ENG-2645: FE Support Jira Ticket integration oauth and test flows

[eastandwestwind]

Ticket [https://ethyca.atlassian.net/browse/ENG-2645] (fides portion)

Please test alongside https://github.com/ethyca/fidesplus/pull/3205

Description Of Changes

Adds the Jira OAuth Connection UI to the admin interface, gated behind the alphaJiraIntegration feature flag. Admins can connect to Jira via OAuth, view connection status, test connectivity, and disconnect. The backend authorized property on ConnectionConfig is extended to support jira_ticket connections by checking for an access_token in secrets.

Code Changes

New files:

• useJiraAuthorization.ts: Custom hook for initiating Jira OAuth flow via POST /plus/oauth/jira/initiate and redirecting to Atlassian
• jiraTicketInfo.tsx: Integration type metadata for the Jira Ticket integration (name, category, tags, overview text)

Frontend integration wiring:

• ConnectionType.ts: Added JIRA_TICKET enum value
• allIntegrationTypes.tsx: Registered JIRA_TICKET in INTEGRATION_TYPE_MAP
• plus.slice.ts: Added initiateJiraOAuth mutation endpoint
• SelectIntegrationType.tsx: Filtered Jira from add-integration modal when flag is off
• index.tsx (integrations list): Filtered Jira from connection queries when flag is off; shows "Unauthorized" status for unauthorized Jira connections
• [id].tsx (integration detail): Added OAuth callback handling (?jira_auth=success/error), Jira auth hook wiring, feature flag gating, removed "Linked system" tab for Jira

Connection status and authorization UI:

• ConnectionStatusNotice.tsx: Shows "Connection not authorized" for unauthorized Jira connections instead of "Connection not tested"
• IntegrationBox.tsx: Dispatches to useJiraAuthorization for Jira connections; shows "Authorize with Jira" button
• useFeatureBasedTabs.tsx: Passes connectionType to status notice; shows Jira-specific button label
• useAuthorizeIntegrationStep.tsx: Shows "Authorize integration" setup step for Jira connections

Configuration form fixes:

• ConfigureIntegrationForm.tsx: Excluded JIRA_TICKET from secrets form and system linking dropdown (uses OAuth, not direct secrets)
• useDatasetConfigField.tsx: Skip dataset config query when connection key is empty

Backend:

• connectionconfig.py: Extended authorized property to return True for jira_ticket connections with an access_token in secrets

Steps to Confirm

Prerequisites:

• Retrieve the OAuth app client_id and client_secret from Atlassian Developer Console > Settings
• Set the callback URL at Atlassian Developer Console > Authorization to http://localhost:8080/api/v1/plus/oauth/jira/callback
• Set env vars on the fidesplus container:

  FIDESPLUS__JIRA__CLIENT_ID=<client_id>
  FIDESPLUS__JIRA__CLIENT_SECRET=<client_secret>
  FIDESPLUS__JIRA__REDIRECT_URI=http://localhost:8080/api/v1/plus/oauth/jira/callback
  

1. Create a Jira ticket integration from the admin UI integrations page
2. Click "Authorize with Jira" and verify redirect to Atlassian consent screen
3. Accept consent
4. Verify redirect back to the integration detail page with a success toast
5. Verify the button changes from "Authorize with Jira" to "Test connection"
6. Verify the integration setup sidebar shows "Authorize integration" as completed
7. Click "Test connection" and verify it succeeds
8. Verify the integrations list shows "Unauthorized" for Jira connections that have not been authorized
9. Delete the integration and verify it is removed

Pre-Merge Checklist

• Issue requirements met
• All CI pipelines succeeded
• CHANGELOG.md updated
  • Add a db-migration This indicates that a change includes a database migration label to the entry if your change includes a DB migration
  • Add a high-risk This issue suggests changes that have a high-probability of breaking existing code label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
  • Updates unreleased work already in Changelog, no new entry necessary
• UX feedback:
  • All UX related changes have been reviewed by a designer
  • No UX review needed
• Followup issues:
  • Followup issues created
  • No followup issues
• Database migrations:
  • Ensure that your downrev is up to date with the latest revision on main
  • Ensure that your downgrade() migration is correct and works
    • If a downgrade migration is not possible for this change, please call this out in the PR description!
  • No migrations
• Documentation:
  • Documentation complete, PR opened in fidesdocs
  • Documentation issue created in fidesdocs
  • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
  • No documentation updates required

Summary by CodeRabbit

• New Features

  • Jira OAuth connection UI for authorizing, testing, and managing Jira integrations
  • Alpha feature flag to enable Jira integration in non-production environments
  • Jira-aware connection status and messaging across integration screens
  • OAuth callback handling for a seamless Jira authorization flow

• Documentation

  • Added changelog entry describing the Jira integration addition

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
fides-plus-nightly	Ignored	Preview	Mar 24, 2026 3:28pm
fides-privacy-center	Ignored		Mar 24, 2026 3:28pm

[coderabbitai]

Note

Currently processing new changes in this PR. This may take a few minutes, please wait...

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 87ceb5c3-947e-4165-a11d-144b0a6fae15

📥 Commits

Reviewing files that changed from the base of the PR and between ea12006 and b833f89.

📒 Files selected for processing (17)

• changelog/7610.yaml
• clients/admin-ui/src/features/datastore-connections/system_portal_config/forms/fields/DatasetConfigField/useDatasetConfigField.tsx
• clients/admin-ui/src/features/integrations/ConnectionStatusNotice.tsx
• clients/admin-ui/src/features/integrations/IntegrationBox.tsx
• clients/admin-ui/src/features/integrations/add-integration/ConfigureIntegrationForm.tsx
• clients/admin-ui/src/features/integrations/add-integration/SelectIntegrationType.tsx
• clients/admin-ui/src/features/integrations/add-integration/allIntegrationTypes.tsx
• clients/admin-ui/src/features/integrations/hooks/useFeatureBasedTabs.tsx
• clients/admin-ui/src/features/integrations/hooks/useJiraAuthorization.ts
• clients/admin-ui/src/features/integrations/integration-type-info/jiraTicketInfo.tsx
• clients/admin-ui/src/features/integrations/setup-steps/hooks/useAuthorizeIntegrationStep.tsx
• clients/admin-ui/src/features/plus/plus.slice.ts
• clients/admin-ui/src/flags.json
• clients/admin-ui/src/pages/integrations/[id].tsx
• clients/admin-ui/src/pages/integrations/index.tsx
• clients/admin-ui/src/types/api/models/ConnectionType.ts
• src/fides/api/models/connectionconfig.py

 _______________________________________________________________________________
< Fancy algorithms are slow when n is small, and n is usually small. - Rob Pike >
 -------------------------------------------------------------------------------
  \
   \   \
        \ /\
        ( )
      .( o ).

_{✏️ Tip: You can disable in-progress messages and the fortune message in your review settings.}

Tip

CodeRabbit can enforce grammar and style rules using `languagetool`.

Configure the reviews.tools.languagetool setting to enable/disable rules and categories. Refer to the LanguageTool Community to learn more.

📝 Walkthrough

Walkthrough

Adds Jira ticket integration with OAuth: new ConnectionType, UI components and hooks for Jira authorization, backend OAuth initiation endpoint, feature flag gating, and UI/authorization flow adjustments across admin UI and backend.

Changes

Cohort / File(s)	Summary
Changelog & Flags changelog/7610.yaml, clients/admin-ui/src/flags.json	Add changelog entry and alphaJiraIntegration feature flag (dev enabled) to gate Jira integration.
Types & Backend clients/admin-ui/src/types/api/models/ConnectionType.ts, src/fides/api/models/connectionconfig.py	Add JIRA_TICKET to ConnectionType enum; backend ConnectionConfig.authorized now treats jira_ticket as authorized when secrets contain an access_token.
API slice clients/admin-ui/src/features/plus/plus.slice.ts	Add initiateJiraOAuth mutation and exported useInitiateJiraOAuthMutation hook (POST to plus/oauth/jira/initiate).
Jira Integration Info clients/admin-ui/src/features/integrations/integration-type-info/jiraTicketInfo.tsx, clients/admin-ui/src/features/integrations/add-integration/allIntegrationTypes.tsx	Introduce Jira integration type info (placeholder, overview, tags, features) and map ConnectionType.JIRA_TICKET to it.
Jira Authorization Hook clients/admin-ui/src/features/integrations/hooks/useJiraAuthorization.ts	New hook to initiate Jira OAuth, handle errors, redirect to authorization_url, and compute needsAuthorization/isLoading.
UI: Authorization & Flows clients/admin-ui/src/features/integrations/IntegrationBox.tsx, clients/admin-ui/src/features/integrations/ConnectionStatusNotice.tsx, clients/admin-ui/src/features/integrations/hooks/useFeatureBasedTabs.tsx, clients/admin-ui/src/features/integrations/setup-steps/hooks/useAuthorizeIntegrationStep.tsx	Branch UI/authorization logic for Jira vs standard integrations: pass connectionType, adapt messages, button label ("Authorize with Jira"), and requiresAuth computation.
Add-Integration Flow & Filters clients/admin-ui/src/features/integrations/add-integration/SelectIntegrationType.tsx, clients/admin-ui/src/features/integrations/add-integration/ConfigureIntegrationForm.tsx	Feature-flag gated filtering to hide Jira when flag disabled; treat JIRA_TICKET like MANUAL_TASK for secrets/system linking (hide secrets/system selector).
Pages & Routing clients/admin-ui/src/pages/integrations/[id].tsx, clients/admin-ui/src/pages/integrations/index.tsx	Integrate Jira auth flow and OAuth callback handling, shallow route refresh, redirect when alpha flag off, Jira-specific status and tooltip rendering, and dual-flag filtering for queried connection types.
Data-fetch tweak clients/admin-ui/src/features/datastore-connections/.../useDatasetConfigField.tsx	Make dataset-config query conditional using skip: !connectionKey to avoid fetching without a key.
Misc (flags / changelog) changelog/7610.yaml	Add changelog entry referencing the Jira OAuth UI feature.

Sequence Diagram(s)

sequenceDiagram
    participant User as User
    participant UI as Admin UI
    participant API as API Server
    participant Jira as Jira OAuth
    participant DB as Database

    User->>UI: Click "Authorize with Jira"
    UI->>API: POST /plus/oauth/jira/initiate {connection_key}
    API->>DB: Read connection & secrets
    DB-->>API: connection data
    API-->>UI: {authorization_url}
    UI->>Jira: Redirect user to authorization_url
    Jira->>User: User authenticates & approves
    Jira-->>UI: Redirect back with jira_auth param
    UI->>API: Refresh connection/test data
    API->>DB: Check secrets for access_token
    DB-->>API: access_token present
    API-->>UI: Connection authorized
    UI->>User: Show authorization result (authorized / not authorized)

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Suggested reviewers

• gilluminate

Poem

🐰 I hopped to a button, shiny and new,
I nudged the OAuth path right through,
A Jira ticket, a flutter, a bright little cheer,
Tokens and flags make the pathway clear,
Rabbit-approved — integration hops anew!

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title clearly and specifically summarizes the main change: adding Jira Ticket integration OAuth and test flows to the frontend, which is the primary objective of the changeset.
Description check	✅ Passed	The PR description follows the template structure with all required sections completed: ticket reference, detailed description of changes, comprehensive code changes listing, clear confirmation steps, and a pre-merge checklist with relevant items marked.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch ENG-2645

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR wires up the Jira OAuth connection UI in the admin interface — including OAuth initiation, callback handling, connection status display, and feature-flag gating — and extends the backend authorized property to support jira_ticket connections. The integration follows established patterns (e.g., useIntegrationAuthorization, integration type info files, feature flags) and the frontend plumbing is generally sound. However, there are a few issues to address before merging:

• Backend logic bug (connectionconfig.py): The authorized property checks for the presence of the access_token key in secrets rather than its truthiness, so a stored empty or null token would still report the connection as authorized.
• Unintentional regression in plus.slice.ts: The refactor of the custom field definition mutations silently removes Taxonomy History cache invalidation, which could leave the taxonomy UI stale after create/update/delete operations. Additionally, the getCustomFieldDefinitionsByResourceType query was changed from a queryFn (which explicitly mapped HTTP 404 to an empty array) to query + transformResponse (which only runs on successful responses) — if the backend still returns 404 for missing resource types, consumers will now receive an error instead of an empty list.
• Premature cache invalidation: initiateJiraOAuth invalidates "Datastore Connection" at the moment the authorization URL is returned, before any credentials have actually been persisted server-side.

Confidence Score: 2/5

• Not safe to merge without addressing the backend authorization logic bug and confirming the custom field definition cache/404 regression.
• The Jira-specific frontend flow itself is well-constructed and feature-flagged, limiting blast radius. However, the backend authorized property bug means an empty/null token would pass as authorized, a real correctness issue. The unrelated refactoring in plus.slice.ts drops Taxonomy History cache tags and changes 404 semantics for an existing query, both of which could introduce regressions in other parts of the application independent of the Jira feature flag.
• src/fides/api/models/connectionconfig.py (authorization logic) and clients/admin-ui/src/features/plus/plus.slice.ts (Taxonomy History invalidation and 404 handling).

Important Files Changed

Filename	Overview
src/fides/api/models/connectionconfig.py	Extends authorized property for jira_ticket connections; contains a logic bug where key existence is checked rather than value truthiness, meaning a stored empty/null token would still report as authorized.
clients/admin-ui/src/features/plus/plus.slice.ts	Adds initiateJiraOAuth mutation and refactors custom field definition endpoints; the refactor silently drops Taxonomy History cache invalidation from three mutations and changes the getCustomFieldDefinitionsByResourceType query in a way that may break 404 handling for empty result sets.
clients/admin-ui/src/features/integrations/hooks/useJiraAuthorization.ts	New hook that initiates the Jira OAuth flow and derives needsAuthorization state; implementation is clean and follows existing authorization hook patterns.
clients/admin-ui/src/pages/integrations/[id].tsx	Adds OAuth callback handling via useEffect, wires Jira auth hook, and gates Jira detail view behind the feature flag; correctly uses a ref to prevent double-handling and shallow routing to clean up query params.
clients/admin-ui/src/features/integrations/IntegrationBox.tsx	Correctly dispatches to useJiraAuthorization for Jira connections, shows a Jira-specific button label, and passes connectionType to ConnectionStatusNotice.

Comments Outside Diff (2)

1. clients/admin-ui/src/features/plus/plus.slice.ts, line 393 (link)

   Taxonomy History cache invalidation silently removed

   The original createCustomFieldDefinition, updateCustomFieldDefinition, and deleteCustomFieldDefinition mutations each invalidated { type: "Taxonomy History", id: resource_type } and { type: "Taxonomy History", id: field_type } tags. The refactored code drops those tags entirely, meaning UI components that depend on the Taxonomy History cache will no longer refresh automatically after these mutations.

   This change appears unrelated to the Jira integration and looks like it may be an unintentional regression. The same omission applies to the updateCustomFieldDefinition (line ~408) and deleteCustomFieldDefinition (line ~424) mutations. If the Taxonomy History tag is intentionally being retired, please confirm that all dependent queries have been updated accordingly.

2. clients/admin-ui/src/features/plus/plus.slice.ts, line 501-504 (link)

   Cache invalidation timing may be premature

   This mutation only returns a redirect URL and sends the user off-site — no connection state is changed at this point. Invalidating "Datastore Connection" here triggers an unnecessary refetch before the Jira authorization flow has completed and credentials have been saved server-side.

   Consider removing invalidatesTags from this mutation and instead triggering the connection refresh after the authorization completes successfully (inside the OAuth callback handler in [id].tsx).

_{Last reviewed commit: b0e0ac1}

[greptile-apps]

Access token presence check allows falsy values

The expression "access_token" in self.secrets only verifies that the key exists in the dict, not that the value is truthy. A stored access_token of None, "", or 0 would cause authorized to return True even though there is no usable token.

Suggested change

	return bool(self.secrets and "access_token" in self.secrets)
	return bool(self.secrets and self.secrets.get("access_token"))

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

clients/admin-ui/src/pages/integrations/index.tsx (1)

201-230: ⚠️ Potential issue | 🟡 Minor

Check authorization before the last-test tooltip.

After a Jira connection is disconnected, last_test_timestamp can still be populated from the earlier healthy run. With the current ordering, the tag shows Unauthorized but the tooltip still says Last connection: ....

💡 Suggested fix

-        const tooltipText = record.last_test_timestamp
-          ? `Last connection: ${formatDate(record.last_test_timestamp)}`
-          : isJiraTicket && !record.authorized
-            ? "Jira connection has not been authorized"
-            : "The connection has not been tested";
+        const tooltipText =
+          isJiraTicket && !record.authorized
+            ? "Jira connection has not been authorized"
+            : record.last_test_timestamp
+              ? `Last connection: ${formatDate(record.last_test_timestamp)}`
+              : "The connection has not been tested";

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@clients/admin-ui/src/pages/integrations/index.tsx` around lines 201 - 230,
The tooltip logic currently prefers record.last_test_timestamp over
authorization, causing an Unauthorized Jira connection to still show a "Last
connection" tooltip; update the tooltipText computation (near variables
isJiraTicket, getConnectionStatus, tooltipText, and record) to check
isJiraTicket && !record.authorized first and return "Jira connection has not
been authorized" in that case, otherwise fall back to the last_test_timestamp
message or the default "The connection has not been tested".

🧹 Nitpick comments (1)

clients/admin-ui/src/pages/integrations/[id].tsx (1)

132-138: Side effect during render mirrors existing pattern but could be improved.

Calling router.push during render is technically a side effect. This follows the existing pattern at lines 125-130, but both could benefit from being moved into a useEffect to avoid potential React warnings or unexpected behavior during concurrent rendering.

Since this matches the existing code style in the file, this is acceptable for consistency, but consider refactoring both guards to use useEffect in a follow-up.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@clients/admin-ui/src/pages/integrations/`[id].tsx around lines 132 - 138,
Render currently performs a side-effect by calling router.push when connection
exists, connection.connection_type === ConnectionType.JIRA_TICKET, and
!alphaJiraIntegration; move this navigation logic into a React useEffect to
prevent side-effects during render: create a useEffect that depends on
connection, connection.connection_type, alphaJiraIntegration and router (or
router.asPath) and inside it check the same condition and call
router.push(INTEGRATION_MANAGEMENT_ROUTE) so the redirect runs as an effect
rather than during render.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@clients/admin-ui/src/features/datastore-connections/system_portal_config/forms/fields/DatasetConfigField/useDatasetConfigField.tsx`:
- Around line 25-28: The component uses the query result variable data from
useGetConnectionConfigDatasetConfigsQuery(connectionKey, { skip: !connectionKey
}) which can retain the previous successful result when skipped; change to read
currentData instead (or clear derived dataset options when !connectionKey) so
that when connectionKey is falsy the datasets become undefined rather than stale
values—update the useGetConnectionConfigDatasetConfigsQuery usage to extract
currentData and use that in the downstream logic that computes dataset options
(or add an explicit guard that sets options to []/undefined when
!connectionKey).

In `@clients/admin-ui/src/features/integrations/hooks/useJiraAuthorization.ts`:
- Around line 24-43: The handleAuthorize function is not re-entrant safe; add a
guard to prevent concurrent calls (use the existing isLoading from
useInitiateJiraOAuth or a local ref flag like isAuthorizingRef) so if isLoading
or isAuthorizingRef.current is true you return early, set the flag true before
calling initiateJiraOAuth({ connection_key: connection.key }) and clear it in a
finally block, and only set window.location.href after a successful single
response; update handleAuthorize to check and set this guard around the call to
initiateJiraOAuth/unwrap to avoid minting multiple OAuth states and following
stale redirects.

---

Outside diff comments:
In `@clients/admin-ui/src/pages/integrations/index.tsx`:
- Around line 201-230: The tooltip logic currently prefers
record.last_test_timestamp over authorization, causing an Unauthorized Jira
connection to still show a "Last connection" tooltip; update the tooltipText
computation (near variables isJiraTicket, getConnectionStatus, tooltipText, and
record) to check isJiraTicket && !record.authorized first and return "Jira
connection has not been authorized" in that case, otherwise fall back to the
last_test_timestamp message or the default "The connection has not been tested".

---

Nitpick comments:
In `@clients/admin-ui/src/pages/integrations/`[id].tsx:
- Around line 132-138: Render currently performs a side-effect by calling
router.push when connection exists, connection.connection_type ===
ConnectionType.JIRA_TICKET, and !alphaJiraIntegration; move this navigation
logic into a React useEffect to prevent side-effects during render: create a
useEffect that depends on connection, connection.connection_type,
alphaJiraIntegration and router (or router.asPath) and inside it check the same
condition and call router.push(INTEGRATION_MANAGEMENT_ROUTE) so the redirect
runs as an effect rather than during render.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 669b2818-366a-4b94-a893-010d5cfacb17

📥 Commits

Reviewing files that changed from the base of the PR and between 9d24a80 and b0e0ac1.

📒 Files selected for processing (17)

• changelog/7610.yaml
• clients/admin-ui/src/features/datastore-connections/system_portal_config/forms/fields/DatasetConfigField/useDatasetConfigField.tsx
• clients/admin-ui/src/features/integrations/ConnectionStatusNotice.tsx
• clients/admin-ui/src/features/integrations/IntegrationBox.tsx
• clients/admin-ui/src/features/integrations/add-integration/ConfigureIntegrationForm.tsx
• clients/admin-ui/src/features/integrations/add-integration/SelectIntegrationType.tsx
• clients/admin-ui/src/features/integrations/add-integration/allIntegrationTypes.tsx
• clients/admin-ui/src/features/integrations/hooks/useFeatureBasedTabs.tsx
• clients/admin-ui/src/features/integrations/hooks/useJiraAuthorization.ts
• clients/admin-ui/src/features/integrations/integration-type-info/jiraTicketInfo.tsx
• clients/admin-ui/src/features/integrations/setup-steps/hooks/useAuthorizeIntegrationStep.tsx
• clients/admin-ui/src/features/plus/plus.slice.ts
• clients/admin-ui/src/flags.json
• clients/admin-ui/src/pages/integrations/[id].tsx
• clients/admin-ui/src/pages/integrations/index.tsx
• clients/admin-ui/src/types/api/models/ConnectionType.ts
• src/fides/api/models/connectionconfig.py

[JadeCara]

Tried it locally! No issues :)

[jpople]

Code looks good and did some manual testing, everything working as expected for me.