Application link & OAuth1.0a
What is an application link?
The application link is the technical requirement to connect an external application to Jira with OAuth 1.0a.
Application links are authentication providers that allow Jira users to log in to Jira with our apps. This is conceptually very similar to Enterprise apps in a Microsoft Azure tenant. The existence of an application link does not grant access to your Jira instance; it just allows users to grant consent.
This way your users and your data stay safe. You might have noticed: when using Confluence (or any other Atlassian product) next to Jira, it is also connected with an application link.
Benefits of using an application link
TL;DR: We never come into contact with your users' passwords and only get a revocable access token.
Application links with OAuth 1.0a allow the app to impersonate user actions without storing the user's password. As the same password might be used elsewhere, using OAuth flows is common practice. Using the application link with OAuth 1.0a, we get a separate token from Jira for each user that is using the app. And every request is signed with a one-time token, which makes replay attacks by a man-in-the-middle impossible.
Secondly, it is a well-known Jira standard technology and it works with most SSO solutions.
And lastly, you can always delete the application link (= close the door) and all access tokens are revoked. This gives you full control.
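The signing and replay protection described above can be sketched as follows. This is an added example, not yasoon's or Atlassian's code: it follows the generic OAuth 1.0a rules from RFC 5849 and uses HMAC-SHA1 only to stay within the Python standard library (the signature method the product uses is not stated on this page). All keys, secrets and the URL are constructed placeholders.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def enc(value):
    # RFC 5849 percent-encoding: only unreserved characters stay literal
    return quote(str(value), safe="-._~")

def sign(method, url, params, consumer_secret, token_secret):
    # Signature base string: METHOD & encoded URL & encoded sorted parameters
    pairs = sorted((enc(k), enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), enc(url), enc(normalized)])
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def build_request(method, url, data, consumer_key, token, consumer_secret, token_secret, now=None):
    # Client side: every request gets a fresh nonce and timestamp before signing
    params = dict(data, oauth_consumer_key=consumer_key, oauth_token=token,
                  oauth_signature_method="HMAC-SHA1", oauth_version="1.0",
                  oauth_timestamp=str(int(time.time() if now is None else now)),
                  oauth_nonce=secrets.token_hex(16))
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return params

class Verifier:
    # Server side: accept a signed request once, inside a bounded time window
    def __init__(self, consumer_secret, token_secret, max_skew=300):
        self.secrets = (consumer_secret, token_secret)
        self.max_skew = max_skew
        self.seen = set()  # (token, timestamp, nonce) triples already accepted

    def check(self, method, url, params, now=None):
        now = time.time() if now is None else now
        if abs(now - int(params["oauth_timestamp"])) > self.max_skew:
            return "stale"
        expected = sign(method, url, params, *self.secrets)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return "bad-signature"
        key = (params["oauth_token"], params["oauth_timestamp"], params["oauth_nonce"])
        if key in self.seen:
            return "replay"
        self.seen.add(key)
        return "ok"

# Constructed sample values, not real credentials or a real instance
URL = "https://jira.example.com/rest/api/2/issue"
REQUEST = build_request("POST", URL, {"summary": "Mail from Outlook"},
                        "example-consumer", "example-token", "c-secret", "t-secret", now=1000)
```

A captured copy of `REQUEST` is rejected as a replay, a modified copy fails the signature check, and a copy presented outside the time window is rejected as stale. A real verifier would also expire entries in `seen` once they fall outside that window.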
When is the application link used?
JIRA CLOUD For Jira Cloud, the application link is only used to connect the Outlook addin with Jira. All other features are using OAuth 2.
JIRA SERVER For Jira Server, the application link with OAuth1.0a is the only authentication method available, so every request made to the instance uses this application link. This applies to the Outlook app, the Teams app and the Jira UI. This means every user is required to sign in with OAuth1.0a when using the app.
Where are the OAuth1.0a tokens stored?
For the Outlook addin, the token is stored within the mailbox of the corresponding user.
For other apps, the token is stored securely and encrypted on the yasoon server so that the app can access Jira on behalf of the user.
Incoming authentication
One special thing about the application link created for Outlook Email for Jira: it is only an incoming link.
Usually an application link has an outgoing and incoming part, which makes a lot of sense when you want to connect another application like Confluence.
In the case of Outlook Email for Jira, it only needs one direction: reading and writing data from Outlook to Jira. At no time does Outlook Email for Jira send data to external servers automatically, nor does any external service get access to your Jira system.
Troubleshooting
Issues in upgrade report
SERVER ONLY
The latest Jira upgrades come with a dedicated upgrade report. It runs a kind of health check after the upgrade to see if everything has worked correctly.
Most of the time, the application link for Outlook Email for Jira will raise a warning. You can safely ignore it.
The report recognizes that the URL for the application link is not a valid one. This is intended, as the application link is only inbound and is used by all Outlook clients to connect to Jira. Where should the URL point to?
Warnings in the log files
SERVER ONLY
Some customers report warnings in the log files like this:
Registering failure for stream provider <Application Link Name> due to error other
This is also caused by the incoming-only application link.
Again, you can safely ignore them.