Skip to content

fix: support BYOT OAuth mode without requiring service URLs #699

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
nealedj wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix: support BYOT OAuth mode without requiring service URLs #699

nealedj wants to merge 2 commits into from

Conversation

@nealedj
Copy link

@nealedj nealedj commented Sep 17, 2025

Description

Fixes: #698

Changes

  • Allow missing CONFLUENCE_URL/JIRA_URL when ATLASSIAN_OAUTH_ENABLE is set
  • Mark services as available in environment detection for BYOT mode
  • Preserve original is_cloud behavior based on oauth_config.cloud_id presence

Testing

  • Unit tests added/updated
  • Integration tests passed
  • Manual checks performed: Tested using my integration from Librechat.

Checklist

  • Code follows project style guidelines (linting passes).
  • Tests added/updated for changes.
  • All tests pass locally.
  • Documentation updated (if needed).

@nealedj
fix: support BYOT OAuth mode without requiring service URLs
c9747aa 
Fixes: "com.atlassian.confluence.api.service.exceptions.GoneException: This deprecated endpoint has been removed."
error when using ATLASSIAN_OAUTH_ENABLE (BYOT) + Atlassian Cloud.

**Changes:**
- Allow missing CONFLUENCE_URL/JIRA_URL when ATLASSIAN_OAUTH_ENABLE is set
- Mark services as available in environment detection for BYOT mode
- Preserve original is_cloud behavior based on oauth_config.cloud_id presence

**Configuration behavior:**
- ATLASSIAN_OAUTH_ENABLE=true + no URLs → creates minimal OAuth config
- is_cloud determination depends on ATLASSIAN_OAUTH_CLOUD_ID presence:
  - With ATLASSIAN_OAUTH_CLOUD_ID → is_cloud = True (Cloud API)
  - Without ATLASSIAN_OAUTH_CLOUD_ID → is_cloud = False (Server API)
- When URLs are provided, they override cloud detection as before

**Files modified:**
- src/mcp_atlassian/confluence/config.py
- src/mcp_atlassian/jira/config.py
- src/mcp_atlassian/utils/environment.py

**Tests added:**
- BYOT OAuth scenarios with/without URLs and cloud_id
- Environment service detection for minimal OAuth mode
- Various ATLASSIAN_OAUTH_ENABLE value format validation

This enables BYOT (Bring Your Own Token) OAuth deployments where user
tokens are provided via HTTP headers without requiring static service
URL configuration, while maintaining backward compatibility.
@nealedj
Linting
1dc330c
@TahaGHZ
Copy link

TahaGHZ commented Sep 29, 2025

Does this also fix the depricated Confluence v1 REST calls ?
I also ran into your same problem today with BYOT and confluence get page function tool

@nealedj
Copy link
Author

nealedj commented Sep 30, 2025

Assuming that you're running Confluence Cloud with BYOT then yes this should solve it.

@kelvinwijaya
Copy link

kelvinwijaya commented Oct 3, 2025

@sooperset , I am supportive for this PR

Currently if we create API Token, we are forced to use v1 API (unscoped) which may get deprecated

Scope vs Unscoped PATH

Feature Scoped PAT (Recommended) Unscoped PAT (Legacy)
Security Provides granular, least-privilege access by specifying exactly what actions the token can perform. Grants all API permissions that the user who created the token has.
Permissions Determined by specific scopes selected during creation (e.g., read:confluence-content). Inherited from the token creator, with no option to limit access.
API Endpoints Uses the central API endpoint format: https://api.atlassian.com/ex/confluence/{cloudId}/.... Uses older, site-specific endpoint formats: https://{your-site-name}.atlassian.net/....
Expiration Can be created with an optional expiration date (1–365 days) for added security. Does not automatically expire unless configured by an administrator.
Creation Created via the "Create API token with scopes" option in your Atlassian account's API tokens page. Created via the "Create API token" option in your Atlassian account's API tokens page.
Status Recommended and supported. Considered legacy and is being deprecated.

@nealedj
Copy link
Author

nealedj commented Oct 3, 2025

Duplicate PR raised in alternative project SharkyND/mcp-atlassian#13 since the maintainer of this one doesn't appear to be active any longer.

@kelvinwijaya kelvinwijaya mentioned this pull request Oct 3, 2025
Open
7 tasks
@TahaGHZ
Copy link

TahaGHZ commented Oct 3, 2025

In my current approach I'm not creating an API token (unscoped as you have mentioned), instead I'm using an Oauth2 app with granular and classic scoped to get a token and a refresh token, then these tokens are used along the MCP function tool calls.
This might be a better approach for you if you're authenticating multiple ATLASSIAN sites with your MCP instead of a 1on1 usage.

nszceta added a commit to nszceta/mcp-atlassian that referenced this pull request Oct 16, 2025
@nszceta
Merge PR sooperset#699: fix: support BYOT OAuth mode without requirin…
a6bb65c 
…g service URLs
@github-actions
Copy link

github-actions bot commented Oct 18, 2025

This pull request has been automatically marked as stale because it has not had recent activity for 14 days. It will be closed if no further activity occurs. Please leave a comment or remove the 'stale' label if you believe this PR is still relevant. Thank you for your contributions!

@github-actions github-actions bot added the stale label Oct 18, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

stale

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: Confluence V1 API used with Cloud + ATLASSIAN_OAUTH_ENABLE=true

3 participants

@nealedj @TahaGHZ @kelvinwijaya