Uploaded image for project: 'Admin Experience'
  1. Admin Experience
  2. AX-702

Expiry Date Needed for Organisation Rest Admin API Token

XMLWordPrintable

    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      N/A

            [AX-702] Expiry Date Needed for Organisation Rest Admin API Token

            Rak Garg (Inactive) added a comment -
            Atlassian Update – 24 June 2019

            Hi everyone,

            Thanks for voting and commenting on this issue. I have good news! We've now increased the amount of time an API token stays valid to 1 year before it expires. New API tokens will now allow you to select an expiration date within 1 year from the day of creation. Your feedback is key to helping us prioritize features and learn more about how we can improve our products for you.

            Thanks for your continued feedback and involvement,
            Rak Garg
            Product Manager, Atlassian

            Rak Garg (Inactive) added a comment - Atlassian Update – 24 June 2019 Hi everyone, Thanks for voting and commenting on this issue. I have good news! We've now increased the amount of time an API token stays valid to 1 year before it expires. New API tokens will now allow you to select an expiration date within 1 year from the day of creation. Your feedback is key to helping us prioritize features and learn more about how we can improve our products for you. Thanks for your continued feedback and involvement, Rak Garg Product Manager, Atlassian

            Ashley Watson added a comment -

            Another approach is for Atlassian to just modify the Organisational REST API to be able to authenticate against a personal access token instead - as the PAT would only be accepted if the user that owns the PAT is an organisational administrator.

            Ashley Watson added a comment - Another approach is for Atlassian to just modify the Organisational REST API to be able to authenticate against a personal access token instead - as the PAT would only be accepted if the user that owns the PAT is an organisational administrator.

            Ashley Watson added a comment - - edited

            Until these issues can be properly resolved, please can the duration of organisational tokens to be increased to 90 days to allow time for Atlassian to work through the necessary changes. On the other hand, as PAT seem to have an indefinite life, why can't the same rules apply to these organisational tokens?

            Ashley Watson added a comment - - edited Until these issues can be properly resolved, please can the duration of organisational tokens to be increased to 90 days to allow time for Atlassian to work through the necessary changes. On the other hand, as PAT seem to have an indefinite life, why can't the same rules apply to these organisational tokens?

            Carl Stewart added a comment - - edited

            Hi,

            I'd like to make the following suggestions:

            • allow to tie to specific ip address if needed
            • must manually specify what ip address it will be tied to because some build servers do not have a GUI
            • email notification 7 days before it will expire
            • after generated, show the expiration date

             

            Carl Stewart added a comment - - edited Hi, I'd like to make the following suggestions: allow to tie to specific ip address if needed must manually specify what ip address it will be tied to because some build servers do not have a GUI email notification 7 days before it will expire after generated, show the expiration date  

            Ashley Watson added a comment -

            One of the simple ways Atlassian could address this is to have a mechanism to issue an API token for a session of say 1 hour with an undocumented button - say "create-admin-api-key-session-button". This would buy time for Atlassian to formally address this. When we have automation scripting on the Microsoft Graph APIs, we have to take the same approach - use one token to generate a short life token that we can use for the duration of a job run.

            Ashley Watson added a comment - One of the simple ways Atlassian could address this is to have a mechanism to issue an API token for a session of say 1 hour with an undocumented button - say "create-admin-api-key-session-button". This would buy time for Atlassian to formally address this. When we have automation scripting on the Microsoft Graph APIs, we have to take the same approach - use one token to generate a short life token that we can use for the duration of a job run.

            Ashley Watson added a comment -

            Through packet traces via firefox, I've been able to work out the minimum data that is needed to create a token programatically using a cloud.session.token.
            Here is some proof of concept BASH code which I'm now using in my automation;
            It is a temporary workaround to the issue I'm having - which means on a weekly process I can create a new token before the process starts.
            Once the token expires (7 days later) it will disappear anyway and there can be multiple tokens of the same name.
            A full solution would ideally have an API call that could generate and revoke a token officially (as well as setting the expiry date at creation).

            CloudSessionURL="https://$CloudInstance/rest/auth/1/session"
CloudData="{ \"username\": \"$CloudUserName\",\"password\": \"$CloudPassword\" }"

TokenName='testtoken'
SESSIONTOKEN=$(curl -s "$CloudSessionURL" -X POST -H "Content-Type: application/json" --data "$CloudData" |  jq -r '.[]|.value')

CloudAPI="https://admin.atlassian.com/gateway/api/adminhub/organization/$OrganisationID/apiTokens"
CurlData="{\"name\":\"$TokenName\"}"

Response=$(curl -s "$CloudAPI" -X POST -H "Cookie: cloud.session.token=$SESSIONTOKEN; _gali=create-admin-api-key-button" -H 'Content-type: application/json' --data $CurlData)
ExpirationDate=`echo "$Response"|jq -r '.expirationDate'`
TokenValue=`echo "$Response"|jq -r '.token'`
echo "Expiration date: $ExpirationDate"
echo "Token value: $TokenValue"

            Ashley Watson added a comment - Through packet traces via firefox, I've been able to work out the minimum data that is needed to create a token programatically using a cloud.session.token. Here is some proof of concept BASH code which I'm now using in my automation; It is a temporary workaround to the issue I'm having - which means on a weekly process I can create a new token before the process starts. Once the token expires (7 days later) it will disappear anyway and there can be multiple tokens of the same name. A full solution would ideally have an API call that could generate and revoke a token officially (as well as setting the expiry date at creation). CloudSessionURL= "https: //$CloudInstance/ rest /auth/1/session" CloudData= "{ \" username\ ": \" $CloudUserName\ ",\" password\ ": \" $CloudPassword\ " }" TokenName= 'testtoken' SESSIONTOKEN=$(curl -s "$CloudSessionURL" -X POST -H "Content-Type: application/json" --data "$CloudData" | jq -r '.[]|.value' ) CloudAPI= "https: //admin.atlassian.com/gateway/api/adminhub/organization/$OrganisationID/apiTokens" CurlData= "{\" name\ ":\" $TokenName\ "}" Response=$(curl -s "$CloudAPI" -X POST -H "Cookie: cloud.session.token=$SESSIONTOKEN; _gali=create-admin-api-key-button" -H 'Content-type: application/json' --data $CurlData) ExpirationDate=`echo "$Response" |jq -r '.expirationDate' ` TokenValue=`echo "$Response" |jq -r '.token' ` echo "Expiration date: $ExpirationDate" echo "Token value: $TokenValue"

            Ashley Watson added a comment -

            this is not just about the revokation of access tokens, it is about being able to automate things without the the token changing, so we need to have the option to specify the expiry date instead of it being defaulting to 7 days after creation.

            Ashley Watson added a comment - this is not just about the revokation of access tokens, it is about being able to automate things without the the token changing, so we need to have the option to specify the expiry date instead of it being defaulting to 7 days after creation.

              rgarg@atlassian.com Rak Garg (Inactive)
              sveeriah Suba V (Inactive)
              Votes:
              5 Vote for this issue
              Watchers:
              12 Start watching this issue

                Created:
                Updated:
                Resolved: