AtlasCamp 2014, June 3-5, 2014 | Berlin, Germany
Patrick Streule, Architect, Atlassian
Build a Connect Add-on with Your Own Stack
ACE/AC-Play vs Your Own
• Atlassian Connect Express (ACE): node.js/express
• Atlassian Connect Play (AC-Play): Java/Play
• ACE and AC-Play provide:
  • Authentication handling (both directions)
  • Lifecycle handling
  • Persistence

ACE/AC-Play vs Your Own
• You have an existing service that will host the add-on
• Development in your company happens on a different stack
• Connect does not prescribe a stack at all
Overview (diagram): the Product and the Add-On talk over HTTP. The product exposes a REST API and sends webhooks to the add-on; the add-on exposes a REST API of its own.
Checklist
Serve descriptor and add-on UI
  ☑ Web server / web framework
  ☑ SSL certificate
Handle add-on installation
  ☑ Persistent store
Handle add-on requests
  ☑ JWT token handler
  ☑ Crypto library
  ☑ JSON and HttpClient libs
The Minimum Viable Add-On

The Descriptor
• Description of the add-on
• Where does it show up?
• Where are the add-on endpoints?
• General metadata

{
  "key": "atlas-camp",
  "name": "AtlasCamp",
  "baseUrl": "https://addon.example.com",
  "authentication": {
    "type": "none"
  },
  "modules": {
    "generalPages": [
      {
        "url": "/intro.html",
        "key": "intro-page",
        "name": {
          "value": "Atlas Camp"
        }
      }
    ]
  }
}
The Content

<!DOCTYPE html>
<html>
<head>
  <title>Atlas Camp</title>
  <script src="https://someinstance.jira.com/atlassian-connect/all.js"></script>
  <style>body { text-align: center; padding-top: 50px; }</style>
</head>
<body>
  <div class="ac-content">
    <a href="https://www.atlassian.com/atlascamp/2014">
      <img src="img/atlas-camp.png"/>
    </a>
  </div>
</body>
</html>
The Result

The Important Bits
• HTTPS in production, HTTP for development only
• Include all.js from the host:

var hostBaseUrl = getUrlParameter("xdm_e");
var contextPath = getUrlParameter("cp");
loadScript(hostBaseUrl + contextPath + "/atlassian-connect/all.js");
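The slide leaves getUrlParameter and loadScript undefined. The following is an added example, not code from the slides or from Atlassian, that fills them in for a plain browser page: it reads the xdm_e and cp parameters the host appends to the iframe URL, builds the all.js URL exactly as the slide does, and, because the host base URL arrives in the query string, refuses anything but https unless a development flag is set (the "HTTPS in production, HTTP for development only" rule). The helper names, the localhost heuristic for development and the constructed sample URLs are this example's own assumptions.

```javascript
// Added example (not from the slides): resolve the host's all.js from the
// xdm_e and cp query parameters. Plain browser JavaScript; the helper names
// (getUrlParameter, allJsUrl, loadScript) are this example's own.

// Read one parameter from a query string such as window.location.search.
function getUrlParameter(name, search) {
  const query = (search || '').replace(/^\?/, '');
  for (const pair of query.split('&')) {
    if (pair === '') continue;
    const i = pair.indexOf('=');
    const key = decodeURIComponent(i < 0 ? pair : pair.slice(0, i));
    if (key === name) return decodeURIComponent(i < 0 ? '' : pair.slice(i + 1));
  }
  return null;
}

// hostBaseUrl + contextPath + "/atlassian-connect/all.js", as on the slide.
// The host base URL is attacker-influenceable input (it comes from the query
// string), so only accept https; plain http only while developing.
function allJsUrl(search, allowHttp = false) {
  const hostBaseUrl = getUrlParameter('xdm_e', search);
  const contextPath = getUrlParameter('cp', search) || '';
  if (hostBaseUrl === null) throw new Error('missing xdm_e parameter');
  const parsed = new URL(hostBaseUrl); // throws if xdm_e is not an absolute URL
  if (parsed.protocol !== 'https:' && !(allowHttp && parsed.protocol === 'http:')) {
    throw new Error('refusing to load all.js over ' + parsed.protocol);
  }
  return hostBaseUrl + contextPath + '/atlassian-connect/all.js';
}

// Append a <script> tag for the resolved URL.
function loadScript(src) {
  const el = document.createElement('script');
  el.src = src;
  document.head.appendChild(el);
}

// Runs only inside a browser; under Node the functions above are just defined.
// Assumption for this example: the add-on is "in development" when served from localhost.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const dev = window.location.hostname === 'localhost';
  loadScript(allJsUrl(window.location.search, dev));
}
```

Once the add-on authenticates tenants (later slides), the stored baseUrl of the tenant is the natural thing to compare xdm_e against instead of only checking the scheme.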
Adding Authentication: Installation Event

Setting it up
• Authentication type: JWT
• The installed lifecycle hook is required; it will be called during installation
• Other hooks: uninstalled, enabled, disabled

{
  "key": "atlas-camp",
  "name": "AtlasCamp",
  "baseUrl": "https://addon.example.com",
  "authentication": {
    "type": "jwt"
  },
  "lifecycle": {
    "installed": "/installed",
    "uninstalled": "/uninstalled"
  }
}
Installation event
• clientKey: identifies the tenant
• sharedSecret: the key for signing and verifying JWT tokens
• baseUrl: the host and context path of the product
Adding Authentication: JWT

JWT
• Authenticity
  • Parties are who they claim to be
• Integrity
  • The request was not tampered with
• Authorization (special case in Connect)
  • The user has access to the pages and issues referenced by URL parameters
JWT: Anatomy of a token

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0MDEwODEwMzgsInN1YiI6ImZmODA4MTgxNDBjMDcyOWEwMTQwY2Q0NWE5MWQwMDBkIiwiaXNzIjoiQ29uZmx1ZW5jZTowNzA3MjM3MjM2IiwicXNoIjoiMjU5YzZkNjU1NjEwYzgyNzE3MDMxNWEwMTM1ZGI0OTAwODYxZjkxYzA5NDdlM2I2NjY2NjgyZTkzMDU1NWFiNCIsImlhdCI6MTQwMTA4MDg1OH0.iSmtl3ukm8EohrCwO94MF7sXeEFtIRQ-aBggghjlE0E

Three base64url-encoded segments separated by dots: header, payload (claims), signature.

Header (HMAC using SHA-256):
{"alg":"HS256","typ":"JWT"}

Payload, claims:
{
  "exp": 1401081038,
  "sub": "ff808…d000d",
  "iss": "Confluence:070789",
  "qsh": "259c6…55ab4",
  "iat": 1401080858
}

• exp: expires at
• sub: subject
• iss: issuer (BTW: never rely on this prefix, i.e. the product name before the colon!)
• qsh: query string hash
• iat: issued at
JWT Verification: Step 1

Recompute the signature: sign the first two segments (header.payload) with the shared secret stored at installation for the token's issuer, base64url-encode the result and compare it with the third segment.

base64url(sign('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0MDEwODEwMzgsInN1YiI6ImZmODA4MTgxNDBjMDcyOWEwMTQwY2Q0NWE5MWQwMDBkIiwiaXNzIjoiQ29uZmx1ZW5jZTowNzA3MjM3MjM2IiwicXNoIjoiMjU5YzZkNjU1NjEwYzgyNzE3MDMxNWEwMTM1ZGI0OTAwODYxZjkxYzA5NDdlM2I2NjY2NjgyZTkzMDU1NWFiNCIsImlhdCI6MTQwMTA4MDg1OH0',
               header.alg, tenants[claims.iss].sharedSecret))
  == iSmtl3ukm8EohrCwO94MF7sXeEFtIRQ-aBggghjlE0E ?
JWT Verification: Step 2

Incoming request (the descriptor's baseUrl is "https://addon.example.com/base", so "/base" is the context path):

GET /base/render?page.id=19809&a=7&a=5&user_id=pstreule&lic=none&jwt=eY…

Build the canonical request from it:
• uppercase the method: GET
• remove the context path from the path: /render
• remove the jwt parameter, order keys and (repeated) values, apply the OAuth1 encoding rules: a=5,7&lic=none&page.id=19809&user_id=pstreule
• join the three parts with "&": GET&/render&a=5,7&lic=none&page.id=19809&user_id=pstreule

Then compare: "qsh": "259c6…55ab4" == hex(sha256('GET&…')) ?
OAuth1 encoding rules
• Characters in the unreserved character set MUST NOT be encoded: (ALPHA, DIGIT, "-", ".", "_", "~")
• All other characters MUST be encoded
• The two hexadecimal characters used to represent encoded characters MUST be uppercase.

Pitfalls (characters that common URL encoders get wrong)
Raw   | Encoded
SPACE | %20
*     | %2A
!     | %21
'     | %27
(     | %28
)     | %29
JWT Summary
• JWT tokens are used on incoming and outgoing requests
  • URL parameter: jwt=eY…
  • HTTP header: Authorization: JWT eY…
• Find more information
  • http://go.atlassian.com/ac-docs
  • http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html
Adding Authentication: Add-On to Add-On

Pitfalls
• Do not use session cookies
  • Cookies set by the iframe are third-party cookies
  • Many browsers don't accept them by default

Your own requests
• How to handle authentication for intra-add-on Ajax calls and links.

Reuse JWT
• Create a JWT token for the tenant and user
• QSH is optional, depending on the parameter data

{
  "exp": 1401081038,
  "sub": "ff808…d000d",
  "iss": "Confluence:070789",
  "iat": 1401080858
}
Dev Speed

Quick descriptor deployment

curl -i -X HEAD -u admin:admin \
  http://localhost:2990/jira/rest/plugins/1.0/

HTTP/1.1 200 OK
upm-token: 7864481825707347853

curl -i -X POST -u admin:admin \
  -H "Content-type: application/vnd.atl.plugins.remote.install+json" \
  -d '{"pluginUri":"http://localhost:3000/atlassian-connect.json"}' \
  http://localhost:2990/jira/rest/plugins/1.0/?token=7864481825707347853

We're here to help
http://go.atlassian.com/ac-dev