Change notice - Enhanced Validation of OAuthClientIds

What is changing?

Connect allocates each app a unique OAuthClientId. During the installation of an app, Connect passes the OAuthClientId to the app along with other parameters in the installation payload. When a site undergoes an import operation, the site’s clientKey will change and all connect apps are removed. If the app is subsequently installed on the site, the app will receive a new install callback with the new client key and an updated OAuthClientId value.

Atlassian Connect is enhancing the security of impersonation token requests to ensure older OAuthClientId are no longer accepted.

Currently older OAuthClientIds for a site may be used to send impersonation requests. This change will ensure that any received OAuthCliendIds are current, otherwise, the call will be rejected.

Once these changes reach production, an app making a token request using an expired OAuthClientId will receive a response with a 400 status code.

Why is this changing?

This change enhances Connect security by ensuring old OAuthClientId values can not be used. We realize that many apps have retained these old values and the associated clientKey values.

When will this change take effect?

We had commenced a progressive rollout of this change as we did not expect apps to be using expired values. In addition, where apps did use old values, we did not expect failures to cause significant issues for apps. From app vendor feedback we now realize this impacted some app operations.

We plan to re-commence rollout of this change in a more progressive manner.

• May 12: Changes will be released to the Jira and Confluence Cloud Vendor First program.
• June 16: Changes will be progressively rolled out to all remaining Jira and Confluence tenants on an app by app basis. Over a two week period, we’ll increase the percentage of apps receiving the change nominally from 5% to 50% to 100%. These dates and rollout percentages may change depending on whether issues are encountered by customers.

Testing your app?

Only Connect apps employing user impersonation are at risk from these changes. If this is the case for your app, then you should following procedure to ensure the app will be affected:

1. Create a new tenant by visiting http://go.atlassian.com/cloud-dev.
2. Enroll the tenant in the Cloud Vendor First program:
   1. Jira: http://go.atlassian.com/cloud-vendor-first-jira-form
   2. Confluence: http://go.atlassian.com/cloud-vendor-first-confluence-form
3. Install your app.
4. Export the site’s data and then import it back to the same site.
5. At this stage your app will be uninstalled and the site will have a new clientKey and OAuthClientId.
6. Re-install your app.
7. After May 12 (when the changes are enabled for Cloud Vendor First tenants), test your app’s features that utilize user impersonation.

Community thread

Visit this community thread to discuss these changes.