Confluence Integration Security
Confluence Cloud Authentication
TeamRetro utilizes OAuth2 authorization to integrate with Confluence Cloud instances. We request the following four access scopes:
|read:confluence-space.summary||Read list of Confluence spaces during configuration of the integration.|
|write:confluence-content||Create new pages for retrospective and health check reports|
|write:confluence-file||Add PDF attachment to retrospective and health check pages|
|read:confluence-content.summary||Allow TeamRetro to check if a parent page ("Retrospective" or "Health Check") exists.|
|offline_access||Allow TeamRetro to post meeting reports to Confluence without requiring re-authentication each time.|
Further information on these access scopes can be found at https://developer.atlassian.com/cloud/confluence/scopes/
Confluence Server Authentication
For Confluence Server it's via a Confluence username / password. As we need to send these across with the API they are stored encrypted but not hashed - so we do strongly recommend creating a separate Confluence user for TeamRetro. We are evaluating support for Oauth1 integration in future.
Calls to Confluence Server / Confluence Cloud will originate from our servers in AWS and are proxied via the fixed Elastic IP addresses. Legacy accounts remain proxied via QuotaGuard.
- US Environment - 22.214.171.124, 126.96.36.199 and 188.8.131.52
- EU Environment - 184.108.40.206, 220.127.116.11 and 18.104.22.168
In order to push retrospective and health check summary reports through to Confluence, we retrieve a list of confluence spaces to allow the administrator to select the target parent page in Confluence. Before creating a page for the retrospective or health check, TeamRetro will check to see if a suitable parent page (eg. "Retrospectives") already exists, and if not will create one.
We make use of the following APIs:
- /oauth/token/accessible-resources (GET)
get a list of Atlassian Cloud instances the user has access to (Confluence Cloud only)
- /rest/api/space (GET)
get a list of spaces in the selected Confluence instance
- /rest/api/content (GET)
check to see if "Retrospective"/"Health Check" parent page already exists
- /rest/api/content (POST/PUT)
create parent page / retrospective / health check page
- /rest/api/content/XXXXXXX/child/attachment (POST)
upload PDF summary attachment
We do not read any other content.