The the os_username parameter has been blocked but it is still used in the users onboarding notifications

Summary

In the notification sent to the users generate their first password, the button Set my password does not work since it contains the os_username url parameter that has been blocked as documented in the JIRA and Confluence Cloud os_username and os_password embedded in URL no longer available KB article.

Indeeed, when clicking on the "Set my Password" button the users are sent to a link like the below one:

• https://INSTANCE_NAME.atlassian.net/secure/ResetPassword!default.jspa?os_username=USER_NAME&token=SOME_TOKEN

Environment

JIRA Cloud 1000.747.0

Steps to Reproduce

1. Invite a new user to the instance, e.g. by using the REST API endpoint /rest/api/latest/user (sending the parameter "notification":"true").
2. The user that got invited opens the "Account created" notification and click on the Set my password button

Expected Results

The link open correctly and the user is able to set the password

Actual Results

The below message is returned:

REQUEST DENIED. Refer to https://confluence.atlassian.com/display/CLOUDKB/JIRA+and+Confluence+Cloud+os_username+and+os_password+embedded+in+URL+no+longer+available for details.

Workaround

Depending if your instance is using Atlassian Accounts or not, you can either:

• Use the password reset link that is present at the bottom of the notification.
• Reset the password from https://NAME.atlassian.net/login/forgot