Details
- Bug
- Resolution: Not a bug
- Medium
- None
- 10
- Severity 3 - Minor
Description
Issue Summary
According to the documentation for the https://api.atlassian.com/users/{account_id}/manage UM REST API endpoint, the response should include information about MFA settings for the user:
- mfa.read: read the current MFA enrollment state for the user
- mfa.unenroll: unenroll the user from MFA
However, this does not work:
- Calling https://api.atlassian.com/users/{account_id}/manage does not include the above properties in the response
- Calling https://api.atlassian.com/users/{account_id}/manage?privileges=mfa.read (or mfa.unenroll) always returns "allowed":true, whether or not the user has MFA enabled:
curl -H 'Authorization: Bearer <API_KEY>' -H 'Accept: application/json' -X GET https://api.atlassian.com/users/<ACCOUNT_ID>/manage?privileges=mfa.read
{"mfa.read":{"allowed":true}}
Steps to Reproduce
- As an Organization administrator, go to admin.atlassian.com and create an API key
- Use the API key to authorize a REST API call against the endpoint https://api.atlassian.com/users/{account_id}/manage (replace {account_id} with the account ID of a managed account)
Expected Results
Among the other properties, mfa.read and mfa.unenroll are also returned.
Actual Results
Everything is returned except mfa.read and mfa.unenroll.
Also:
- Calling https://api.atlassian.com/users/{account_id}/manage?privileges=mfa.read or https://api.atlassian.com/users/{account_id}/manage?privileges=mfa.unenroll always returns "allowed":true, regardless of whether MFA is enabled:
curl -H 'Authorization: Bearer sDXXXXXXXXXXXXaa' -H 'Accept: application/json' -X GET https://api.atlassian.com/users/5acbXXXXXXXXXXXXede/manage?privileges=mfa.read,mfa.unenroll
{"mfa.read":{"allowed":true}}
- Calling https://api.atlassian.com/users/{account_id}/manage?privileges=mfa.read,mfa.unenroll returns an empty response:
curl -H 'Authorization: Bearer sDXXXXXXXXXXXXaa' -H 'Accept: application/json' -X GET https://api.atlassian.com/users/5acbXXXXXXXXXXXXede/manage?privileges=mfa.read,mfa.unenroll
{}
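The steps above and the observed results can be turned into an audit check that an org admin can run across managed accounts before relying on this endpoint for MFA reporting. The following is an added example, not Atlassian's code or part of this ticket; the privilege names mfa.read and mfa.unenroll come from the documentation quoted above, while the other keys in the sample responses and the function names are constructed for illustration.

```python
"""Audit helper for the /users/{account_id}/manage endpoint discussed in this ticket.

Checks a manage response for the documented MFA privileges so an admin can tell
whether the API is actually reporting MFA state, instead of trusting a blanket
"allowed": true. The parsing functions run offline on constructed responses;
fetch_manage() performs the same request as the curl commands in the ticket.
"""
import json
import urllib.request

MANAGE_URL = "https://api.atlassian.com/users/{account_id}/manage"
MFA_PRIVILEGES = ("mfa.read", "mfa.unenroll")  # names from the documentation


def fetch_manage(api_key: str, account_id: str, privileges: str = "") -> dict:
    """GET the manage endpoint with an organization API key (optional ?privileges=...)."""
    url = MANAGE_URL.format(account_id=account_id)
    if privileges:
        url += "?privileges=" + privileges
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {api_key}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def mfa_privilege_status(manage_response: dict) -> dict:
    """Map each documented MFA privilege to 'missing', 'allowed' or 'denied'.

    'missing' covers both the full response lacking the keys and the empty {}
    returned for privileges=mfa.read,mfa.unenroll, the two symptoms reported here.
    """
    status = {}
    for priv in MFA_PRIVILEGES:
        entry = manage_response.get(priv)
        if not isinstance(entry, dict) or not isinstance(entry.get("allowed"), bool):
            status[priv] = "missing"
        else:
            status[priv] = "allowed" if entry["allowed"] else "denied"
    return status


def mfa_read_is_informative(filtered_responses: list) -> bool:
    """Given privileges=mfa.read responses for accounts known to differ in MFA
    enrollment, the field is only usable for auditing if its value differs too.
    A uniform 'allowed' across enrolled and unenrolled accounts carries no signal."""
    values = {mfa_privilege_status(r)["mfa.read"] for r in filtered_responses}
    return len(values) > 1


# Constructed sample responses (shapes modelled on the ticket, not captured from Atlassian).
FULL_RESPONSE = {"profile.write": {"allowed": True}, "email.set": {"allowed": True}}
FILTERED_READ = {"mfa.read": {"allowed": True}}
EMPTY_RESPONSE = {}
```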
Workaround
No workaround available at the moment.