  1. Admin Experience
  2. AX-1603

Allow Service Account Impersonation for OAuth2 App Authorization in Cloud Products

    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      Problem

      Currently, Confluence Cloud service accounts cannot be used to authorize third-party applications that require OAuth2 user consent (3LO flow).

      Service accounts are designed for automation and backend integrations using API tokens or the OAuth2 client credentials (2LO) flow, but they cannot be impersonated or used interactively to approve app connections.

      This limitation forces administrators to use personal user accounts to authorize integrations, which is not ideal for operational best practices.

      Suggested Solution

      Introduce a mechanism that allows administrators to use service accounts to authorize OAuth2 applications, either by enabling impersonation of service accounts for the 3LO consent flow or by providing a way for service accounts to approve app connections in a controlled, auditable manner.

      This could include:

      • Allowing service accounts to complete OAuth2 consent screens for app authorization.
      • Providing an admin-controlled consent workflow for service accounts.
      • Extending the 2LO flow to support more integration scenarios that currently require 3LO.

      Why This Is Important

      • Using personal accounts for app authorization increases security risks and complicates auditing, especially for organizations with strict compliance requirements.
      • Service accounts are intended for automation and integration, but their current limitations prevent them from being used in many real-world scenarios where OAuth2 user consent is required.
      • Enabling this feature would allow organizations to better manage, secure, and audit integrations, and avoid using privileged user accounts for non-human automation tasks.

      Workaround

      Currently there is no known workaround for this behavior using Service Accounts. A workaround will be added here when available.

      • If you want to avoid using your personal admin account, consider creating a dedicated integration user (with MFA and appropriate permissions) for this purpose. Note that this is still a "user" account, not a service account.

              Unassigned
              Edson B [Atlassian Support]
              Votes: 6
              Watchers: 8
