Connect allocates each app a unique OAuthClientId. During the installation of an app, Connect passes the OAuthClientId to the app along with other parameters in the installation payload. When a site undergoes an import operation, the site's clientKey will change and all Connect apps are removed. If the app is subsequently installed on the site, the app will receive a new install callback with the new clientKey and an updated OAuthClientId value.
Atlassian Connect is enhancing the security of impersonation token requests to ensure older OAuthClientId values are no longer accepted. Currently, older OAuthClientId values for a site may be used to send impersonation requests. This change will ensure that any received OAuthClientId is current; otherwise, the call will be rejected.
Once these changes reach production, an app making a token request using an expired OAuthClientId will receive a response with a 400 status code.
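The install-callback handling and the 400 response described above, as an added Python example that is not Atlassian's code: it keeps one tenant record per site, replaces that record on every install callback (so values from before a site import never survive a reinstall), and treats a 400 from a token request as a signal that the stored OAuthClientId is stale. The payload field names `baseUrl`, `clientKey` and `oauthClientId`, the sample ids and the in-memory authorization server are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Tenant:
    base_url: str
    client_key: str
    oauth_client_id: str
    stale: bool = False  # set when the token endpoint rejects this id

class TenantStore:
    """One record per site; an install callback always replaces it."""
    def __init__(self):
        self.tenants = {}  # baseUrl -> Tenant
    def handle_installed(self, payload):
        # After a site import the reinstall delivers a new clientKey and OAuthClientId;
        # overwriting the record (rather than keeping history) retires the old values.
        t = Tenant(payload["baseUrl"], payload["clientKey"], payload["oauthClientId"])
        self.tenants[t.base_url] = t
        return t

class FakeAuthServer:
    """Constructed stand-in for the Connect authorization server: honours only
    the OAuthClientId of each site's latest installation."""
    def __init__(self):
        self.current = {}  # baseUrl -> current OAuthClientId
    def token(self, base_url, oauth_client_id):
        if self.current.get(base_url) != oauth_client_id:
            return 400, None  # expired or unknown OAuthClientId is rejected
        return 200, "token-for-" + oauth_client_id

def request_impersonation_token(store, auth, base_url):
    """Use the stored id; on 400, flag the record instead of retrying blindly."""
    t = store.tenants[base_url]
    status, token = auth.token(base_url, t.oauth_client_id)
    if status == 400:
        t.stale = True  # the next install callback will supply fresh values
    return status, token

def simulate_site_import():
    """Install -> site import -> reinstall; returns the three token statuses and the record."""
    store, auth, site = TenantStore(), FakeAuthServer(), "https://example.atlassian.net"
    auth.current[site] = "cid-1"  # constructed sample ids
    store.handle_installed({"baseUrl": site, "clientKey": "key-1", "oauthClientId": "cid-1"})
    s1, _ = request_impersonation_token(store, auth, site)
    auth.current[site] = "cid-2"  # import: new clientKey/OAuthClientId, app removed
    s2, _ = request_impersonation_token(store, auth, site)  # app still holds cid-1
    store.handle_installed({"baseUrl": site, "clientKey": "key-2", "oauthClientId": "cid-2"})
    s3, _ = request_impersonation_token(store, auth, site)
    return [s1, s2, s3], store.tenants[site]
```

Running `simulate_site_import()` yields statuses `[200, 400, 200]`: the request made between the import and the reinstall is the one a retained, expired OAuthClientId produces.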
This change enhances Connect security by ensuring old OAuthClientId values cannot be used. We realize that many apps have retained these old values and the associated clientKey values.
We had commenced a progressive rollout of this change as we did not expect apps to be using expired values. In addition, where apps did use old values, we did not expect failures to cause significant issues for apps. From app vendor feedback we now realize this impacted some app operations.
We plan to re-commence rollout of this change in a more progressive manner.
Only Connect apps employing user impersonation are at risk from these changes. If this is the case for your app, then you should follow this procedure to ensure the app will not be affected:
clientKey and OAuthClientId.
Visit this community thread to discuss these changes.