Details
- Suggestion
- Resolution: Unresolved
Description
Problem Definition
Personal access tokens (PATs) have been available in Jira since version 8.14.
Bearer tokens are an abstraction over the available authentication methods that grant access to Jira-protected resources.
As long as the token is authentic, Jira grants access to protected resources regardless of the client that issued the request, including browsers.
Suggested Solution
As a Jira administrator, I would like to maintain a list of allowed and/or denied clients that are permitted to authenticate with a bearer token (PAT).
That could take the form of an allow/deny list of user agents.
Workaround
Implement rules on the load balancer (or on a reverse proxy) similar to the following logic:
- The request carries an Authorization request header using the Bearer authentication scheme.
- The request was made by a client on a list of denied clients (matched on the User-Agent header).
- If the request matches both of the above, the LB/proxy denies the request.
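The following is an added example of the workaround's decision logic, not code from this issue or from Atlassian. It models the edge filter a load balancer or reverse proxy would apply: a request is denied only when it presents a Bearer credential and its User-Agent matches a denied client. It also goes one step beyond the workaround by supporting the allow-list mode from the suggested solution. The `ClientPolicy`, `uses_bearer` and `evaluate` names, and the sample requests, are constructed for this example.

```python
"""Edge filter for PAT usage by client (example, not Atlassian code).

Policy: a request without a Bearer credential is never affected, so Basic,
cookie/session and other authentication methods keep working. A request that
does carry a Bearer credential is denied when its User-Agent matches a denied
client, or, when an allow list is configured, when it matches none of the
allowed clients.
"""
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple


@dataclass(frozen=True)
class ClientPolicy:
    # User-Agent substrings, matched case-insensitively (constructed example values).
    denied_agents: Tuple[str, ...] = ()
    # When set, only these clients may authenticate with a PAT.
    allowed_agents: Optional[Tuple[str, ...]] = None


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive; look the header up accordingly."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def uses_bearer(headers: Mapping[str, str]) -> bool:
    """True if the Authorization header uses the Bearer scheme with a credential.

    The auth-scheme token is case-insensitive (RFC 7235), so 'bearer xyz' counts.
    A bare 'Bearer' with no credential is not treated as a bearer request.
    """
    auth = _header(headers, "Authorization")
    if auth is None:
        return False
    parts = auth.strip().split(None, 1)
    return len(parts) == 2 and parts[0].lower() == "bearer" and parts[1] != ""


def evaluate(headers: Mapping[str, str], policy: ClientPolicy) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason) for one request's headers."""
    if not uses_bearer(headers):
        return "allow", "no bearer credential; other authentication methods are unaffected"

    user_agent = (_header(headers, "User-Agent") or "").lower()

    for pattern in policy.denied_agents:
        if pattern.lower() in user_agent:
            return "deny", f"bearer credential from denied client matching '{pattern}'"

    if policy.allowed_agents is not None:
        if not any(p.lower() in user_agent for p in policy.allowed_agents):
            # A missing User-Agent also ends up here, which is the safe default.
            return "deny", "bearer credential from client not on the allow list"

    return "allow", "bearer credential from permitted client"


if __name__ == "__main__":
    # Constructed sample requests; the token values are placeholders.
    deny_browsers = ClientPolicy(denied_agents=("Mozilla",))
    samples = [
        {"Authorization": "Bearer PAT_PLACEHOLDER", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"},
        {"authorization": "bearer PAT_PLACEHOLDER", "user-agent": "curl/8.4.0"},
        {"Authorization": "Basic dXNlcjpwYXNz", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"},
        {"Authorization": "Bearer PAT_PLACEHOLDER"},
    ]
    for request in samples:
        print(evaluate(request, deny_browsers))
```

The User-Agent is supplied by the client, so this rule stops browsers and other tooling from using a PAT by accident rather than acting as a hard boundary; logging the deny decisions at the proxy is also a useful detection point for PATs being used from unexpected clients.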