
ENG-3015: Add API key auth fields to JiraTicketSchema#7678

Merged
JadeCara merged 5 commits into main from ENG-3015-jira-dual-auth
Mar 18, 2026

@JadeCara JadeCara commented Mar 17, 2026

Ticket ENG-3015

Description Of Changes

Add dual authentication support to the jira_ticket connection type schema. This extends JiraTicketSchema with API key fields (domain, username, api_key) alongside existing OAuth 2.0 fields, enabling customers who already have a Jira SaaS connector to reuse their API key credentials for ticket creation without going through a separate OAuth flow.

A Pydantic model_validator enforces mutual exclusivity — OAuth and API key credentials cannot coexist on the same connection.

Note: This is the OSS schema change. The corresponding fidesplus PR adds client, service, and route changes that consume this schema.

Code Changes

  • src/fides/api/schemas/connection_configuration/connection_secrets_jira_ticket.py — Add domain, username, api_key fields + mutual exclusivity validator; modernize Optional[str] → str | None
  • tests/service/test_jira_ticket_connection.py — Add tests for API key secrets validation, partial API key, and mixed credential rejection

Steps to Confirm

  1. Verify schema accepts valid API key credentials:
    JiraTicketSchema(domain="company.atlassian.net", username="user@co.com", api_key="token")
  2. Verify schema rejects mixed OAuth + API key credentials:
    JiraTicketSchema(access_token="tok", domain="company.atlassian.net")  # raises ValidationError
  3. Run pytest tests/service/test_jira_ticket_connection.py

Pre-Merge Checklist

  • Issue requirements met
  • All CI pipelines succeeded
  • CHANGELOG.md updated
    • Add a db-migration label to the entry if your change includes a DB migration
    • Add a high-risk label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
    • Updates unreleased work already in Changelog, no new entry necessary
  • UX feedback:
    • All UX related changes have been reviewed by a designer
    • No UX review needed
  • Followup issues:
    • Followup issues created
    • No followup issues
  • Database migrations:
    • Ensure that your downrev is up to date with the latest revision on main
    • Ensure that your downgrade() migration is correct and works
      • If a downgrade migration is not possible for this change, please call this out in the PR description!
    • No migrations
  • Documentation:
    • Documentation complete, PR opened in fidesdocs
    • Documentation issue created in fidesdocs
    • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
    • No documentation updates required

Add domain, username, and api_key fields to JiraTicketSchema alongside
existing OAuth fields. A model validator enforces mutual exclusivity
between OAuth and API key credential groups.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@JadeCara JadeCara marked this pull request as ready for review March 17, 2026 17:23
@JadeCara JadeCara requested a review from a team as a code owner March 17, 2026 17:23
@JadeCara JadeCara requested review from vcruces and removed request for a team March 17, 2026 17:23
greptile-apps bot commented Mar 17, 2026

Greptile Summary

This PR extends JiraTicketSchema with API key authentication fields (domain, username, api_key) and adds a Pydantic model_validator to enforce that OAuth and API key credentials cannot coexist on the same connection. It also modernizes Optional[str] type annotations to the str | None union syntax throughout the schema.

Key changes:

  • JiraTicketSchema gains three new optional fields for API key auth, with inline comments clarifying their purpose
  • A model_validator(mode="after") checks for mixed credential groups and raises a descriptive ValueError if both are present
  • Module-level _OAUTH_FIELDS / _API_KEY_FIELDS tuples keep the validator readable and easy to update
  • Four new unit tests cover valid API key credentials, partial credentials, and two mixed-credential rejection scenarios
  • JiraTicketDocsSchema (which inherits NoValidationSchema) correctly bypasses the validator for API docs purposes

Minor issue found:

  • The error message in _check_mutual_exclusivity lists only three of the five OAuth fields (access_token, cloud_id, site_url), omitting refresh_token and token_expiry. If either of those omitted fields triggers the validator, the error message will not mention them, making debugging harder.

Confidence Score: 4/5

  • Safe to merge with one minor fix to the validator error message for completeness.
  • The implementation is clean and well-tested. The mutual exclusivity validator logic is correct — all five _OAUTH_FIELDS are properly checked. The only issue is that the human-readable error message omits refresh_token and token_expiry, which could make debugging harder but does not affect correctness. No DB migrations, no breaking changes to existing OAuth behaviour.
  • No files require special attention beyond the minor error message improvement in connection_secrets_jira_ticket.py.

Important Files Changed

Filename: Overview

  • src/fides/api/schemas/connection_configuration/connection_secrets_jira_ticket.py: Adds domain, username, and api_key fields to JiraTicketSchema with a model_validator enforcing mutual exclusivity between OAuth and API key credentials. Clean implementation; minor issue with the error message omitting refresh_token and token_expiry from the listed OAuth fields.
  • tests/service/test_jira_ticket_connection.py: Adds four new tests covering the API key auth path: valid full credentials, valid partial credentials, and two mixed-credential rejection cases. Coverage is solid for the happy path and main rejection cases; refresh_token/token_expiry mixed with API key fields is not explicitly exercised but the validator logic covers it.
  • changelog/7678-jira-dual-auth-schema.yaml: Changelog entry accurately describes the dual-auth schema addition.

Last reviewed commit: 5af2701

Jade Wibbels and others added 2 commits March 17, 2026 12:39
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Include refresh_token and token_expiry in the error message so users
can identify which field is causing the conflict.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@vcruces vcruces left a comment

Looks good to me, simple change

@JadeCara JadeCara added this pull request to the merge queue Mar 18, 2026
Merged via the queue into main with commit 4efd5ed Mar 18, 2026
79 of 81 checks passed
@JadeCara JadeCara deleted the ENG-3015-jira-dual-auth branch March 18, 2026 20:43