Basic authentication for REST API call has a performance overhead. There are a couple of things which contribute to that:
- Authentication itself, also a possible roundtrip to LDAP/AD/Crowd server
- Updating (refreshing) user attributes from LDAP
- Updating login attempt data (recordLoginAttempt)
- Updating UserAttributes with updateLastLoginTime
- Publishing a security event
Add an option to configure an automation (service) user account that performs fewer actions during login (authentication):
- Doesn't update the login counter for every successful login (possibly only every X requests)
- Doesn't update LastLoginTime for every login
- Doesn't update user attributes from LDAP for every login (for example, the updateUserFromRemoteDirectory method)
OAuth 2.0 authorization via tokenization should allow for users to self generate a token in order to provide a secure and easy way to integrate their apps at a project level. Tokens should be associated with the corresponding user account limiting permission to the platform based upon the user's access.
Make sure that the service account doesn't have Jira Admin privileges. Besides being a security risk, it also adds performance overhead from processing removeDismissFlagForUser.
Avoid Basic authentication on every REST API call; use cookie-based authentication instead.
This is how cookie-based authentication works in Jira at a high level:
- The client creates a new session for the user via the Jira REST API.
- Jira returns a session object that has information about the session including the session cookie. The client stores this session object.
- The client can now set the cookie in the header for all subsequent requests to the Jira REST API.
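The flow above, as an added Python example that is not code from the original page: the client sends credentials once to the Jira Server/Data Center session resource /rest/auth/1/session (an assumption not stated on the page), stores the returned session cookie, and replays it on every later request, so the per-request authentication work listed above happens only once. The FakeJira transport and the base URL are constructed stand-ins so the example runs offline.

```python
import json
from urllib.request import Request, urlopen


class JiraCookieClient:
    """Logs in once, then reuses the session cookie instead of Basic auth."""

    def __init__(self, base_url, send=None):
        self.base_url = base_url.rstrip("/")
        self.cookie = None
        # Transport hook (method, url, headers, body) -> (status, body bytes);
        # injectable so the flow can be exercised without a live server.
        self.send = send or self._http_send

    @staticmethod
    def _http_send(method, url, headers, body):
        req = Request(url, data=body, headers=headers, method=method)
        with urlopen(req) as resp:
            return resp.status, resp.read()

    def login(self, username, password):
        # Credentials travel exactly once: POST /rest/auth/1/session
        body = json.dumps({"username": username, "password": password}).encode()
        status, raw = self.send("POST", self.base_url + "/rest/auth/1/session",
                                {"Content-Type": "application/json"}, body)
        if status != 200:
            raise PermissionError(f"login failed with HTTP {status}")
        session = json.loads(raw)["session"]  # {"name": "JSESSIONID", "value": ...}
        self.cookie = f"{session['name']}={session['value']}"
        return self.cookie

    def get(self, path):
        if self.cookie is None:
            raise RuntimeError("call login() before making requests")
        headers = {"Cookie": self.cookie, "Accept": "application/json"}
        status, raw = self.send("GET", self.base_url + path, headers, None)
        return status, (json.loads(raw) if raw else None)


class FakeJira:
    """Constructed stand-in for a Jira server that counts authentications."""

    def __init__(self):
        self.logins = 0

    def __call__(self, method, url, headers, body):
        if method == "POST" and url.endswith("/rest/auth/1/session"):
            self.logins += 1
            return 200, b'{"session": {"name": "JSESSIONID", "value": "abc123"}}'
        if headers.get("Cookie") == "JSESSIONID=abc123":
            return 200, b'{"key": "DEMO-1"}'
        return 401, b""


def demo():
    fake = FakeJira()
    client = JiraCookieClient("https://jira.example.invalid", send=fake)
    client.login("svc-automation", "constructed-password")
    statuses = [client.get("/rest/api/2/issue/DEMO-1")[0] for _ in range(5)]
    return fake.logins, statuses  # one login serves all five requests
```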