  1. Confluence Data Center
  2. CONFSERVER-66485

Unable to download attachments in Confluence using a personal access token


    Description

      Problem Definition

      Newer versions of Confluence allow personal access tokens to be created as a means of accessing the REST API in Confluence Server/Data Center. While these tokens are a useful authorization alternative for the REST API, one limitation is that attachments that exist on Confluence issues are not accessible via these tokens.

      Requesting the attachment with curl (using the verbose switch) shows that the request is redirected to a login page.

      curl --verbose -H "Authorization: Bearer [redacted token]" -O http://localhost:8141/secure/attachment/10000/filename.png
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
        0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying ::1...
      * TCP_NODELAY set
      * Connected to localhost (::1) port 8141 (#0)
      > GET /secure/attachment/10000/filename.png HTTP/1.1
      > Host: localhost:8141
      > User-Agent: curl/7.64.1
      > Accept: */*
      > Authorization: Bearer [redacted]
      > 
      < HTTP/1.1 302 
      < X-AREQUESTID: 1026x388x1
      < Referrer-Policy: strict-origin-when-cross-origin
      < X-XSS-Protection: 1; mode=block
      < X-Content-Type-Options: nosniff
      < X-Frame-Options: SAMEORIGIN
      < Content-Security-Policy: frame-ancestors 'self'
      < Strict-Transport-Security: max-age=31536000
      < Set-Cookie: atlassian.xsrf.token=[redacted]_lout; Path=/
      < Location: /login.jsp?permissionViolation=true&os_destination=%2Fsecure%2Fattachment%2F10000%2Ffilename.png&page_caps=&user_role=
      < Content-Length: 0
      < Date: Thu, 21 Jan 2021 23:06:21 GMT 
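
Automation that downloads attachments with a token should treat this redirect as an authentication failure rather than store whatever the login page returns. The following Python is an added example, not part of the original issue or Atlassian's code; it classifies a single-response header dump such as `curl -D` writes, and the function names and the constructed sample headers are assumptions.

```python
"""Added example: classify an attachment response fetched with a personal access token."""
from urllib.parse import urlsplit, parse_qs

# Constructed sample: response headers modelled on the curl trace above
# (cookie value is a placeholder). Assumes one response, i.e. curl without -L.
SAMPLE_HEADERS = """\
HTTP/1.1 302
X-AREQUESTID: 1026x388x1
Set-Cookie: atlassian.xsrf.token=PLACEHOLDER_lout; Path=/
Location: /login.jsp?permissionViolation=true&os_destination=%2Fsecure%2Fattachment%2F10000%2Ffilename.png&page_caps=&user_role=
Content-Length: 0
"""


def parse_response(raw):
    """Split a raw header dump into (status code, lower-cased header dict)."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(raw, requested_path):
    """Return 'ok', 'login-redirect' (token not honoured) or 'other'."""
    status, headers = parse_response(raw)
    if 200 <= status < 300:
        return "ok"
    if 300 <= status < 400:
        target = urlsplit(headers.get("location", ""))
        query = parse_qs(target.query, keep_blank_values=True)
        # The login page carries the original path back in os_destination.
        bounced = query.get("os_destination", [""])[0] == requested_path
        denied = query.get("permissionViolation", [""])[0] == "true"
        if target.path.endswith("/login.jsp") and (bounced or denied):
            return "login-redirect"
    return "other"


if __name__ == "__main__":
    print(classify(SAMPLE_HEADERS, "/secure/attachment/10000/filename.png"))
```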
      

      Suggested Solution

      Either:

      • Create a REST API endpoint that provides the binary data stream of the attachments, so that the endpoint can be called and the attachments downloaded using the personal access token
        OR
      • Change the check that appears to be redirecting requests that use this token for authentication/authorization, so that these requests can succeed without being redirected to a login page.

      Why this is important

      This is something you can do in Confluence Cloud today with a REST API token. The fact that this does not work in Server is a lack of feature parity. Personal access tokens would be more useful if they could also be used in this manner to gather attachments on Confluence server issues.
      This also works if your curl call uses basic authorization (supplying a username and password with the -u switch).

      Workaround

      No workaround is currently available.


            People

              Unassigned
              mgomez@atlassian.com Manny
              Votes: 3
              Watchers: 6
