Configure OAuth 2.0 to enable SCIM authentication

OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 credentials allow applications to access resources like Jira on behalf of a service account securely and with permission, without using passwords. See Understand service accounts to learn more.

Set up SCIM authentication in order to use the public-facing SCIM APIs.

Set up SCIM authentication

To set up SCIM authentication, you first need to set up a service account and configure OAuth 2.0.

Step 1: Create a service account and OAuth 2.0 credentials

You need to be an Atlassian org admin to perform this step.

To create a service account:

  1. Go to Atlassian Administration. Select your organization if you have more than one.

  2. Select Directory > Service accounts.

  3. Enter a name and optionally a description for the service account, then select Next.

  4. Select User Access Admin role for one of the apps.

  5. Select Create.

Continue from here to create your OAuth credentials:

  1. Select Create credentials.

  2. Select OAuth 2.0, then select Next.

  3. Enter a name for your OAuth 2.0 credentials, then select Next.

  4. Under Select scopes, filter by App: Atlassian.

  5. Select the Atlassian app with the scope name read:account. This is a temporary placeholder scope until we provide the manage:directory scope.

  6. Review and select Create.

  7. Copy and save the Client ID from the created OAuth credentials, then select Done.

Step 2: Create a SCIM directory in Atlassian administration

You need to be an Atlassian org admin to perform this step.

To create a SCIM directory:

  1. Go to Atlassian Administration. Select your organization if you have more than one.

  2. Go to Security > User security > Identity providers.

  3. Choose Other provider.

  4. Add the directory name apple_directory, then select Add.

  5. Select Set up user provisioning.

  6. Copy SCIM Base URL and select Next.

  7. Select Stop and save SCIM configuration.

Step 3: Provision an OAuth 2.0 client and create a grant

We provision the OAuth client for you, then we create a grant (role assignment) for you. Contact your Enterprise account representative, and provide us with the following information:

  1. From the previous steps:

    1. Service account ID

    2. OAuth Client ID

    3. Directory ID

  2. From Apple:

    1. Public key or JWKS URL (https://appleid.apple.com/auth/keys) with a kid.

We’ll let you know when we complete this step.

Use public-facing SCIM APIs

To use the public-facing SCIM APIs, you first need to generate an access token. Generate an internal token signed with your private key, then exchange it for a short-lived Atlassian access token.

Step 1: Exchange the internal token for an Atlassian access token

  1. Generate a "client_assertion" token (a JWT signed with the private key whose public half is published at your JWKS URL):

    {
      "header": {
        "alg": "RS256",
        "kid": "${configured_key_id}"
      },
      "payload": {
        "exp": 1765575427,
        // This would conventionally be set to https://auth.atlassian.com,
        // but will be different for Oasis
        "aud": "${OASIS_AUTH_SERVER_CNAME}",
        "iss": "${client_id}",
        "sub": "${client_id}"
      },
      "signature": "..."
    }

  2. Execute the client_credentials grant flow:

    POST /oauth/token
    host: ${OASIS_AUTH_SERVER_CNAME}
    content-type: application/json

    {
      "client_id": "${client_id}",
      "grant_type": "client_credentials",
      "scope": "manage:directory",
      "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
      "client_assertion": "${SIGNED_JWT}"
    }

  3. Receive the access token:

    HTTP/1.1 200 OK
    Content-Type: application/json;charset=UTF-8
    Content-Length: 1687
    Connection: close

    {
      "access_token": "$ACCESS_TOKEN",
      "expires_in": 3600,
      "token_type": "Bearer",
      "scope": "manage:directory"
    }
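As an added example (not Atlassian's code), the client side of step 1 in Go: mint the RS256 client_assertion carrying the kid of the key whose public half is published at your JWKS URL, then check it the way the authorization server will (signature selected by kid, then aud and exp) before sending it, so a stale exp or wrong aud is caught locally instead of as an opaque token error. The kid, client ID and aud strings are constructed placeholders, and the key is generated in memory for the demo; in real use load the private key matching your JWKS entry and set aud to your OASIS_AUTH_SERVER_CNAME.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var enc = base64.RawURLEncoding // unpadded base64url, as JWTs require (RFC 7515)

// BuildClientAssertion mints the client_assertion JWT from step 1: RS256, the kid of the key published at the JWKS URL, iss == sub == client_id, aud == the auth server CNAME.
func BuildClientAssertion(key *rsa.PrivateKey, kid, clientID, aud string, exp int64) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	claims, _ := json.Marshal(map[string]any{"exp": exp, "aud": aud, "iss": clientID, "sub": clientID})
	input := enc.EncodeToString(header) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyClientAssertion mirrors the server-side checks: RS256 signature with the public key selected by kid, then aud and exp. Use it as a pre-flight check before calling /oauth/token.
func VerifyClientAssertion(pub *rsa.PublicKey, token, aud string, now int64) (map[string]any, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed JWT: expected 3 segments")
	}
	sig, _ := enc.DecodeString(p[2]) // a bad encoding leaves a signature that fails verification below
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, err
	}
	raw, _ := enc.DecodeString(p[1])
	var claims map[string]any
	if json.Unmarshal(raw, &claims) != nil || claims["aud"] != aud {
		return nil, errors.New("claims unreadable or aud does not name this server")
	}
	if exp, _ := claims["exp"].(float64); int64(exp) <= now {
		return nil, errors.New("assertion expired")
	}
	return claims, nil
}
```

The returned token is the value for the client_assertion field of the /oauth/token request in step 2; the public key used for verification corresponds to the JWKS entry Atlassian selects by kid.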

Step 2: Call public-facing SCIM APIs

Using the access_token generated in the previous step for authentication, call the Create a user API to create a user.
