Authorization and flow for GitLab for Jira Cloud app

The documentation for GitLab for Jira Cloud app says

The GitLab.com user only needs access when adding a new namespace. For syncing with Jira, we do not depend on the user’s token.

And when you sign-in, you are asked to authorize access to the GitLab API.

I can guess it configures something in GitLab.com, but what authorizes GitLab.com to push updates into Jira? Or does Jira Cloud always pull from GitLab.com? If GitLab.com doesn’t depend on a user’s token, what does it depend on?

Perhaps it’s the same as the self-managed GitLab:

Access to GitLab through OAuth

GitLab does not share an access token with Jira. However, users must authenticate through OAuth to configure the app.

An access token is retrieved through a PKCE OAuth flow and stored only on the client side. The app frontend that initializes the OAuth flow is a JavaScript application that’s loaded from GitLab through an iframe on Jira.

The OAuth application must have the api scope, which grants complete read and write access to the API. This access includes all groups and projects, the container registry, and the package registry. However, the GitLab for Jira Cloud app only uses this access to:

  • Display namespaces to be linked.
  • Link namespaces.

Access through OAuth is only needed for the time a user configures the GitLab for Jira Cloud app. For more information, see Access token expiration.

Access to Jira through access token

Jira shares an access token with GitLab to authenticate and authorize data pushes to Jira. As part of the app installation process, Jira sends a handshake request to GitLab containing the access token. The handshake is signed with an asymmetric JWT, and the access token is stored encrypted with AES256-GCM on GitLab.
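To make the "PKCE OAuth flow" in the quoted documentation concrete, here is an added, self-contained illustration of the PKCE mechanism itself (RFC 7636). It is not code from the original post, from GitLab, or from the Jira app; the function names, the `demo_exchange` round trip and the rejection cases are my own. The point it shows is why the browser-side frontend can hold the token without GitLab ever sharing it with Jira: the `code_verifier` never leaves the client until the token exchange, and the server only stores the derived challenge.

```python
import base64
import hashlib
import secrets


def b64url_nopad(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: a high-entropy random secret, kept only in the browser.

    32 random bytes encode to 43 base64url characters, the minimum length
    RFC 7636 allows (the maximum is 128).
    """
    return b64url_nopad(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: challenge = BASE64URL(SHA256(ASCII(verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(verifier: str, stored_challenge: str) -> bool:
    """Server side check at the token endpoint.

    The authorization server stored the challenge when it issued the
    authorization code; now the client presents the verifier and the
    server recomputes the challenge. Comparison is constant-time so
    timing does not leak how many leading characters matched.
    """
    if not 43 <= len(verifier) <= 128:
        return False
    return secrets.compare_digest(make_code_challenge(verifier), stored_challenge)


def demo_exchange() -> dict:
    """Constructed round trip (hypothetical values, no network):

    1. Browser app creates verifier + challenge, sends only the challenge
       with the authorize request.
    2. Server stores the challenge next to the issued authorization code.
    3. Browser redeems the code with the verifier; server verifies.
    """
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    # What actually travels in the authorize redirect (constructed example).
    authorize_params = {
        "response_type": "code",
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    # Server-side record keyed by the issued code (constructed value).
    issued_codes = {"code-EXAMPLE": authorize_params["code_challenge"]}
    # Legitimate redemption: the holder of the verifier succeeds.
    ok = verify_pkce(verifier, issued_codes["code-EXAMPLE"])
    # An attacker who intercepted the code but not the verifier fails,
    # even with a well-formed verifier of their own.
    stolen_code_only = verify_pkce(make_code_verifier(), issued_codes["code-EXAMPLE"])
    return {"legitimate": ok, "stolen_code_only": stolen_code_only}


if __name__ == "__main__":
    print(demo_exchange())
```

The S256 step is what lets the server accept a public-client token exchange without a client secret: the challenge it stored is a one-way hash, so an authorization code captured from the redirect is useless without the verifier the browser kept. The asymmetric-JWT handshake and AES-256-GCM storage mentioned for the Jira-to-GitLab direction are separate mechanisms that this example does not cover.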