- Bug
- Resolution: Unresolved
- Low
- None
- 8.14.0, 8.20.0, 9.0.0, 9.4.0, 9.12.0, 9.14.0
- 8.14
- 1
- Severity 3 - Minor
Issue Summary
When users authenticate to Jira, the authentication should be recorded as a new event in the audit log when full coverage is enabled for the Security category.
Requests made to the REST API with a personal access token (PAT) do not create a new entry in the audit log.
Steps to Reproduce
- Install a vanilla instance of Jira Software Data Center.
- This was validated on Jira 9.14.0 but dates back to the initial PAT implementation in Jira 8.14.0.
- Enable full coverage for the Security category on the Audit logs.
- Run a sample REST API call using basic authentication.
  curl -v \
    -u user001:user001 \
    'Jira-Base-URL/rest/api/latest/myself'
- Search for new events on the Audit Log and notice the User login successful event.
- Run the same REST API call using a personal access token (PAT).
  curl -v \
    -H 'Authorization: Bearer user001-token' \
    'Jira-Base-URL/rest/api/latest/myself'
- Search for new events on the Audit Log.
Expected Results
A new User login successful event is logged as part of the REST API request.
Actual Results
No new event is added.
It seems the personal access token code isn't firing a user login event.
This makes auditing inconsistent when personal access tokens (PAT) are used.
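To confirm the gap on a given instance, the audit events can be matched against the time window of each request, so that the earlier basic-authentication event is not counted for the PAT call. The check below is an added example, not code from Atlassian or from this ticket; the event field names (`timestamp`, `author`, `action`), the two-second slack and the sample data are assumptions constructed for illustration.

```python
# Added example, not Atlassian code. The event fields ("timestamp", "author",
# "action") are assumed names for an exported audit log, not Jira's schema.
from datetime import datetime, timedelta

LOGIN_ACTION = "User login successful"  # event name quoted in the report

def login_events_for(events, user, sent_at, done_at, slack=timedelta(seconds=2)):
    """Login events for `user` written while the request was in flight.

    Filtering by user and time window keeps the earlier basic-auth event, or
    another user's login, from being mistaken for the PAT request's event.
    """
    hits = []
    for ev in events:
        if ev.get("action") != LOGIN_ACTION or ev.get("author") != user:
            continue
        if sent_at <= datetime.fromisoformat(ev["timestamp"]) <= done_at + slack:
            hits.append(ev)
    return hits

def audit_coverage(events, requests):
    """Map each request's auth method to True if it produced a login event."""
    return {r["auth"]: bool(login_events_for(events, r["user"], r["sent_at"], r["done_at"]))
            for r in requests}

def unaudited_methods(events, requests):
    """Auth methods whose request left no login event in the audit log."""
    return sorted(m for m, seen in audit_coverage(events, requests).items() if not seen)

# Constructed sample: audit events and request times for the two curl calls.
T = datetime.fromisoformat
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T10:00:01", "author": "user001", "action": LOGIN_ACTION},
    {"timestamp": "2024-05-01T10:05:02", "author": "admin", "action": LOGIN_ACTION},
    {"timestamp": "2024-05-01T10:05:03", "author": "user001", "action": "Some other event"},
]
SAMPLE_REQUESTS = [
    {"auth": "basic", "user": "user001",
     "sent_at": T("2024-05-01T10:00:00"), "done_at": T("2024-05-01T10:00:01")},
    {"auth": "pat", "user": "user001",
     "sent_at": T("2024-05-01T10:05:00"), "done_at": T("2024-05-01T10:05:01")},
]

if __name__ == "__main__":
    print(audit_coverage(SAMPLE_EVENTS, SAMPLE_REQUESTS))
    print(unaudited_methods(SAMPLE_EVENTS, SAMPLE_REQUESTS))
```

On the constructed sample the PAT request is reported as unaudited even though another user logged in during the same window.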
Workaround
Currently there is no known workaround for this behavior. A workaround will be added here when available.
- is related to
- CONFSERVER-97996 Successful user login events using PAT does not update last login date and are not added to the audit logs
- Needs Triage
- was cloned as
- CONFSERVER-97996 Successful user login events using PAT does not update last login date and are not added to the audit logs
- Needs Triage