Suggestion
Resolution: Unresolved
Jira Software, Jira Service Management, Jira Product Discovery, Confluence, Bitbucket
Issue Summary
Prior to the availability of true service accounts, users would create dummy user accounts not linked to a real person to be used as pseudo service accounts.
Now that service accounts are rolling out, customers are naturally assuming that they can just swap out the credentials in their existing scripts and integrations to use the service account email and API token instead.
The problem with this is that when authenticating via a service account, you cannot use the base URL:
https://{site}.atlassian.net
Instead, you have to use one of these depending on the product:
https://api.atlassian.com/ex/jira/{cloudId}
https://api.atlassian.com/ex/confluence/{cloudId}
This is documented in this article: https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/
However, the response back from a failed request gives no hint that this is the problem, especially if the endpoint in question is accessible without authentication and may return a 200 with a blank result set.
Steps to Reproduce
- Create a service account
- Create a credential with the appropriate scope for the service account
- In Postman, make a GET request to
https://{site}.atlassian.net/rest/api/3/project
Expected Results
Some kind of response code and warning message that points out the user is trying to authenticate to the wrong endpoint.
Maybe something like:
Response 400
{
"message": "service accounts must use base url https://api.atlassian.com",
"details": "See https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/"
}
Actual Results
Response 200
[]
Workaround
No workaround, as nothing is broken; it would just reduce support volume to include this message when customers are trying out service accounts.
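A client-side guard for the mismatch described above, as an added example that is not part of the original issue or Atlassian's own code: it builds the gateway URL and flags a 200 with an empty result that came from the site base URL. The function names, the UUID shape assumed for `cloudId`, and the sample values in the comments are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

GATEWAY_HOST = "api.atlassian.com"
PRODUCTS = ("jira", "confluence")  # gateway prefixes listed in the issue
# Assumption: cloudId is a UUID. Rejecting anything else keeps stray
# path characters out of the URL that will carry the token.
CLOUD_ID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def gateway_url(product, cloud_id, api_path):
    """Build https://api.atlassian.com/ex/{product}/{cloudId}{api_path}."""
    if product not in PRODUCTS:
        raise ValueError(f"unknown product: {product!r}")
    if not CLOUD_ID_RE.fullmatch(cloud_id):
        raise ValueError("cloud_id does not look like a UUID")
    if not api_path.startswith("/"):
        raise ValueError("api_path must start with '/'")
    return f"https://{GATEWAY_HOST}/ex/{product}/{cloud_id}{api_path}"


def uses_site_base_url(url):
    """True when the URL targets https://{site}.atlassian.net."""
    host = (urlsplit(url).hostname or "").lower()
    return host.endswith(".atlassian.net")


def check_response(url, status, body, service_account=True):
    """Return a diagnostic string, or None when nothing looks wrong.

    Flags the case from the issue: a service-account call to the site
    base URL that appears to succeed with 200 and an empty result set.
    """
    if not (service_account and uses_site_base_url(url)):
        return None
    if status == 200 and body in ([], {}, None, ""):
        return ("200 with empty result from site base URL: likely treated "
                "as unauthenticated; use "
                f"https://{GATEWAY_HOST}/ex/<product>/<cloudId> instead")
    return "service account credential sent to site base URL"
```

Calling `check_response` on every response in an integration that has been switched to a service account turns the silent empty result into an explicit error at the point where the wrong base URL is used.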
- relates to CES-112754