Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-77582

Successful user login events are not added to the audit log when using a personal access token

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Low Low
    • None
    • 8.14.0, 8.20.0, 9.0.0, 9.4.0, 9.12.0, 9.14.0
    • Security

      Issue Summary

      When users authenticate on Jira, this information should be added as new events on the audit log when full coverage is enabled for the Security category.

      Requests made with personal access tokens (PAT) for REST API won't create a new entry on the audit log.

      Steps to Reproduce

      1. Install a vanilla instance of Jira Software Data Center.
        • This was validated on Jira 9.14.0 but dates back from initial PAT implementation on Jira 8.14.0.
      2. Enable full coverage for the Security category on the Audit logs.
      3. Run a sample REST API call using basic authentication.
        curl -v \
          -u user001:user001 \
          'Jira-Base-URL/rest/api/latest/myself'
        
      4. Search for new events on the Audit Log and notice the User login successful event.
      5. Run the same REST API call using a personal access token (PAT).
        curl -v \
          -H 'Authorization: Bearer user001-token' \
          'Jira-Base-URL/rest/api/latest/myself'
        
      6. Search for new events on the Audit Log

      Expected Results

      A new User login successful event is logged as part of the REST API request.

      Actual Results

      No new event is added.
      It seems the personal access token code isn't firing a user login event.
      This makes auditing inconsistent when personal access tokens (PAT) are used.

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.

              vkovalskiy Vadym Kovalskiy (Inactive)
              tmasutti Thiago Masutti
              Votes:
              1 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated: