Details
Suggestion
Resolution: Unresolved
Description
Problem Definition
External applications integrated with Jira through Application Links can, once a user has authorized them, make calls on behalf of that user using OAuth tokens.
The access token persists for 5 years unless it is revoked.
Revoking an OAuth access token can only be done by the user who owns it, as described in Allowing OAuth access.
When a user is deactivated (disabled), their OAuth tokens are not revoked by default.
Although requests made with such a token are rejected by the application's permission checks (authorization validation) while the user is inactive, the tokens should still be deleted: they stay in the database for the rest of their 5-year lifetime, and nothing removes them if the account is later reactivated.
Suggested Solution
When users are disabled, revoke/delete all of their OAuth access tokens.
Workaround
- Back up the database first; these are direct changes to Jira's tables and should be applied in a maintenance window.
- Identify the OAuth access tokens associated with inactive users. oauthsptoken.username stores the user key, so it is mapped through app_user; app_user.id and cwd_user.id are unrelated identifiers, so the cwd_user join must go through lower_user_name rather than id.
SELECT au.lower_user_name, cu.directory_id, ot.consumer_key, ot.token
FROM oauthsptoken ot
JOIN app_user au ON au.user_key = ot.username
JOIN cwd_user cu ON cu.lower_user_name = au.lower_user_name
WHERE cu.active = 0
  AND ot.token_type = 'ACCESS';
- Check the result before deleting: a username can exist in more than one user directory, and this query matches each directory row separately, so a user who is inactive in one directory but still active in another will appear in the list.
- Delete the OAuth access tokens associated with inactive users.
DELETE FROM oauthsptoken
WHERE id IN (
  SELECT ot.id
  FROM oauthsptoken ot
  JOIN app_user au ON au.user_key = ot.username
  JOIN cwd_user cu ON cu.lower_user_name = au.lower_user_name
  WHERE cu.active = 0
    AND ot.token_type = 'ACCESS'
);
- MySQL rejects a DELETE whose subquery reads the table being deleted from; on MySQL, select the ids into a temporary table first and delete from that.
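The same cleanup written defensively, as an added example that is not part of the original suggestion and not an Atlassian-provided script: it only targets users who are inactive in every directory they appear in, stages the token ids in a temporary table so the DELETE does not read oauthsptoken in its own subquery (which MySQL rejects), and runs inside a transaction so the row counts can be checked before committing. It uses only the Jira tables and columns already named in the workaround (oauthsptoken, app_user, cwd_user) and is written for PostgreSQL; the temporary table name is an arbitrary choice.

```sql
-- Added example, not Atlassian's script. Tables/columns are the standard
-- Jira Server ones used in the workaround above; written for PostgreSQL
-- (the same statements are also accepted by MySQL).
START TRANSACTION;

-- Stage the ids of ACCESS tokens whose owner exists in a user directory but
-- is not active in ANY directory. Joining cwd_user per directory alone would
-- also match a user who is inactive in one directory but still active (and
-- logging in) through another; the NOT EXISTS check keeps those tokens safe.
-- Users with no cwd_user row at all (removed from their directory) are left
-- alone here, matching the scope of the workaround.
CREATE TEMPORARY TABLE tmp_inactive_oauth_tokens AS
SELECT ot.id AS token_id,
       au.lower_user_name,
       ot.consumer_key
FROM oauthsptoken ot
JOIN app_user au ON au.user_key = ot.username
WHERE ot.token_type = 'ACCESS'
  AND EXISTS (SELECT 1 FROM cwd_user cu
              WHERE cu.lower_user_name = au.lower_user_name)
  AND NOT EXISTS (SELECT 1 FROM cwd_user cu
                  WHERE cu.lower_user_name = au.lower_user_name
                    AND cu.active = 1);

-- Review before deleting: one row per token, with owner and consumer key.
SELECT token_id, lower_user_name, consumer_key
FROM tmp_inactive_oauth_tokens
ORDER BY lower_user_name, consumer_key;

-- The DELETE reads the staged ids, not oauthsptoken itself, so it works on
-- MySQL as well as PostgreSQL. The affected-row count must equal the number
-- of rows returned by the SELECT above.
DELETE FROM oauthsptoken
WHERE id IN (SELECT token_id FROM tmp_inactive_oauth_tokens);

-- Verify that none of the staged tokens remain (expected: 0), then COMMIT;
-- ROLLBACK instead if the counts do not match.
SELECT COUNT(*) AS remaining
FROM oauthsptoken
WHERE id IN (SELECT token_id FROM tmp_inactive_oauth_tokens);

COMMIT;
DROP TABLE tmp_inactive_oauth_tokens;
```

Run the script interactively rather than as a batch so the review SELECT and the remaining-count check can be inspected before the COMMIT is issued.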
Issue Links
- is related to JRASERVER-73857 As a Jira Administrator I'd like to have support for rotation of internal application credentials (Gathering Interest)
- OAUTH-357