Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-54412

REST API - Improved HTTP Authentication

XMLWordPrintable

      Suggestion Description

      Confluence Server REST API is a simple resource that help administrators to perform operations that would take some time of their day to day activities in a couple seconds, instead of a couple minutes. It is a known fact that only basic authentication is supported when it comes to the API and the most secure you can get is through a MD5 hash in your request payload instead of sending your username and password as clear text.

      Turns out that there are several ways to make the API more secure, like for instance, interacting with SAML/OKTA or even using a Token Based authentication in-app. The intent of this suggestion is to enable the use of resources like SAML/OKTA for the REST API or to enable a Token Based authentication to provide secure communication in between client and application.

      Feature Requests for different applications

      The same request already exists for Jira (JRASERVER-66872), will be released for BitBucket (BSERV-2722) and has been requested to Bamboo (BAM-12095) as well.

      Sample Payload

      Currently, if we want to create a page, for example, we would need to execute below call:

      curl -u "adminuser:adminpassword" -X POST -H 'Content-Type: application/json' -d'{"type":"page","title":"PageAPI","space":{"key":"API"},"body":{"storage":{"value":"<p>This is a page</p>","representation":"storage"}}}' http://myconfluencebaseurl.com | python -mjson.tool

      As can be seen above, we do need to send an username and password at the header of the request to have it working properly, which is considered insecure. This is what we would like to avoid.

          Form Name

            [CONFSERVER-54412] REST API - Improved HTTP Authentication

            Christian Reichert (resolution) added a comment -

            Hi Team,

            we have implemented the API Key/Token concept as a 3rd party App for Confluence (and Jira). It's available for both DC & Server.

            It also has some additional security features (blocking normal basic auth, IP address restrictions, etc) that some people may find interesting.

            I also agree this (or AUTH2) should be a core feature of confluence but as long as it isn't, our App may help some people already.

            P.S. Full disclosure, I work for resolution, a marketplace vendor.

            Christian Reichert (resolution) added a comment - Hi Team, we have implemented the API Key/Token concept as a 3rd party App for Confluence (and Jira). It's available for both DC & Server. API Token Authentication for Confluence It also has some additional security features (blocking normal basic auth, IP address restrictions, etc) that some people may find interesting. I also agree this (or AUTH2) should be a core feature of confluence but as long as it isn't, our App may help some people already. P.S. Full disclosure, I work for  resolution, a marketplace vendor.

              bmcnamara Brendan McNamara
              mhorlle Marcelo Horlle
              Affected customers:
              27 This affects my team
              Watchers:
              31 Start watching this issue

                Created:
                Updated:
                Resolved: