How to store third-party passwords in my SaaS?

I’m adding JIRA integration to Feature Upvote. To do this, we need the user to supply us with credentials for a JIRA account. This includes a username and password. We need to store these in our database.

Now, normally I’d never store a password in a database table in a way that it could be read or decrypted. But I’m a bit puzzled how to do this when I require the decrypted password for my SaaS to access Jira on behalf of the customer.

How have you handled this?

Don’t store third party passwords at all. Instead, utilise the service’s APIs to integrate with your SaaS.

For example, Jira has an API and it has support for OAuth authentication (https://developer.atlassian.com/cloud/jira/platform/jira-rest-api-oauth-authentication/). In this model, the user grants your SaaS (a consumer in OAuth parlance) access to their Jira account (a resource). Usernames and passwords are never seen or required by your SaaS; instead, after the user authenticates, you get an access token which you can store and use for subsequent API requests.

12 Likes

When we implemented JIRA support in Honeybadger, JIRA didn’t offer OAuth… we had to store usernames and passwords in our database. Since we use Postgres, we use the pgp_pub_encrypt_bytea and pgp_pub_decrypt_bytea functions of the pg_crypto extension to encrypt and decrypt that data. If you have to have access to the plaintext version of the password at some point (e.g., when interacting with their API), it’s the best you can do. Just be sure not to store the private key with the rest of the database data. :)

1 Like
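A concrete form of the Postgres approach described in the post above, added here as an example and not Honeybadger's own schema or code; the table, column and key-file names, the psql variables and the sample values are all assumptions. Only the public key is ever handed to the database; the private key and its passphrase come from the application's secret store at decrypt time.

```sql
-- Enable pgcrypto, the extension that provides pgp_pub_encrypt_bytea / pgp_pub_decrypt_bytea
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Hypothetical table for the stored Jira credentials; only ciphertext lands in the row
CREATE TABLE jira_credentials (
    account_id        bigint PRIMARY KEY,
    jira_base_url     text   NOT NULL,
    jira_username     text   NOT NULL,
    jira_password_enc bytea  NOT NULL   -- PGP-encrypted password, never plaintext
);

-- The PGP public key may live in app config or the database; the private key must not.
-- For this illustration both are supplied as psql variables (\set or -v), e.g.:
--   \set pubkey  `cat jira-integration.pub.asc`
--   \set privkey `cat jira-integration.sec.asc`   -- held by the app server, not in Postgres
--   \set privpw  'passphrase-protecting-the-private-key'

-- Store: encrypt the customer's Jira password with the public key only
INSERT INTO jira_credentials (account_id, jira_base_url, jira_username, jira_password_enc)
VALUES (
    42,
    'https://example.atlassian.net',        -- constructed sample values
    'integration-bot',
    pgp_pub_encrypt_bytea(convert_to('correct horse battery staple', 'UTF8'),
                          dearmor(:'pubkey'))
);

-- Use: decrypt only at the moment the app needs to call Jira on the customer's behalf
SELECT jira_base_url,
       jira_username,
       convert_from(pgp_pub_decrypt_bytea(jira_password_enc,
                                          dearmor(:'privkey'),
                                          :'privpw'), 'UTF8') AS jira_password
FROM jira_credentials
WHERE account_id = 42;

-- Caveat: in this layout the private key travels over the connection and would be written
-- to the server log if log_statement captures the query; decrypting in the application
-- process with a PGP library keeps the private key out of the database entirely.
```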

Thanks @glenscott and @stympy. Between these two approaches, I should be able to solve this adequately.