Programmatical Share Access token

Created by

Last updated 13 November 2023, 17:55

To ensure a seamless experience for our customers, we introduce the ability to programmatically auto-login to Password Protected External Share links. This will eliminate the need to manually enter the password and restrict access to the Confluence page exclusively through our system via iFrame to for example create an online user guide. To achieve that, we use JWT (JSON Web Token).

How to Use It?

How to Use It?

1. Obtaining the Unlock Secret

Every share comes equipped with an Unlock Secret, which is essential for creating a share access token.
The Unlock Secret is a hex-encoded string, crafted from 32 randomly assorted bytes.

Accessing the Unlock Secret

Via the user interface:
- Go to the share’s configurations page
- Ensure that the ‘Protect link with password’ option is enabled under the security tab
- Here, you can locate and access the unlock secret
  Unlock secret is a read only value which can be copied, or regenerated.
Via the API:
- The “unlockSecret” field is returned as part of the response payload when invoking the GET method on the endpoint:
  GET https://confluence.external-share.com/webapi/share/{SHARE_UUID}
  This is detailed in our API documentation: https://docs.warsawdynamics.com/content/37018/external_share_for_confluence_documentation/115671152/115671872#API-GETOPERATION

2. Creating JWT

Once you have obtained the Unlock Secret, you can proceed to create a JWT to access shares without manually entering a password.

JWT stands for JSON Web Token. It's a compact and self-contained string that represents information between two parties. The token is composed of a header, a payload, and a signature. It's commonly used for authentication and secure data exchange.

JWT can be created in a programming language or using a website like:
https://dinochiesa.github.io/jwt/

JWT unlocking share: Required components

Standard header:
```
{
  "alg": "HS256",
  "typ": "JWT"
}
```

Payload:

{
  "iss": "a8b63c1d-3a37-428b-c807-2ffeabbaa647", // UUID of the share
  "nbf": 1698133085, // Token valid from (Unix time in seconds)
  "exp": 1698133175  // Token expiration (Unix time in seconds)
}

Unix time, also known as Epoch time, is a system for tracking time that counts the seconds that have passed since January 1, 1970, at 00:00:00 Coordinated Universal Time (UTC).

It's like a big stopwatch that started on January 1, 1970, and has been ticking every second since. This single number is easy for computers to read and work with.
https://www.unixtimestamp.com

Requirement:
The token’s expiration time must be within 90 seconds of its start validity time: exp - nbf <= 90

Signature:
The Unlock Secret value, converted to bytes. In UI and API it is presented in hex format.
For instance, when using a linked JWT creator website, select ‘Key encoding: HEX’ for this conversion.

Example of creating JWT using linked website:
With Java example of creating nbf and exp.

After filling data you have to click left arrow to generate JWT.

3. Using JWT Share Access token

Now, as you already have the JWT token, for a password-protected link, append ?unlock parameter to the URL as follows:

https://confluence.external-share.com/content/{UUID}?unlock={jwt}

On successful JWT validation, we are adding the same cookie as the page would have been accessed using password, so no need for using unlock token with every page visit.

To make password-protected pages work in iframe, you need to change SameSite Cookie restriction from "Lax" to "None" which is located in External Share for Confluence:
Global Settings → Other → SameSite Cookie restriction

To enable External Share functionality within an iframe hosted on a website outside of atlassian.com, external-share.com or your External Share for Confluence custom domain, you must add a URL under:
Global Settings → Other → Custom content security policy