suparious
Description

This PR fixes authentication failures when using Personal Access Tokens (PATs) with Atlassian Server/Data Center instances. Server/DC PATs require Bearer authentication, but the current implementation incorrectly uses Basic authentication, resulting in 401 Unauthorized errors.

The fix properly implements Bearer authentication for Server/DC PATs while maintaining backward compatibility with Cloud instances and other authentication methods.

Fixes: #590 #648

Changes

  • Added utils/auth.py with configure_server_pat_auth() function to properly set Bearer authentication headers
  • Updated jira/client.py to detect Server/DC instances and use Bearer auth for PATs
  • Updated confluence/client.py with the same Server/DC PAT authentication logic
  • Updated integration tests to verify Bearer headers are correctly set for Server/DC PATs
  • Added unit tests for the new authentication utility

Testing

  • Unit tests added/updated
    • Added tests/unit/utils/test_auth.py to test Bearer header configuration
    • Updated existing PAT tests to verify Bearer authentication
  • Integration tests passed
    • Modified tests/integration/test_authentication.py to verify Server/DC PAT flow
  • Manual checks performed:
    • Tested against Jira Server 10.3.6 with PAT - successful authentication
    • Tested against Confluence Server with PAT - successful authentication
    • Verified backward compatibility with Cloud instances (API tokens still work)
    • Created test script test_server_pat.py for validation

Test Environment Details:

  • Jira Server: Version 10.3.6, URL pattern: https://jira.company.com
  • Confluence Server: Data Center instance, URL pattern: https://wiki.company.com
  • Authentication: Personal Access Tokens (PATs) with Bearer authentication
  • Verification: Successfully retrieved projects from Jira and pages from Confluence

Checklist

  • Code follows project style guidelines (linting passes).
  • Tests added/updated for changes.
  • All tests pass locally.
  • Documentation updated (if needed).
    • Added AUTH_FIX.md documenting the authentication matrix and fix details
    • Updated docstrings to clarify Server/DC vs Cloud authentication

Additional Context

Authentication Matrix After Fix:

| Instance Type | Auth Method | Implementation | Status |
|---|---|---|---|
| Cloud | API Token | Basic Auth (username + token) | ✅ Unchanged |
| Cloud | OAuth | Bearer Auth (via OAuth flow) | ✅ Unchanged |
| Server/DC | Username/Password | Basic Auth | ✅ Unchanged |
| Server/DC | PAT | Bearer Auth | ✅ Fixed (was broken) |

Why This Fix is Important:

Many organizations use self-hosted Atlassian Server/Data Center instances with PAT authentication for security reasons. The current implementation fails for these users because it incorrectly attempts Basic authentication with PATs, which Server/DC instances reject with 401 errors.

This fix enables the MCP Atlassian tool to work with:

  • Atlassian Server (being phased out but still in use)
  • Atlassian Data Center (the enterprise self-hosted solution)
  • Organizations that cannot use Cloud instances due to data sovereignty requirements

Backward Compatibility:

The fix maintains 100% backward compatibility:

  • Cloud instances continue using the existing authentication methods
  • OAuth authentication is unchanged
  • Basic auth with username/password still works for Server/DC
  • The fix only affects PAT authentication for Server/DC instances

Related Documentation:

- Added dedicated endpoint for fetching Jira issue comments
- Supports configurable limits (1-1000 comments)
- Automatically converts Jira markup to Markdown
- Includes full comment metadata (author, timestamps, etc.)
- Added comprehensive tests and documentation
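
Added example, not code from this PR or from the project: a stand-alone sketch of the authentication matrix in the description, choosing the `Authorization` header per instance type and credential. The function names, the hostname-suffix Cloud check and the whitespace guard on the PAT are assumptions made for illustration.

```python
import base64
from urllib.parse import urlparse

# Assumption: Cloud sites are recognised by hostname suffix. The PR says the
# clients "detect Server/DC instances" but does not show how.
CLOUD_SUFFIXES = (".atlassian.net",)


def is_cloud(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(CLOUD_SUFFIXES)


def _basic(user: str, secret: str) -> str:
    raw = f"{user}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def authorization_header(url, *, username=None, api_token=None,
                         password=None, personal_token=None,
                         oauth_access_token=None) -> str:
    """Return the Authorization value for one row of the PR's matrix."""
    if is_cloud(url):
        if personal_token:
            raise ValueError("matrix has no Cloud + PAT row")
        if oauth_access_token:
            return f"Bearer {oauth_access_token}"
        if username and api_token:
            return _basic(username, api_token)
        raise ValueError("Cloud needs OAuth or username + API token")
    if personal_token:
        # The row the PR fixes: the PAT is sent as a Bearer token and is
        # never wrapped in Basic, which Server/DC answers with 401.
        if any(ch.isspace() for ch in personal_token):
            raise ValueError("PAT contains whitespace; refusing to build header")
        return f"Bearer {personal_token}"
    if username and password:
        return _basic(username, password)
    raise ValueError("Server/DC needs a PAT or username + password")
```
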

SharkyND commented Sep 4, 2025

Hey @suparious, thanks for raising this fix. The issue with this implementation is that we need to create PATs for both Jira and Confluence, so in that scenario, how can you pass both of Auth PATs in your header? Especially with GitHub Copilot, the mcp.json file needs to have separate config for Jira and Confluence, something like this:

    "Jira": {
        "url": "http://localhost:8000/mcp",
        "headers": {
            "Authorization": "Token <PAT>"
        },
        "type": "http"
    },
    "Confluence": {
        "url": "http://localhost:8000/mcp",
        "headers": {
            "Authorization": "Token <PAT>"
        },
        "type": "http"
    }

The problem with this approach is it discovers tools for Jira and Confluence for both of the configs: 44 each, 88 in total. Currently there is a limitation of 128 tools for GitHub Copilot (microsoft/vscode-copilot-release#13065), hence this redundancy feels like a waste, since other tools need to be selected for the prompt.

I encourage you to check out this PR:
#683

This tries to fix the issue of Datacenters by passing both headers at once, so you would need something like:

    "Atlassian": {
        "url": "http://localhost:8000/mcp",
        "headers": {
            "X-Atlassian-Read-Only-Mode": "true",
            "X-Atlassian-Jira-Personal-Token": "<PAT>",
            "X-Atlassian-Jira-Url": "<Ent. Jira Url>",
            "X-Atlassian-Confluence-Personal-Token": "<PAT>",
            "X-Atlassian-Confluence-Url": "<Ent. Confluence Url>"
        },
        "type": "http"
    }

Let me know if this helps.

This pull request has been automatically marked as stale because it has not had recent activity for 14 days. It will be closed if no further activity occurs. Please leave a comment or remove the 'stale' label if you believe this PR is still relevant. Thank you for your contributions!

@github-actions github-actions bot added the stale label Sep 19, 2025
Successfully merging this pull request may close these issues.

[Bug]: Passing PAT from headers not working