Authorization and flow for GitLab for Jira Cloud app

The documentation for GitLab for Jira Cloud app says

The user only needs access when adding a new namespace. For syncing with Jira, we do not depend on the user’s token.

And when you sign-in, you are asked to authorize access to the GitLab API.

I can guess it configures something in, but what authorizes to push updates in Jira? or Does the Jira Cloud always pull from If doesn’t depend on a user’s token, what does it depend on?

Perhaps it’s the same as the self-managed GitLab:

Access to GitLab through OAuth [

](Pricing | GitLab)

GitLab does not share an access token with Jira. However, users must authenticate through OAuth to configure the app.

An access token is retrieved through a PKCE OAuth flow and stored only on the client side. The app frontend that initializes the OAuth flow is a JavaScript application that’s loaded from GitLab through an iframe on Jira.

The OAuth application must have the api scope, which grants complete read and write access to the API. This access includes all groups and projects, the container registry, and the package registry. However, the GitLab for Jira Cloud app only uses this access to:

  • Display namespaces to be linked.
  • Link namespaces.

Access through OAuth is only needed for the time a user configures the GitLab for Jira Cloud app. For more information, see Access token expiration.

Access to Jira through access token

Jira shares an access token with GitLab to authenticate and authorize data pushes to Jira. As part of the app installation process, Jira sends a handshake request to GitLab containing the access token. The handshake is signed with an asymmetric JWT, and the access token is stored encrypted with AES256-GCM on GitLab.