When you create an application link between two applications, OAuth authentication is used by default. This authentication type lets logged-in users take advantage of all the integration points between Atlassian applications.
On this page:
Authentication types for application links
The following types are available:
Atlassian only recommends using OAuth authentication for Application Links.
When you need to change the configuration of an application link
Depending on your permissions when you create an application (or the settings required in the application you are linking to), you might need to modify the authentication settings for an application link after it's been created. There are a few common scenarios in which you might need to change the configuration of an application link:
- You've set up an application link but users still have to authenticate regularly. This can occur when the application link has been configured to not share the same userbase. If those applications do share the same user base, you can update your application link authentication by selecting the Allow user impersonation through 2-Legged OAuth check box on the incoming authentication settings for the application link configuration.
- You want to continue using a link to an application that now allows public sign-on and the link was previously configured with a shared userbase. You can update your application link authentication by clearing the Allow user impersonation through 2-Legged OAuth check box on the incoming authentication settings for the application link configuration.
- You use a plugin that requires a specific authentication type.
Note that to get the full integration available in the Development panel in JIRA issues, JIRA must be connected with Stash, FishEye, Crucible or Bamboo using a 2-way application link that has both 2-legged (2LO) and 3-legged (3LO) authentication enabled. See Installing Atlassian Tools for Integration with JIRA for version information and connection details.
Security implications for each authentication type
OAuth is the authentication type we recommend. However, be aware of the following security implications:
- Adding an OAuth consumer requires the transmission of sensitive data. To prevent 'man-in-the-middle' attacks, it is recommended that you use SSL for your applications while configuring OAuth authentication.
- Do not link to an application using OAuth authentication, unless you trust all code in the application to behave itself at all times. OAuth consumers are a potential security risk to the applications that they are linked to because of the ability to impersonate users. If your server is compromised, the data there and on linked servers is at risk.
- New application links now use OAuth by default and enable both 3-legged OAuth (3LO) and 2-legged OAuth (2LO).
- When updating older application links (that perhaps used Trusted Apps authentication) to use OAuth, 3LO is enabled by default, but you need to explicitly enable 2LO using the check box in the application link configuration settings.
- Only use the 2LO with impersonation option in the application link configuration settings if your servers both have the same set of users and the servers fully trust each other.
We no longer recommend the Trusted Applications authentication type. If you do use Trusted Applications authentication, be aware of the following security implications:
- 信頼できるアプリケーションがセキュリティリスクを引き起こすかもしれません。信頼できるアプリケーションの認証を設定すると、1 つのアプリケーションに対し、他のアプリケーションへのアクセスをユーザーとして許可することになります。これは、組み込まれているセキュリティ対策すべてを回避します。信頼できるアプリケーションのすべてのコードがつねに適切に動作することを把握しており、アプリケーションがセキュリティのプライベートキーを維持する確証がない限り、信頼できるアプリケーションを設定しないでください。
- 両方のサーバーのユーザー群が同一であり、サーバーが相互に完全に信頼している場合にのみ、信頼されたアプリケーション認証を使用してください。
About impersonating and non-impersonating authentication types
Application links allow you to configure 'impersonating' and 'non-impersonating' authentication types:
- Impersonating authentication makes requests on behalf of the user who is currently logged in. People will see only the information that they have permission to see. This is available for OAuth and Trusted Applications authentication, and should only be used when two servers share the same user base.
- Non-impersonating authentication always uses a pre-configured user, and not the logged-in user, when making a request. The server handling the request determines the level of access to use based on the access permissions of that pre-configured user, and this is used for requests from all users. This is available for Basic HTTP authentication.