feat(WD-36985): Jira oauth2.0 service account integration#327
Merged
Conversation
There was a problem hiding this comment.
Pull request overview
This PR migrates the webapp’s Jira integration from user-based basic auth (email + API token) to an OAuth 2.0 client-credentials (“service account”) flow, aligning the integration with a dedicated service account approach and updating configuration/CI accordingly.
Changes:
- Replace Jira basic-auth configuration with
JIRA_CLIENT_ID/JIRA_CLIENT_SECRET. - Update Jira client implementation to obtain and cache OAuth access tokens and route API calls via Atlassian’s
api.atlassian.com/ex/jira/{cloudId}base. - Update documentation, charm config schema, and GitHub Actions workflows to use the new Jira credentials.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
webapp/settings.py |
Swaps Jira config keys from email/token to OAuth client ID/secret. |
webapp/jira.py |
Implements OAuth2 client-credentials token flow, cloud-id discovery, and Redis-backed token caching. |
README.md |
Updates local env var examples to the new Jira OAuth credentials. |
charm/charmcraft.yaml |
Updates charm config options to accept Jira client ID/secret. |
.github/workflows/playwright.yml |
Updates Playwright workflow env vars/secrets for Jira OAuth credentials (and job permissions). |
.github/workflows/CI.yml |
Updates CI workflow env vars for Jira OAuth credentials. |
.env |
Updates example env file to use Jira OAuth client ID/secret. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Onibenjo
reviewed
Jun 5, 2026
Onibenjo
reviewed
Jun 5, 2026
Onibenjo
reviewed
Jun 5, 2026
Contributor
Onibenjo
left a comment
Onibenjo
left a comment
There was a problem hiding this comment.
LGTM. Thanks for the update
Contributor
Author
|
@Onibenjo Thank you for the review, can you please take another look? |
Contributor
|
Code +1 I'm trying to get the server up locally |
Onibenjo
approved these changes
Jun 5, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Previously, Jira integration relied on user accounts with basic auth (email + token).
This worked fine, but since it was dependent on user accounts, if a user's token expired or if the user account was deactivated, that resulted in integration failure.
We have now moved towards using a dedicated Jira Service Account, which follows an oauth2.0 strategy. The docs can be found here
Done
QA
QA steps
cs.canonical.com Jira service account, place them in your .env.localtaskdocker container logs cscanonicalcom-web-1Fixes