Registering an OAuth 2.0 Client at Atlassian Jira Cloud Platform (Server Side)

This article covers the OAuth 2.0 configuration required at Jira Cloud Platform. Jira Server is not covered.

The following documentation gives an overview of the Jira API: https://developer.atlassian.com/cloud/jira/platform/rest/v3/. To connect your SAP system to Jira, you have to build a Jira Cloud application whose implementation is done on the SAP side, see https://developer.atlassian.com/cloud/jira/platform/integrating-with-jira-cloud/.

Create a Jira Cloud Application

You can manage Jira Cloud applications following this link: https://developer.atlassian.com/apps/. Here you need to create a new app, for which you will get a Client ID and a Secret - note down this data for later use during configuration on ABAP client side. Under Apps and Features, add the feature "OAuth 2.0 (3LO)" and the API "Jira platform REST API".

Configuration for the Feature "OAuth 2.0 (3LO)"

Use this configuration to set up an allowed callback URL. Here you maintain the redirect URL as determined on the ABAP client side in section Create an OAuth 2.0 Client Configuration.

Configuration for the API "Jira Platform REST API"

You can configure the REST API to define which scopes are relevant for your process. Typical use cases have the scopes "View Jira issue data (read:jira-work)", "View user profiles (read:jira-user)", "Create and manage issues (write:jira-work)", "Manage development and release information for third parties in Jira. (manage:jira-data-provider)". The relevant scope needs to be maintained on the ABAP client side, too, see section Create an OAuth 2.0 Client Profile.

Configuring an OAuth 2.0 Client in the AS ABAP (the client side)

This chapter describes the development, system administration and end user tasks that are required to access the Jira Cloud REST API using the OAuth 2.0 Client.

 

Development Tasks

In this section a few development activities are described that are required to adjust the OAuth 2.0 Client to Jira’s OAuth 2.0 implementation.

  • A new Service Provider Type “ZJIRA” will be defined.
  • A BAdI implementation will be created to declare endpoint settings, supported grant types and do some parameter adjustments required by Jira Cloud Platform.
  • An OAuth 2.0 Client Profile will be created to store the scopes required by Jira Cloud Platform for accessing the Jira API.
  • Finally a short ABAP program will be written, that demonstrates how to call the Jira API using the OAuth 2.0 Client and the HTTP Client APIs.

Define a Service Provider Type for Jira

Task | Description
Call Transaction OA2C_TYPES

The system will display an overview of the existing OAuth 2.0 Client Service Provider Types.

Create a New Entry

Switch to change mode and choose New entries.

Save the Entry ZJIRA

Enter a new service provider type ZJIRA and save your change.

Create a BAdI Implementation for the New Service Provider Type

To implement the BAdI firstly a class needs to be implemented and secondly the actual BAdI implementation object needs to be created.

Implement the Class

Task | Description

Implement the Class ZCL_OA2C_SPECIFICS_JIRA

First, implement a class that adjusts the OAuth 2.0 Client to the Jira-specific OAuth 2.0 implementation.

Create the Class in Transaction SE24

Use the name “ZCL_OA2C_SPECIFICS_JIRA” for the new class and press create.

Enter Class Settings

Choose the depicted settings for the new class and press Save. Choose local object on the following popup (or save the class on a transport request if you would like to transport your scenario).

Set the Superclass

Press the button „Superclass“ on the properties tab in transaction SE24 and enter the class “CL_OA2C_SPECIFICS_ABSTRACT“. This class contains the standard settings for the OAuth 2.0 protocol implementation. Save your changes.

Redefine the Endpoint Settings

Switch to the methods tab, mark the method „IF_OA2C_SPECIFICS~GET_ENDPOINT_SETTINGS“ and press the button “Redefine”.

Insert the Method Code

Replace the method implementation with the following code:

  "************************************************************************************
  " We provide proposals but remain changeable (in case of future changes on JIRA side)
  e_changeable = abap_true.

  e_token_endpoint_path = 'auth.atlassian.com/oauth/token'.
  e_authorization_endpoint_path = 'auth.atlassian.com/authorize?audience=api.atlassian.com'.
  clear e_revocation_endpoint_path.
  "************************************************************************************

Redefine the Supported Grant Types

In the next step mark the method “IF_OA2C_SPECIFICS~GET_SUPPORTED_GRANT_TYPES” and press the button “Redefine”.

Insert the Method Code

Replace the method implementation with the following code:

  "*************************************
  e_authorization_code = abap_true.
  e_saml20_assertion   = abap_false.
  e_refresh            = abap_true.
  e_revocation         = abap_false.
  "*************************************

Finally Activate the Class

Activate the class ZCL_OA2C_SPECIFICS_JIRA.

Implement the Enhancement Spot

Task | Description

Implement the Enhancement Spot

This section describes how to implement an enhancement spot for the new service provider type “ZJIRA” and the class “ZCL_OA2C_SPECIFICS_JIRA”.

Create the Enhancement Spot Implementation

Start transaction SE80 and choose the package “SOAUTH2_CLIENT_EXTENSIONS”. Next choose the enhancement spot “OA2C_SPECIFICS” and in the context menu choose “Implement”.

Enter Name and Description

Enter the name “Z_OA2C_SPECIFICS_JIRA” and the description "OAuth 2.0 Client Specifics for Jira Cloud Edition" for the new enhancement spot implementation.

Create a Filter

Confirm the following popups. On the popup „Create BAdI Implementation“ choose the BAdI definition „OA2C_SPECIFICS_BADI_DEF“, enter the implementation class „ZCL_OA2C_SPECIFICS_JIRA“ (that was created in the last section) and define the BADI Implementation „Z_OA2C_SPECIFICS_JIRA“. Then press “Continue”.

Change the Filter Value

On the following screen expand the BAdI implementation “Z_OA2C_SPECIFICS_JIRA” and double-click the node “Filter Val.” Then press “Create Filter Combination”.

Change the Filter Value

Then mark the new filter combination and press „Change Filter Value“ and enter “ZJIRA” in the field Value 1 on the following popup. Press Continue and then activate the enhancement implementation.

Create an OAuth 2.0 Client Profile

Task | Description
OAuth 2.0 Client Profiles

Create a new OAuth 2.0 Client Profile to connect your ABAP program with a certain OAuth 2.0 Client. An OAuth 2.0 Client Profile contains all scopes that are required on the server side (i.e. in this example for the Jira user profile). In this example the client needs multiple OAuth 2.0 scopes:

read:jira-work, read:jira-user, write:jira-work, manage:jira-data-provider

Create the OAuth 2.0 Client Profile

In SAP GUI, start the Repository Browser with transaction SE80. Switch to your local objects and in the context menu of the root node “$TMP …” choose Create => More…=> OAuth 2.0 Client Profile.

Set Profile Type and Name

On the following popup choose the OAuth 2.0 client profile type “ZJIRA” and enter the name “ZJIRA”.

Namespace and Transport Settings

On the next popups confirm that the OAuth 2.0 Client Profile should be created in customer namespace and as local object (package assignment “$TMP”).

Assign OAuth 2.0 Scopes

Then assign the OAuth 2.0 scopes to the OAuth 2.0 Client Profile, which are required on server side (Jira Cloud) to access the resources protected with OAuth 2.0. In this example the scopes "write:jira-work", "read:jira-user", "manage:jira-configuration", and "read:jira-work" are required. Save the OAuth 2.0 Client Profile.

OAuth 2.0 Client Profile completed

As a result you can use this OAuth 2.0 Client Profile “ZJIRA” to link programs in the AS ABAP with your Jira OAuth 2.0 Client.

 

Create an ABAP Program that Uses the New OAuth 2.0 Client

In the next step, start transaction SE38 from SAP GUI and create a small ABAP program “ZJIRAPROFILE” that calls the Jira API and displays an overview of the existing Jira projects. The following listing shows this program.

*&---------------------------------------------------------------------*
*& Report ZJIRAPROFILE
*&---------------------------------------------------------------------*
*&
*&---------------------------------------------------------------------*
REPORT zjiraprofile LINE-SIZE 1023.

DATA: gv_profile    TYPE oa2c_profile VALUE 'ZJIRA',
      gv_server     TYPE string VALUE 'https://api.atlassian.com/ex/jira/',
      gv_target     TYPE string VALUE '/rest/api/3/project/search',
      gv_cloudid    TYPE string,
      gv_param_kind TYPE string VALUE 'H',
      gv_rsrc_uri   TYPE string VALUE 'https://api.atlassian.com/oauth/token/accessible-resources'.

START-OF-SELECTION.


  DATA: lo_http_client   TYPE REF TO if_http_client,
        lo_oa2c_client   TYPE REF TO if_oauth2_client,
        lv_status_code   TYPE i,
        lv_response_data TYPE string,
        lv_dummy         TYPE string,
        lt_fields        TYPE tihttpnvp,
        lx_oa2c          TYPE REF TO cx_oa2c.

**********************************************************************
* Create HTTP client
**********************************************************************
  CALL METHOD cl_http_client=>create_by_url
    EXPORTING
      url                = gv_rsrc_uri
    IMPORTING
      client             = lo_http_client
    EXCEPTIONS
      argument_not_found = 1
      plugin_not_active  = 2
      internal_error     = 3
      OTHERS             = 4.
  IF sy-subrc <> 0.
    MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
               WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
  ENDIF.

* Turn off logon popup. Detect authentication errors.
  lo_http_client->propertytype_logon_popup = 0.
  lo_http_client->request->set_method( if_http_request=>co_request_method_get ).

*********************************************************************
** Set OAuth 2.0 Token
*********************************************************************
  TRY.

      lo_oa2c_client = cl_oauth2_client=>create( gv_profile ).

    CATCH cx_oa2c INTO lx_oa2c.
      WRITE: 'Error calling CREATE.'.
      WRITE: / lx_oa2c->get_text( ).
      RETURN.
  ENDTRY.

  TRY.
      lo_oa2c_client->set_token(
        EXPORTING
          io_http_client = lo_http_client
          i_param_kind   = gv_param_kind ).

    CATCH cx_oa2c INTO lx_oa2c.
      WRITE: 'Error calling SET_TOKEN.'.
      WRITE: / lx_oa2c->get_text( ).
      RETURN.
  ENDTRY.

**********************************************************************
* Send / receive request to get the Jira cloud ID
**********************************************************************
  lo_http_client->request->set_header_field(
    EXPORTING
      name  = 'Accept'
      value = 'application/json' ).
  lo_http_client->request->set_header_field(
    EXPORTING
      name  = if_http_header_fields_sap=>request_uri
      value = gv_rsrc_uri ).

  lo_http_client->send( ).
  lo_http_client->receive( EXCEPTIONS http_communication_failure = 1 ).

  lo_http_client->response->get_status( IMPORTING code = lv_status_code ).
  WRITE: 'Return code for CloudID determination:', lv_status_code.
  WRITE /.

  IF lv_status_code = 200.
    "retrieve cloud ID corresponding to access token
    lv_response_data = lo_http_client->response->get_cdata( ).
    SPLIT lv_response_data AT '"id":"' INTO lv_dummy gv_cloudid.
    SPLIT gv_cloudid AT '",' INTO gv_cloudid lv_dummy.

    WRITE: 'Cloud ID:', gv_cloudid.
    WRITE /.

  ELSE.
    " List url header fields
    lo_http_client->request->get_header_fields( CHANGING fields = lt_fields ).
    LOOP AT lt_fields ASSIGNING FIELD-SYMBOL(<ls_field>).
      WRITE: / <ls_field>-name, 25 <ls_field>-value.
    ENDLOOP.
    EXIT.
  ENDIF.

**********************************************************************
* Send / receive request to get all Jira projects
**********************************************************************
  CONCATENATE gv_server gv_cloudid gv_target INTO gv_target.
  TRANSLATE gv_target TO LOWER CASE.

  lo_http_client->request->set_header_field(
    EXPORTING
      name  = if_http_header_fields_sap=>request_uri
      value = gv_target ).
  lo_http_client->send( ).
  lo_http_client->receive( EXCEPTIONS http_communication_failure = 1 ).

  lo_http_client->response->get_status( IMPORTING code = lv_status_code ).
  WRITE: 'API call status code:', lv_status_code.
  WRITE /.

**********************************************************************
* Display result
**********************************************************************
  IF lv_status_code = 200.
    " Output of result
    lv_response_data = lo_http_client->response->get_cdata( ).
    DATA(l_content_type) = lo_http_client->response->get_content_type( ).
    IF l_content_type CP `text/html*`.
      cl_demo_output=>display_html( html = lv_response_data ).
    ELSEIF l_content_type CP `text/xml*`.
      cl_demo_output=>display_xml( xml = lv_response_data ).
    ELSEIF l_content_type CP `application/json*` OR
           l_content_type CP `text/javascript*`.
      cl_demo_output=>display_json( json = lv_response_data ).
    ENDIF.
  ELSE.
    " List http call header fields for analysis
    lo_http_client->request->get_header_fields( CHANGING fields = lt_fields ).

    LOOP AT lt_fields ASSIGNING <ls_field>.
      WRITE: / <ls_field>-name, 25 <ls_field>-value.
    ENDLOOP.
  ENDIF.

**********************************************************************
* Close
**********************************************************************
  CALL METHOD lo_http_client->close
    EXCEPTIONS
      http_invalid_state = 1
      OTHERS             = 2.
  IF sy-subrc <> 0.
    MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
               WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
  ENDIF.
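
The report above cuts the cloud ID out of the accessible-resources response with two SPLIT statements, so it always takes the first "id" in the JSON array, whichever site that entry belongs to. The following added example (not part of the original article) parses the response instead, selects the site by its URL and checks the granted scopes before the cloud ID is used. The report name, the sample JSON and the site URL are assumptions, and it assumes that class /UI2/CL_JSON is available on the system.

```abap
REPORT zjira_cloudid_select. " hypothetical report name (added example)

" One entry of the accessible-resources response; JSON members without a
" matching component (for example avatarUrl) are ignored by the parser.
TYPES: BEGIN OF ty_resource,
         id     TYPE string,
         name   TYPE string,
         url    TYPE string,
         scopes TYPE string_table,
       END OF ty_resource,
       ty_resources TYPE STANDARD TABLE OF ty_resource WITH EMPTY KEY.

START-OF-SELECTION.
  DATA: gt_resources  TYPE ty_resources,
        gv_incomplete TYPE abap_bool.

  " Constructed sample response with two sites (IDs and URLs are made up).
  " In ZJIRAPROFILE this would be the content of lv_response_data.
  DATA(gv_json) =
    `[{"id":"00000000-0000-4000-8000-000000000001","name":"sandbox",` &&
    `"url":"https://sandbox.example.atlassian.net",` &&
    `"scopes":["read:jira-work"]},` &&
    `{"id":"00000000-0000-4000-8000-000000000002","name":"prod",` &&
    `"url":"https://prod.example.atlassian.net",` &&
    `"scopes":["read:jira-work","read:jira-user","write:jira-work"]}]`.

  " Assumptions: the site this system is meant to talk to and the scopes
  " the calling program needs (a subset of the profile ZJIRA).
  DATA(gv_expected_url) = `https://prod.example.atlassian.net`.
  DATA(gt_required) = VALUE string_table( ( `read:jira-work` )
                                          ( `read:jira-user` )
                                          ( `write:jira-work` ) ).

  " Parse the JSON array into the typed table.
  /ui2/cl_json=>deserialize( EXPORTING json = gv_json
                             CHANGING  data = gt_resources ).

  " Select the entry by site URL, never by its position in the array.
  READ TABLE gt_resources INTO DATA(gs_site) WITH KEY url = gv_expected_url.
  IF sy-subrc <> 0.
    WRITE: / 'Token does not grant access to', gv_expected_url.
    RETURN.
  ENDIF.

  " Fail closed when a required scope is missing from the grant.
  LOOP AT gt_required INTO DATA(gv_scope).
    IF NOT line_exists( gs_site-scopes[ table_line = gv_scope ] ).
      WRITE: / 'Missing scope:', gv_scope.
      gv_incomplete = abap_true.
    ENDIF.
  ENDLOOP.
  IF gv_incomplete = abap_true.
    RETURN.
  ENDIF.

  WRITE: / 'Cloud ID:', gs_site-id.
```

With the constructed input the report selects the second entry, although the SPLIT-based extraction would have returned the ID of the first one.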

System Administration Tasks

As a prerequisite, the administrator needs authorizations to create OAuth 2.0 Client Configurations. Make sure that the administrator has the authorization S_OA2C_ADM with at least the activities 01, 02 and 03 in the AS ABAP system.

Create an OAuth 2.0 Client Configuration

 

Task | Description

 

Start OAuth 2.0 Client Configuration

From the SAP GUI start the transaction OA2C_CONFIG. This will open the OAuth 2.0 Client Configuration in a web browser. Alternatively you can call the URL

https://<yourhost>:<yourhttpsport>/sap/bc/webdynpro/sap/oa2c_cconfig?sap-language=EN&sap-client=<yourclient>

in a browser.

Create a New OAuth 2.0 Client

In the OAuth 2.0 Client Configuration Application choose Create new OAuth 2.0 Client.

Choose OAuth 2.0 Client Profile and Client ID

 

On the following popup choose the newly created OAuth 2.0 Client Profile “ZJIRA” and enter the Client ID of your OAuth 2.0 Client received during Jira Cloud application creation, see section Registering an OAuth 2.0 Client at Atlassian Jira Cloud platform (the server side).

Configure the Redirection URI at Server Side (JIRA Cloud)

Configure the Target Endpoint

On the following screen copy the redirection URI and paste it in the field Redirect URI of the server side configuration of your OAuth 2.0 Client. (This makes your OAuth 2.0 Client known to Jira's OAuth 2.0 Authorization Server.) See section Registering an OAuth 2.0 Client at Atlassian Jira Cloud platform (the server side) for details.

In the field “Target Endpoint” you can enter an endpoint on your AS ABAP to which the end user’s browser should be redirected after completing the authorization code flow. In this scenario the default target endpoint is used, i.e. the grant application / transaction OA2C_GRANT (see section "Request OAuth 2.0 Tokens" for details).

 

Configure OAuth 2.0 Client Secret

Next enter the client secret that you received during registration of the client at Jira’s authorization server and press Enter to confirm your input. This field corresponds to the “Client Secret” received during Jira Cloud application creation, see section Registering an OAuth 2.0 Client at Atlassian Jira Cloud platform (the server side).

 

Verify the OAuth 2.0 Client Scope Assignment

Then finally verify that on the scopes tab of your OAuth 2.0 Client Configuration the profile “ZJIRA” is displayed in the Profile table. In the Scope table there should be all scopes displayed that have been maintained in section Create an OAuth 2.0 Client Profile.

Save

Finally save the OAuth 2.0 Client configuration.

Assign End User Authorizations

Make sure that the end users who should be allowed to use the OAuth 2.0 Client have the required authorizations assigned. During execution of OAuth 2.0 flows there is a check of the authorization object “S_OA2C_USE”. This authorization object has two fields “PROFILE” and “ACTVT”. Set the authorization field values as follows:

  • S_OA2C_USE
    • PROFILE       = ZJIRA
    • ACTVT           = 16

Having this authorization assigned is a prerequisite for an end user to initiate an OAuth 2.0 Token Request and access the Jira API from a program in the AS ABAP system.

Configure Proxy Settings

If required, a description can be found in the article "Configure proxy settings".

Configure SSL Settings

Task | Description

Export SSL Certificate of Jira

To export Jira’s SSL certificate, navigate to your Jira Cloud instance in a browser window, display the website identification, show the certificate and export it to a file.

Navigate to Your Web Application in a Browser Window

Navigate to your Jira Cloud site and get the site's certificate information, for example in Chrome by right-clicking the lock icon next to the URL. In the context menu, choose the entry "Certificate (Valid)".

Get Certificate Issuer Information

 

On the certificate pop-up, select "Certification Path". Select the DigiCert SHA2 HIGH Assurance Server CA entry and choose "View Certificate".

Download Issuer Certificate

In the issuer certificate, navigate to the details tab and choose "Copy to file...". Follow the instructions of the Certificate Export Wizard to save the issuer certificate on your file system.

Import the SSL Certificate in the AS ABAP

Start transaction STRUST in SAP GUI and switch to change mode. Choose PSE “SSL Client Anonymous”. In the frame “Certificate” choose button “Import certificate” and import the saved certificate file. Then choose button “Add to Certificate List” and save the PSE.

After that the AS ABAP will trust SSL servers whose identity is confirmed by this certificate.

Request OAuth 2.0 Tokens

An end user first needs to execute an initial OAuth 2.0 Token Request. The server will then issue an Access Token and a Refresh Token.

After this initial OAuth 2.0 Token Request the end user doesn’t need to interactively request OAuth 2.0 Tokens again. Instead the AS ABAP can use the refresh token to get a new set of tokens when the access token has expired.

There are two possibilities to initiate the authorization code flow as described in the article "The OAuth 2.0 authorization code grant type". These are described step-by-step in sections "Use transaction OA2C_GRANT" and "Call the grant endpoint".

Use Transaction OA2C_GRANT

Task | Description
Start Transaction OA2C_GRANT

In the SAP GUI start transaction OA2C_GRANT. This will start a browser application, which allows triggering the initial access token request. Alternatively, you can start the application directly in the browser:

https://<yourhost>:<yourhttpsport>/sap/bc/webdynpro/sap/OA2C_GRANT_APP

Mark Your Jira OAuth 2.0 Client

Mark your Jira OAuth 2.0 Client, which was configured in the previous chapters. (If you cannot see a client with your registered Jira Client ID, there is an authorization error. See section "Assign end user authorizations" then.) As there is no token yet, the status “Access not allowed” is displayed.

Request OAuth 2.0 Tokens

Next press the button “Request OAuth 2.0 Tokens”. This will start the OAuth 2.0 Authorization Code flow.

Redirection to the Jira Authorization Endpoint

The AS ABAP will then redirect the end user’s browser to Jira’s authorization endpoint. The end user has to authenticate with his Jira Account and will then see the consent screen to grant the requested scope to the AS ABAP.

Redirection Back to the Grant Application

After the end user has given their consent and authorized the client's request for the scope, their browser is redirected back to the AS ABAP and the OAuth 2.0 Authorization Code flow is completed. After that the AS ABAP has an Access Token and a Refresh Token for the end user currently logged in. In the grant application the status “Access possible” with infinite expiry time is displayed.

Call the Grant Endpoint

Task | Description
Call the Grant Endpoint From Your Web Application

You can trigger the authorization grant flow by directly calling a URL on your AS ABAP in the format "https://<your.app.server>:<port>//sap/bc/sec/oauth2/client/grant/authorization?profile=ZJIRA".

The AS ABAP system will first authenticate the user and then derive the OAuth 2.0 client from the given profile. It will then construct the authorization request URL and redirect the user’s browser to the authorization server’s authorization endpoint.

Redirection to the Jira Authorization Endpoint

The AS ABAP will then redirect the end user’s browser to Jira’s authorization endpoint. The end user has to authenticate with his Jira Account and will then see the consent screen to grant the requested scope to the AS ABAP.

Redirection Back to the Grant Application

After the end user has given their consent and authorized the client's request for the scope, their browser is redirected back to the AS ABAP and the OAuth 2.0 Authorization Code flow is completed. After that the AS ABAP has an Access Token and a Refresh Token for the end user currently logged in. In the grant application the status “Access possible” is displayed.

 

Use OAuth 2.0 Tokens

Task | Description

Test the Scenario

Use the test report ZJIRAPROFILE to test the OAuth 2.0 protected access of the AS ABAP to the Jira Cloud platform.

Start Transaction SE38

Start transaction SE38 to execute the test report ZJIRAPROFILE. This report will use the OAuth 2.0 Client API to set the access token in the HTTP client.

Execute the Report ZJIRAPROFILE

 

When an access token is available, the report retrieves a list of all Jira projects on the system that the current user is entitled to see. The result is displayed on the AS ABAP.

 

Troubleshooting

If required, a description can be found in the article "Troubleshooting".

 

 

 
