Atlassian Connect extensions for JSON Web Token

Introduction

Provides support for handling Atlassian Connect specific JSON Web Tokens. Specifically:

  • Decoding and validating Atlassian product host generated tokens that are sent as part of requests to the addon host
  • Creating tokens for inclusion when sending requests to the Atlassian product hosts
      • Both of these include the qsh (query string hash) claim
  • Session tokens for the addon to use when communicating between its own client and server components
      • These include a custom claim for the product host key

This library can be used on its own (e.g. as part of your own custom Dart-based Atlassian Connect client framework) or as part of the Atlassian Connect Shelf-based server.

Using

Product Host Token

Decoding

To decode a JWT string

JsonWebToken<ProductHostClaimSet> jwt = decodeProductHostToken(jwtStr);

Validating

Validating is the same as per dart_jwt

Claim Set

In addition to the standard claims, the ProductHostClaimSet includes the custom claim qsh which can be accessed as follows

String qsh = jwt.claimSet.queryStringHash;

Encoding

A function encapsulates the process of creating the token (creating the claims, signing the request, etc.)

String jwtToken = createProductHostToken('/some/host/path', 'GET',
    { 'param1': 'value1' }, sharedSecret, hostKey);

Addon Session Token

Decoding

To decode a JWT string

JsonWebToken<AddonSessionClaimSet> jwt = decodeAddonSessionToken(jwtStr);

Validating

Validating is the same as per dart_jwt

Claim Set

In addition to the standard claims, the AddonSessionClaimSet includes the custom claim productHostKey (as the issuer in this case is the addon itself) which can be accessed as follows

String productHostKey = jwt.claimSet.productHostKey;

Encoding

A function encapsulates the process of creating the token (creating the claims, signing the request, etc.)

String jwtToken = createAddonSessionToken(addonSecret, addonKey, productHostKey, user);

Advanced Usage - QSH

The library also exposes the query string hash mechanism. To create a qsh

// path and method are Strings; queryParameters is a Multimap<String, String>
String qsh = createQshFromPath(path, method, queryParameters);
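What the qsh claim binds a token to, as an added example in Python (not this library's Dart code): it follows the canonical-request rules Atlassian publishes for Connect JWTs as understood here, and the names canonical_request, create_qsh and qsh_matches are hypothetical. A receiver recomputes the hash from the request it actually received and compares it with the token's qsh claim, after the signature has been validated.

```python
import hashlib
import hmac
from urllib.parse import quote


def _enc(text):
    # RFC 3986 percent-encoding: space -> %20, '+' -> %2B, '*' -> %2A, '~' kept.
    return quote(text, safe="")


def canonical_request(method, path, query_params):
    """Build METHOD&path&query. query_params maps name -> list of values."""
    # The path is relative to the product base URL. An empty path becomes "/",
    # a trailing "/" is dropped, and a literal "&" is escaped so it cannot be
    # mistaken for a field separator.
    uri = (path.rstrip("/") or "/").replace("&", "%26")
    pairs = []
    for name in sorted(query_params, key=_enc):
        if name == "jwt":  # the token itself is never part of the hash
            continue
        values = sorted(_enc(v) for v in query_params[name])
        pairs.append(_enc(name) + "=" + ",".join(values))
    return "&".join([method.upper(), uri, "&".join(pairs)])


def create_qsh(method, path, query_params):
    """Hex SHA-256 of the canonical request."""
    canonical = canonical_request(method, path, query_params)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def qsh_matches(claimed_qsh, method, path, query_params):
    """True only if the token's qsh claim was issued for this exact request."""
    if not isinstance(claimed_qsh, str):
        return False  # claim missing or of the wrong type: reject
    expected = create_qsh(method, path, query_params)
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected.encode(), claimed_qsh.encode())


if __name__ == "__main__":
    # Constructed sample request, reusing the path and parameter shown above.
    params = {"param1": ["value1"], "jwt": ["header.payload.sig"]}
    claim = create_qsh("GET", "/some/host/path", params)
    print(canonical_request("GET", "/some/host/path", params))
    print(qsh_matches(claim, "GET", "/some/host/path", params))   # same request
    print(qsh_matches(claim, "POST", "/some/host/path", params))  # replayed elsewhere
```

A token whose qsh does not match the received method, path and parameters should be rejected even when its signature is valid, since it was issued for a different request.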

Issues

  • Currently doesn't expose a way to configure the expiry timeouts of the claims.

Libraries

ac_dart.atlassian_connect_jwt.jwt