Admin Guide
App Configuration
Administrators can adjust the app settings in the corresponding management section.
Jira
In Jira, navigate to the User management section and select API Token Authentication.
The System-Wide Settings tab contains all settings that apply to every user of the app.
Admins can create their own tokens in the API Tokens tab.
Confluence
In Confluence, scroll down to the Users & Security section in the administration configuration panel and select API Token Authentication.
System-Wide Settings
The app contains a few System-Wide Settings, available to administrators only.
Settings here apply to all users accessing the REST API with Basic Authentication and to any of the tokens they have created for their user in Jira or Confluence.
More details about the options currently available follow below.
Token Validity Time
Administrators can define a maximum validity time for tokens, if required.
Options are:
- Never
- 6 month
- 1 year
- 2 years
Users may override this according to the boundaries allowed.
Examples:
- System Wide Setting is 6 month - users can select 6 month only, nothing else
- System Wide Setting is 1 year - users can select 1 year or 6 month, nothing else
- System Wide Setting is 2 years - users can select 2 years, 1 year or 6 month, nothing else
- System Wide Setting is Never - users can select any validity time from the select list
IP Address Restrictions
Admins may restrict REST API requests by IP address or address range. This restriction applies to both token and password authentication, unless the latter has been disabled (see next section).
Just enter one or more addresses or address ranges with the + button or delete existing ones and save your settings.
If no addresses were provided, requests from every IP address will be allowed.
If you need to find out why you can't access the REST API after applying IP restrictions, please read our troubleshooting guide.
Disable Basic Auth with passwords
You may want to disable password authentication for REST endpoints completely. With this option enabled, a 403 status code is returned whenever the token provided does not match any user's tokens.
With Basic Auth and user passwords still enabled, Jira instead falls back to authenticating the user by password, provided that the password is correct.
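As an added illustration (not the app's own code), the following Python models the decisions the two settings above produce for one REST request: the IP restriction is evaluated first and applies regardless of credential type, then the supplied secret is tried as an API token, and only while password authentication is still enabled does a correct password get the user in. Names such as SystemWideSettings and authenticate are invented, the sample users and secrets are constructed, and the digest-based credential store is an assumption made for the example, not a description of how the app stores tokens.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SystemWideSettings:
    """Subset of the System-Wide Settings discussed above (hypothetical field names)."""
    allowed_ips: List[str] = field(default_factory=list)  # addresses or CIDR ranges; empty = allow all
    password_auth_disabled: bool = False                   # "Disable Basic Auth with passwords"


def _digest(secret: str) -> str:
    # Assumption for this example: secrets are stored only as SHA-256 digests.
    return hashlib.sha256(secret.encode()).hexdigest()


def _matches(secret: str, digests: Set[str]) -> bool:
    # Constant-time comparison against every digest stored for the user.
    candidate = _digest(secret)
    return any(hmac.compare_digest(candidate, stored) for stored in digests)


def ip_allowed(settings: SystemWideSettings, client_ip: str) -> bool:
    """If no addresses were provided, requests from every IP address are allowed."""
    if not settings.allowed_ips:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in settings.allowed_ips)


def authenticate(settings: SystemWideSettings,
                 token_store: Dict[str, Set[str]],
                 password_store: Dict[str, str],
                 client_ip: str, username: str, secret: str) -> Tuple[int, Optional[str]]:
    """Return (HTTP status, authenticated username or None) for a Basic Auth request."""
    # The IP restriction applies to both token and password authentication.
    if not ip_allowed(settings, client_ip):
        return 403, None
    # First try the secret as one of the user's API tokens.
    if _matches(secret, token_store.get(username, set())):
        return 200, username
    # No token matched: with password authentication disabled, reject outright.
    if settings.password_auth_disabled:
        return 403, None
    # Otherwise fall back to the user's password (403 on failure is an assumption).
    if username in password_store and _matches(secret, {password_store[username]}):
        return 200, username
    return 403, None


# Constructed sample credential stores for the example.
TOKENS = {"alice": {_digest("tok-alice-1"), _digest("tok-alice-2")}}
PASSWORDS = {"alice": _digest("correct horse")}

if __name__ == "__main__":
    strict = SystemWideSettings(allowed_ips=["10.0.0.0/24"], password_auth_disabled=True)
    print(authenticate(strict, TOKENS, PASSWORDS, "10.0.0.5", "alice", "tok-alice-1"))
    print(authenticate(strict, TOKENS, PASSWORDS, "10.0.0.5", "alice", "correct horse"))
    print(authenticate(strict, TOKENS, PASSWORDS, "192.0.2.9", "alice", "tok-alice-1"))
```

The order of checks matters for troubleshooting: a request rejected by the IP restriction never reaches the token or password check, which is why a correct token still yields 403 from an address outside the configured ranges.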
Permissions
Allow only admins to create tokens
With this option enabled, sysadmin users can create tokens for themselves or for other users (currently via the REST API only).
Token creation for other users will soon also be possible via the admin UI.
With this option enabled, non-sysadmin users can no longer create tokens for their own account, whether via REST or the web interface.
The API Token Authentication link is removed from their top-right user settings picker (see User Guide); if they browse to the page manually,
they see an info box instead:
Trying to create a token from a page that is still open results in a 403 Forbidden:
Allow regular users to use tokens created for them
Even with only admins being able to create tokens, you might want to allow your regular users to use the tokens created for them,
or to continue using tokens they created while that was still allowed:
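The validity ceiling from Token Validity Time and the two permission options above combine into a small policy that is easy to get wrong when reasoning about it by hand. The following Python is an added example, not the app's code: the option labels are the page's, while Settings, allowed_validity_options, check_token_creation and may_use_token are invented names, the 400 status for an out-of-range validity is an assumption, and so is the rule that only sysadmins may create tokens for other users.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Validity options from the select list, in months; None stands for "Never" (no limit).
VALIDITY_MONTHS = {"Never": None, "6 month": 6, "1 year": 12, "2 years": 24}


@dataclass
class Settings:
    """The three System-Wide options modelled here (hypothetical field names)."""
    max_validity: str = "Never"           # Token Validity Time
    only_admins_create: bool = False      # Allow only admins to create tokens
    users_may_use_tokens: bool = True     # Allow regular users to use tokens created for them


def allowed_validity_options(settings: Settings) -> List[str]:
    """Options a user may pick: every option not longer than the system-wide maximum.
    With "Never" as the maximum, any validity time from the list may be chosen."""
    ceiling = VALIDITY_MONTHS[settings.max_validity]
    if ceiling is None:
        return list(VALIDITY_MONTHS)
    return [name for name, months in VALIDITY_MONTHS.items()
            if months is not None and months <= ceiling]


def check_token_creation(settings: Settings, requester_is_admin: bool,
                         for_self: bool, validity: str) -> Tuple[bool, int]:
    """Return (allowed, HTTP status) for a token-creation request."""
    # Admin-only creation: non-sysadmins get 403 via REST and the web UI alike.
    if settings.only_admins_create and not requester_is_admin:
        return False, 403
    # Assumption: creating tokens on behalf of other users is reserved for sysadmins.
    if not for_self and not requester_is_admin:
        return False, 403
    # The chosen validity must stay within the system-wide ceiling (400 is an assumption).
    if validity not in allowed_validity_options(settings):
        return False, 400
    return True, 200


def may_use_token(settings: Settings, owner_is_admin: bool) -> bool:
    """Whether a token's owner may authenticate with it under the current settings."""
    if owner_is_admin or not settings.only_admins_create:
        return True
    # Regular users keep using tokens created for them (or earlier by themselves)
    # only while the corresponding option is enabled.
    return settings.users_may_use_tokens


if __name__ == "__main__":
    locked_down = Settings(max_validity="1 year", only_admins_create=True,
                           users_may_use_tokens=True)
    print(allowed_validity_options(locked_down))
    print(check_token_creation(locked_down, requester_is_admin=False, for_self=True, validity="6 month"))
    print(check_token_creation(locked_down, requester_is_admin=True, for_self=False, validity="2 years"))
    print(may_use_token(locked_down, owner_is_admin=False))
```

Running the main block shows the three settings interacting: with a one-year ceiling and admin-only creation, a regular user is refused outright, an admin creating for someone else is still bound by the ceiling, and the regular user can nevertheless authenticate with a token an admin created for them.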
Pitfalls
When testing with wrong passwords or tokens, be aware that every attempt is recorded as a failed login, and the count can quickly get too high.
Go to your user manager and reset the failed login count for the user you are testing with.
Logging
Audit Logging
Since version 1.1.0, creating and deleting tokens (deleting either a single token or, as an admin, all tokens of a user)
creates an audit log record in Jira (https://your-jira/auditing/view) or Confluence (https://your-confluence/admin/auditlogging.action).
This becomes especially important when an admin creates a token on behalf of another user, and in general for tracing API token usage.
Logfile
After changing the log level for the package de.resolution.apitokenauth to INFO
- Jira: https://your-jira/secure/admin/ViewLogging.jspa (read here on how to make the log level persistent)
- Confluence: https://your-confluence/admin/viewlog4j.action (read here on how to make the log level persistent)
you'll see two authentication-related entries in the log file of Jira or Confluence, containing a description of the event,
the username and the path of the REST endpoint for the call.