Details
Bug
Resolution: Unresolved
Low
None
8.14.0, 8.20.0, 9.0.0, 9.4.0, 9.12.0, 9.15.0
None
8.14
1
Severity 3 - Minor
Description
Problem Definition
While Bitbucket and Bamboo have their own PAT implementation, Jira and Confluence share the same code base through a plugin.
There's a public document at https://success.atlassian.com/solution-resources/agile-and-devops-ado/platform-administration/how-to-secure-jira-and-confluence-rest-api-calls-in-data-center stating:
"These tokens are to be used for REST API calls only, they cannot be used to log in to the product UI."
While this is true by design for Bamboo and Bitbucket, it wasn't an implementation decision for Jira and Confluence.
Although there's no in-product UI to allow user authentication with a token, the solution doesn't filter out requests from a browser.
Suggested Solution
The document should make clear which products that statement is true for and provide more details on how it would work on Jira and Confluence.