Atlassian, JSON Web Tokens, and The Death of Cookie Monster

What Is a JWT and Why Am I Looking At It?

ScriptRunner Behaviours are amendments or changes to custom fields, implemented by installing a free app on top of ScriptRunner (which is definitely NOT free). The app allows for modifying the way in which some fields work. Simple enough.

All behaviors for all app users are stored on an Adaptavist-run server, https://us.hydrogen.sagittarius.connect.product.adaptavist.com/sr-dispatcher/jira/admin/secure/behaviours. Different servers likely exist for different regions, but the approach is the same.

What do we notice about this URL? There’s no identifying value in it. Nothing to specify which Cloud instance’s behaviours should be returned. So how does the Adaptavist server know which behaviours to return? It uses a JSON Web Token. A JSON web token (JWT) is kind of like a cookie, but it contains a lot more information.

When a call is made to retrieve the behaviors, Jira sends a JWT to the Adaptavist server, and the Adaptavist server uses the contents of the JWT to decide which behaviors to return.

JWTs are interesting because they’re stateless. Instead of the server saving information about the session and comparing it against a cookie, the JWT contains all relevant information. So long as the server that receives the JWT has the correct private key to decrypt the token, it can parse the token and return the proper values. This is advantageous for a number of reasons, not the least of which is that the JWT can go to any server with the correct private key. The session isn’t tied to a specific server that has transitory session information.
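As an added illustration (not code from this post, Adaptavist or Atlassian), here is a minimal Python model of how a stateless dispatcher like the one above can tell tenants apart: the token's iss claim names the installing instance, and the server trusts the claims only after the HS256 signature checks out under that tenant's shared secret. Tokens of this kind are signed rather than encrypted, so the secret verifies the token instead of decrypting it, and a forged or edited payload fails the check. The tenant names, secrets and claim values are constructed for the example, and HS256 with a per-installation shared secret is an assumption of the model.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature with HS256 over the first two segments."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims only if signature and expiry check out, otherwise None."""
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(claims_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # refuse alg=none and algorithm substitution
        return None
    expected = hmac.new(secret, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if claims.get("exp", 0) <= (int(time.time()) if now is None else now):  # no exp => reject
        return None
    return claims

def resolve_tenant(token: str, secrets_by_issuer: dict, now: Optional[int] = None) -> Optional[str]:
    """Unverified iss picks which tenant secret to try; trust only if the token verifies under it."""
    try:
        issuer = json.loads(b64url_decode(token.split(".")[1])).get("iss")
    except (ValueError, IndexError, AttributeError):
        return None
    secret = secrets_by_issuer.get(issuer)
    claims = verify_jwt(token, secret, now) if secret else None
    return claims["iss"] if claims else None
```

Reading iss before verification is only a lookup hint; nothing is served until the signature under that tenant's secret passes.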

The Atlassian Cloud platform uses JWTs in a number of places, including when interacting with https://id.atlassian.com. They tend to show up in places where Atlassian doesn’t expect or want you to be poking around or automating processes.

Unrelated, here’s some previous work I did on interacting with https://admin.atlassian.com
