Details
Type: Suggestion
Resolution: Unresolved
Description
Problem Definition
The PAT documentation for Jira and Confluence can be found on the Using Personal Access Tokens page.
When it comes to design, features and limitations, this document has not been updated for quite some time.
Suggested Solution
Update the document providing more details on the design of PAT for Jira and Confluence.
It would be worth giving some focus to security.
For example, some topics that could be discussed in the document:
- The token bypasses any MFA mechanism enforced by the SSO provider.
- The token grants access to any path; it is not restricted to /rest endpoints.
- There is a limitation whereby users authenticating with a PAT do not get an entry added to the audit log.
- While there is no in-product form for authenticating with a PAT in the browser, adding the token to the request header allows access from a browser.
Current list of open issues (features and bugs): https://jira.atlassian.com/issues/?jql=project%20in%20(JRASERVER%2C%20CONFSERVER)%20AND%20component%20%3D%20%22Personal%20Access%20Tokens%22%20and%20resolution%20%3D%20unresolved%20order%20by%20created
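As an added example, not part of this issue or of the Atlassian documentation: one compensating control for the second and third points above (a token is honoured on any path, and PAT logins leave no audit-log entry) is a reverse proxy in front of Jira or Confluence that forwards Bearer-token requests only to /rest/ paths and writes its own per-request record of whether a token was presented. The nginx configuration below assumes PATs arrive as `Authorization: Bearer <token>` and that nginx terminates TLS in front of the application; the upstream name `atlassian_app`, the hostname and the log path are placeholders.

```nginx
# Added illustration (not from the Jira issue or the Atlassian docs).
# Assumptions: PATs are sent as "Authorization: Bearer <token>"; nginx sits in
# front of the Tomcat connector; upstream name, hostname and log path are placeholders.

http {
    # $pat_auth is 1 when the request carries a Bearer token, 0 otherwise.
    map $http_authorization $pat_auth {
        default        0;
        "~*^Bearer\s"  1;
    }

    # Per-request log line that records whether a Bearer token was presented,
    # since the product audit log has no entry for PAT-authenticated requests.
    log_format pat_audit '$remote_addr [$time_local] "$request" $status pat=$pat_auth "$http_user_agent"';

    upstream atlassian_app {
        server 127.0.0.1:8080;   # placeholder: Jira or Confluence Tomcat connector
    }

    server {
        listen 443 ssl;
        server_name jira.example.internal;   # placeholder
        access_log /var/log/nginx/pat_audit.log pat_audit;   # placeholder path
        # ssl_certificate / ssl_certificate_key omitted

        # REST API: token-authenticated requests are forwarded as usual.
        location /rest/ {
            proxy_pass http://atlassian_app;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }

        # Everything else (web UI, servlets, admin pages): refuse requests that
        # carry a Bearer token, so a PAT cannot stand in for a browser session
        # outside the API. "if" with a plain "return" is the safe form of "if".
        location / {
            if ($pat_auth) {
                return 403;
            }
            proxy_pass http://atlassian_app;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

Before enforcing the 403, review the `pat_audit` log for legitimate integrations that send a token to non-REST paths (for example attachment downloads) and give those paths their own `location` block; the log also provides the per-request record of PAT use that the audit log currently lacks, but it does not address the MFA point, which has to be handled through token lifetime and issuance policy.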