JRASERVER-70468 (Jira Server and Data Center)

As a Jira Administrator I want to configure user accounts for integration jobs with low login overhead





      Problem Definition

      Basic authentication for each REST API call has a performance overhead. Several things contribute to it:

      • The authentication itself, including a possible round trip to the LDAP/AD/Crowd server
      • Updating (refreshing) user attributes from LDAP
      • Updating the login attempt data (recordLoginAttempt)
      • Updating user attributes with updateLastLoginTime
      • Publishing the security event

      Suggested Solution

      Add an option to configure an automation (service) user account that performs fewer actions during login (authentication):

      • Doesn't update the login counter on every successful login (possibly only every X requests)
      • Doesn't update LastLoginTime on every login
      • Doesn't refresh user attributes from LDAP on every login (for example the updateUserFromRemoteDirectory method)

      Possible solution:
      OAuth 2.0 authorization via tokens should allow users to self-generate a token, providing a secure and easy way to integrate their apps at the project level. Tokens should be associated with the corresponding user account, limiting permissions on the platform to that user's access.


      Make sure that the service account doesn't have Jira Admin privileges. Besides being a security risk, admin privileges add extra performance overhead because removeDismissFlagForUser is processed on login.


      Avoid Basic authentication on each REST API call; use cookie-based authentication instead.

      This is how cookie-based authentication works in Jira at a high level:

      • The client creates a new session for the user via the Jira REST API.
      • Jira returns a session object that has information about the session including the session cookie. The client stores this session object.
      • The client can now set the cookie in the header for all subsequent requests to the Jira REST API.

      More details: https://developer.atlassian.com/server/jira/platform/cookie-based-authentication/
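      The three-step flow above, as an added Python example that is not Atlassian's code: a small client logs in once via POST /rest/auth/1/session (the endpoint from the linked docs), stores the returned JSESSIONID cookie and sends it on every later call, so the per-request login work listed under Problem Definition is paid only once. The base URL, the service account name and password, and the FakeJira stand-in are constructed placeholders so the flow runs offline.

```python
import json
import urllib.request
from io import BytesIO

SESSION_PATH = "/rest/auth/1/session"  # Jira Server session endpoint from the linked docs

def session_cookie(login_body: bytes) -> str:
    """Turn the JSON body returned by POST /rest/auth/1/session into a Cookie header value."""
    s = json.loads(login_body)["session"]
    return f"{s['name']}={s['value']}"

class JiraSession:
    """Authenticates once, then sends the stored session cookie on every later request."""
    def __init__(self, base_url, username, password, opener=urllib.request.urlopen):
        self.base_url = base_url.rstrip("/")
        self._creds = (username, password)
        self._open = opener  # injectable so the flow can be exercised offline
        self.cookie, self.logins = None, 0  # cookie value, count of full credential checks

    def _login(self):
        body = json.dumps({"username": self._creds[0], "password": self._creds[1]}).encode()
        req = urllib.request.Request(self.base_url + SESSION_PATH, data=body, method="POST",
                                     headers={"Content-Type": "application/json"})
        with self._open(req) as resp:
            self.cookie = session_cookie(resp.read())
        self.logins += 1

    def get(self, path):
        if self.cookie is None:  # only the first call pays the full login cost
            self._login()
        req = urllib.request.Request(self.base_url + path,
                                     headers={"Cookie": self.cookie, "Accept": "application/json"})
        with self._open(req) as resp:
            return json.loads(resp.read())

class FakeJira:
    """Constructed stand-in for the server: records each request, answers with canned bodies."""
    LOGIN_BODY = b'{"session":{"name":"JSESSIONID","value":"abc123"},"loginInfo":{"loginCount":1}}'
    def __init__(self):
        self.requests = []
    def __call__(self, req):
        self.requests.append((req.get_method(), req.selector, req.get_header("Cookie")))
        body = self.LOGIN_BODY if req.selector == SESSION_PATH else b'{"key":"JRASERVER-70468"}'
        return BytesIO(body)

def demo(n_calls=3):
    # n API calls against the fake server: expect one login, then n cookie-authenticated GETs
    fake = FakeJira()
    jira = JiraSession("https://jira.example.invalid", "svc-integration", "placeholder", opener=fake)
    keys = [jira.get("/rest/api/2/issue/JRASERVER-70468")["key"] for _ in range(n_calls)]
    return jira.logins, fake.requests, keys
```

      Against a real server, pass no opener and the client uses urllib directly; the session cookie is a bearer credential for the service account and should be kept as carefully as the password.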


      Assignee: Unassigned
      Reporter: Andriy Yakovlev [Atlassian] (ayakovlev@atlassian.com)