How to use jQuery in Confluence to run a JIRA REST query without hard-coding username/password in plain-text?

Well, if you are using an atlassian gadget within an atlassian gadget container (which confluence provides), then of course your gadget is already authenticated itself, prior to that ajax call (search for "useOAuth" in the gadget's code). I was convinced that you are talking about a standalone javascript on a third party server (because you mentioned jquery instead of AJS) :)

Glad you solved it :) Cheers :)

My apologies, I updated the issue to reflect it after you had started commenting on my question and I had realized my mistake.

I'm not modifying any gadget, nor am I creating my own. I'm creating a User Macro to be used in a Confluence page. Are you saying there's an even easier way to do this than what I've found in my solution (without creating my own proxy)?

Thank you, thank you, thank you! This post should be documented in the official Atlassian documentation. I have used 3 days to find this information.

It should be noted that the "path" should be URL encoded. So take your normal JIRA rest call and run that through a url encoder first. Now it is quite possible that your original rest call might have some stuff that is url encoded as well ... so those portions will end up getting double url encoded.

Also, thanks a ton. This also gets around any CORS issues.

Hello @Davin Studer, did you use the suggested REST call by that date?

"<Confluence URL>/plugins/servlet/applinks/proxy?appId=<UUID>&path=<JIRA URL>/rest/api/latest/issue/ISSUE-123"

I'm trying mine:

https://fxmesas.atlassian.net/plugins/servlet/applinks/proxy?appId=ff0f74d4-21d9-3fe2-a230-9210e221404a&path=https%3A%2F%2F16836ccf.ngrok.io%2Frest%2Fapi%2F1.0%2Fprojects%2FBBTES%2Frepos%2Ftrainers%2Fbranches

and I get 404 -> not found. Did that end point exist for you?

I am trying to leverage one app linked (bitbucket server) to my JIRA to make a rest call to bitbucket public REST API, so something similar to @Phillip Ponzer [Cprime] 's case.

I made the call from a Confluence server. Not sure if the applink proxy exists in Bitbucket or if it does if that is the correct URL.

Did you manage to use this to create a JIRA issue as well?

For me the 'GET' calls are working as you described,

 $.ajax({
 url: '<CONFLUENCE URL>/plugins/servlet/applinks/proxy?appId=<APP_ID>&path=<JIRA_URL_ENCODED>%2Frest%2Fapi%2F2%2Fissue%2FISSUE-123',
 type: 'get',
 contentType: 'application/json',
 success: function (resp) { },
 });

 but the 'POST' requests always fail with HTTP 400 Bad request: "The request sent by the client was syntactically incorrect"

var jiraData = {"fields": {"project": { "key": "PRJ" },"summary": "dummy","description": "test","issuetype": { "name": "Task" }}} 

$.ajax({
 url: '<CONFLUENCE URL>/plugins/servlet/applinks/proxy?appId=<APP_ID>&path=<JIRA_URL_ENCODED>%2Frest%2Fapi%2F2%2Fissue',
 type: 'post',
 contentType: 'application/json',
 data: JSON.stringify( jiraData ),
 success: function (resp) { },
 });

I am thinking that the JSON should be formatted/escaped somehow.. any clue?

I use:  JIRA v7.2.7, Confluence 6.4.3

Did you ever figure out how to get around the POST issue? I am hitting the same when trying to do a POST/PUT.

By "proxy" script do you mean host a "js" file on my JIRA server which holds my credentials and include it in my standalone HTML page?

<script src="<JIRA URL>/credentials.js" type="text/javascript"></script>

No. If you put your credentials into a javascript file and make it downloadable to users, you practically gave them access to your JIRA.

What I meant by "proxy" was to implement java servlet (or server-side php script) page which your javascript code will access (using ajax call usually) and which will contact your JIRA instance (from the web server) and perform the actual authentication and data retrieval and return the data back to your javascript code (through the reply to the ajax request).

Consider the following image:

Your JavaScript code is executed in User's Browser. It contacts your web server (in this image it is labeled as "Page on Your Server"), where you have your java server page (proxy page) which contacts your JIRA server (in this image it is labeled as "Third-Party Web Service").

I hope it is a bit more clear now how can you achieve your privacy, since you keep all the credentials on your web server and not sending it to the user's browser.

Is this the only way? Or can this be done utilizing Confluence's application link to JIRA?

Application Links can be used (I've done it several times), but from one JIRA server to another JIRA server (more precisely, from one Atlassian product server to another Atlassian product server), not from the client browser to the JIRA server.

Your options are:

1) Use proxy

2) Use application links (looks like a proxy, but it's actually the same if not worse, because you access one JIRA/Confluence server to be able to access another JIRA server, so you still need credentials to authenticate to the first of those two servers that your JavaScript will access)

3) Prompt a user to input authentication (login) info and/or use OAuth

4) If your JIRA REST service is public (doesn't require login info) you don't even need to authenticate. Especially if you are writing that REST service, maybe you can make it anonymous/public.

Try reading this article to get more info about your possibilities: JIRA REST API Tutorials