Coding evening and Jira API

In the first week of january, we’ve visited our colleagues in Hamburg. And when you’re driving there for some hours (and haven’t been there in a while), I couldn’t of course resist to have a nice coding-session in the evening. For that we decided even to stay a day longer, so we didn’t have to hurry to drive home when the evening got late.
Our self-set todo for that evening was to load tickets via API from a local Jira system.
So one of my colleagues took care of reading into the API and preparing the .NET classes (as well as the handling of the data), while I on the other side tried my luck with the authentication.

My mate was quite successful, in a short amount of time, because the API was documented quite well. You can retrieve boards, sprints and issues (separately and grouped by sprint) just by knowing the correct endpoints. You can find the REST documentation on the atlassian page:
https://docs.atlassian.com/software/jira/docs/api/REST/7.6.1/

But have a look at the version number. As we realized at the end of the evening: Our system was just one version below that one we needed to directly query relations between projects and boards. Patches help 😉

I myself despaired the whole evening while working on the OAuth 1.0 authentication. Actually I did that various times (whereas I have to confess that I’m not that firm in implementing such stuff), but I didn’t get that exact way on this evening.

While all my current implementations used HMAC-Sha-something as signature method, Jira insisted on having an RSA-Sha-something. No problem … i thought … if only my libraries (I tried 2 or 3) wouldn’t have acknowledged my tries to set RSA as method with the message “method not supported”.
Some days later I read into that topic again and found something like this:
https://crypto.stackexchange.com/questions/11293/hmac-sha256-vs-rsa-sha256-which-one-to-use

“While HMAC has to use a shared key between server and client (because it’s symmetric) – RSA uses only the PublicKey to validate (that’s called asymetrisch)”. So only one party has to know the privat key.
Well – ok – sounds valid. But on that evening it was already late and I didn’t get it then anymore.

And because I didn’t want to end that evening without a result, I lateron sat down in the hotel to have a further look. I already read that you could of course use the Jira API with basic authentication instead of OAuth … but there was even more (when not in a hurry to find the solution within a given time) … There is for example a library which calls itself “Atlassian SDK”. You can find it here:
https://bitbucket.org/farmas/atlassian.net-sdk/overview

My mate called it “boring” using a library – but hey – decide for yourself ;). Btw.: That library is written by a guy called “Federico Silva Armas”. LinkedIn tells us, that he’s been working at atlassian (QA engineer) and now works as core-dev on the azure-portal … well … Azure seems to be everywhere 😉