separate Jira user for TeamRetro. We are evaluating support for Oauth1 integration in the future.
Calls to Jira Server / Jira Cloud will originate from our servers in Salesforce Heroku / AWS EC2 and are proxied via the following fixed IP addresses (provided by QuotaGuard).
- US Environment - 188.8.131.52 and 184.108.40.206
- EU Environment - 220.127.116.11 and 18.104.22.168
In order to send action items through to Jira, we retrieve a list of projects, issue types and field definitions for the selected issue types to allow the administrator to select the target issue location in Jira, populate required values and select default values.
We make use of the following APIs:
- /rest/api/2/project (GET)
list projects to select target Jira project
- /rest/api/2/issue/createmeta/XXXXXX/issuetypes (GET)
list issue types associated with target Jira project
- /rest/api/2/issue/createmeta/XXXXXX/issuetypes/XXXXXXX (GET)
retrieve field definitions for target Issue Type
- /rest/api/2/issue/createmeta?expand=projects.issuetypes.fields (GET)
(this API is deprecated and only used for earlier versions of Jira)
- /rest/api/2/issue (POST)
create a Jira action
If after publishing a user opts to Undo the publish to Jira, we will attempt to delete the specific issue we created via the integration:
- /rest/api/2/issue/XXXXXX (DELETE)
We do not read any other issues / data.