Cloud.Session.Tokens and API Access to Admin.Atlassian.com

Posted 2 weeks ago by Ken

Management of users, groups, authentication, and directories happens outside of an organization’s primary Atlassian Cloud domain.   Even if an organization uses https://org1234.atlassian.net for their Jira, all user administration happens on https://admin.atlassian.com

Atlassian has provided very little in the way of API methods by which Cloud users may be managed.  For example, the quickest way to bulk-change users from one authentication policy to another is to create a CSV, and import that CSV from the front end.   This is… not convenient.

Unlike domains at the organizational level, the Atlassian Admin portal doesn’t use a username and a token for authentication.   Instead, it uses a cloud.session.token.  When you navigate from an organizational domain to the Admin portal, this token is generated and stored as a cookie.

I haven’t yet figured out how to generate the cloud.session.token with Python.   Instead, what we’re first going to do is authenticate against the admin portal in our web browser, and then “borrow” that cookie for our script.  Here are the steps to do this:

  • Log in to the Atlassian Cloud in your browser
  • Go to https://admin.atlassian.com/
  • Right-click the page, and inspect
  • Open the network tab
  • Refresh the page
  • Locate the GET request that was sent to https://admin.atlassian.com/
  • Copy value as CURL
  • Paste into a text file
  • Search the text file for the cloud.session.token value
  • Save the token value

Now we have the value we need to authenticate against the Admin portal.

Here’s some sample code that authenticates against the Admin Portal. You’ll need to supply your own Organizational ID.  If you can’t find that, you should definitely NOT be running this script.

import requests
import loguru

org_id = "<org_id>"
logger = loguru.logger

cookies = {
    'cloud.session.token': '<cloud.session.token>'
}

admin_portal_get_request = requests.get(f"https://admin.atlassian.com/gateway/api/adminhub/um/site/{org_id}/users", cookies=cookies)

logger.info(admin_portal_get_request.status_code)
logger.info(admin_portal_get_request.content)
logger.info(admin_portal_get_request.cookies)

 

There’s an easier way to accomplish the same thing.  After logging in to the Admin Portal, as above, you can use the browsercookie package to borrow the cookie already stored in your browser.  The example below uses Firefox:

import requests
import browsercookie
import loguru

logger = loguru.logger

org_id = "<org ID>"

url = f'https://admin.atlassian.com/gateway/api/adminhub/um/site/{org_id}/users'

cookies = browsercookie.firefox()  # Change to browser of your choice
response = requests.get(url, cookies=cookies)

logger.info(admin_portal_get_request.status_code)
logger.info(admin_portal_get_request.content)
logger.info(admin_portal_get_request.cookies)

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>