Connect allocates each app a unique . During the installation of an app, Connect passes the to the app along with other parameters in the installation payload. When a site undergoes an import operation, the site’s will change and all connect apps are removed. If the app is subsequently installed on the site, the app will receive a new install callback with the new client key and an updated value.
Atlassian Connect is enhancing the security of impersonation token requests to ensure older OAuthClientIds are no longer accepted.
Currently, older OAuthClientIds for a site may be used to send impersonation requests. This change will ensure that any received OAuthClientIds are current; otherwise, the call will be rejected.
Once these changes reach production, an app making a token request using an expired OAuthClientId will receive a response with a 400 status code.
This change enhances Connect security by ensuring old values cannot be used. We realize that many apps have retained these old values and the associated values.
We had commenced a progressive rollout of this change as we did not expect apps to be using expired values. In addition, where apps did use old values, we did not expect failures to cause significant issues for apps. From app vendor feedback we now realize this impacted some app operations.
We plan to re-commence rollout of this change in a more progressive manner.
Only Connect apps employing user impersonation are at risk from these changes. If this is the case for your app, then you should follow the following procedure to ensure the app will not be affected:
Visit this community thread to discuss these changes.