Suggestion
Resolution: Unresolved
User Problem
I’m developing a desktop application (in C# / .NET) that needs to use the Jira Cloud REST API on a user's behalf.
I was reading this article about OAuth 2.0 (3LO) which explains how to use the Authorization Code grant flow. However, in this article, we're using a Client Secret to exchange the authorization code for an access token.
Since my application is a desktop application, it should be considered a public (non-confidential) client. All of the application's binaries and files are copied to the local file system. Since they can be easily decompiled and inspected by anyone with access to the file system, desktop applications should not contain any secrets.
Suggested Solution
Desktop applications should use the Authorization Code grant flow with the PKCE extension to authorize the user and to avoid storing any secrets on the user's device.
This request is to ask for the PKCE extension to be added to the Authorization Code grant flow for the Jira Cloud REST API.
Current Workaround
A possible workaround (with a less than ideal user experience) is that each user generates their own client id and secret, stores it in their local environment, and then your app mediates the authorization code flow using those unique credentials.
Additional Note
Please note that the public suggestion OAUTH20-2491 logged for PKCE explicitly mentions an on-prem Jira version. Atlassian treats bugs separately for Cloud vs Server/DC. As such, I'm logging this new feature request specifically for Cloud.
Also, this request doesn't concern Forge and Connect apps. However, there is no suitable component available. I was forced to select a Forge and Connect component.
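The PKCE mechanics behind the Suggested Solution above, as an added example that is not part of the original request and not Atlassian's code: it assumes .NET 6 or later, and the authorization server URL, client id, redirect URI and authorization code are placeholders.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not part of the original request: the PKCE (RFC 7636) pieces a
// public desktop client needs so that no client_secret ships in the binary.
// Endpoint URL, client id, redirect URI and the code value are placeholders.
public static class Pkce
{
    // Section 4.1: 32 random bytes -> 43 base64url chars (allowed range 43..128).
    public static string CreateCodeVerifier() =>
        Base64UrlEncode(RandomNumberGenerator.GetBytes(32));

    // Section 4.2, method S256: BASE64URL(SHA256(ASCII(code_verifier))).
    public static string CreateCodeChallenge(string verifier) =>
        Base64UrlEncode(SHA256.HashData(Encoding.ASCII.GetBytes(verifier)));

    // The check the authorization server performs at the token endpoint,
    // included so the client-side computation can be tested against it.
    public static bool Verify(string verifier, string challenge) =>
        CryptographicOperations.FixedTimeEquals(
            Encoding.ASCII.GetBytes(CreateCodeChallenge(verifier)),
            Encoding.ASCII.GetBytes(challenge));

    // Base64url (RFC 4648 section 5) with '=' padding removed, as PKCE requires.
    private static string Base64UrlEncode(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static void Main()
    {
        const string redirectUri = "http://127.0.0.1:49152/callback"; // loopback listener
        string verifier = CreateCodeVerifier();   // held in memory for this flow only
        string challenge = CreateCodeChallenge(verifier);

        // Step 1: open the system browser at the authorize endpoint with the challenge.
        string authorizeUrl = "https://authorization-server.example/authorize"
            + "?response_type=code&client_id=PUBLIC_CLIENT_ID"
            + "&redirect_uri=" + Uri.EscapeDataString(redirectUri)
            + "&code_challenge=" + challenge + "&code_challenge_method=S256";

        // Step 2: exchange the code from the redirect, sending code_verifier where a
        // confidential client would send client_secret (x-www-form-urlencoded body).
        string tokenBody = "grant_type=authorization_code&code=CODE_FROM_REDIRECT"
            + "&client_id=PUBLIC_CLIENT_ID&code_verifier=" + verifier
            + "&redirect_uri=" + Uri.EscapeDataString(redirectUri);

        Console.WriteLine(authorizeUrl + "\n" + tokenBody);
        Console.WriteLine(Verify(verifier, challenge)); // True: challenge matches verifier
    }
}
```

The verifier never leaves the process until the token request, so a decompiled binary or a copied install directory yields nothing reusable, which is the property the request asks for.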