Application links with impersonation does not work properly after upgrading to Jira 9.9.0

Issue Summary

Application links with impersonation are broken starting on Jira 9.9.0.
This may impact operations performed by end-users on linked Atlassian applications, such as Confluence, Bitbucket and Bamboo.

This does not affect application links without impersonation.

Steps to Reproduce

Scenario 1 - Jira integrates with Confluence

1. Install a vanilla instance of Confluence Data Center.
   • Any Confluence version is fine – this was validated with Confluence DC 7.19.2.
   • Confluence is used just as an example as the impact could be perceived on other linked Atlassian products.
2. Install a vanilla instance of Jira Data Center 9.8.0.
3. Create an application link with impersonation between Jira and Confluence.
4. Make different tests with JIM (Jira Issues Macro) on Confluence.
   • Create a page with an issue, an issue filter, a Jira Chart, etc.
     
5. Upgrade the Jira instance to version 9.9.0.
6. Access the Confluence page with JIM.

Scenario 2 - Jira integrates with Bamboo 9.2.3 or above

See another bug here - BAM-22415

Expected Results

The application link works as expected and the page in Confluence is able to render all Jira Issues Macros.

Actual Results

The application link isn't working and loading the JIM from a Confluence page fails with messages such as below:

• Jira issue doesn't exist or you don't have permission to view it.
• Jira project doesn't exist or you don't have permission to view it.
• The Jira server didn't understand your search query. If you entered JQL, please ensure that it's correctly formed. If you entered an issue key, ensure that it exists and you have permission to view it.

There may not be an error in Jira application logs as Jira is simply denying access through the OAuth connection.

Workaround

The issue is caused by a faulty library shipped with Jira 9.9.0. We can revert it to the same version as on Jira 9.8.0 as follows:
1. Take a backup of the following files in the Jira 9.9.0 installation and remove them from their current directory.

<jira-install>/atlassian-jira/WEB-INF/lib/atlassian-oauth-api-5.0.5.jar
<jira-install>/atlassian-jira/WEB-INF/atlassian-bundled-plugins/atlassian-oauth-admin-plugin-5.0.5.jar
<jira-install>/atlassian-jira/WEB-INF/atlassian-bundled-plugins/atlassian-oauth-service-provider-plugin-5.0.5.jar
<jira-install>/atlassian-jira/WEB-INF/atlassian-bundled-plugins/atlassian-oauth-consumer-spi-5.0.5.jar
<jira-install>/atlassian-jira/WEB-INF/atlassian-bundled-plugins/atlassian-oauth-service-provider-spi-5.0.5.jar
<jira-install>/atlassian-jira/WEB-INF/atlassian-bundled-plugins/atlassian-oauth-consumer-plugin-5.0.5.jar

2. Download the atlassian-oauth-api-5.0.4.jar from the link below:

• atlassian-oauth-api-5.0.4.jar

3. Move it to this path:

<jira-install>/atlassian-jira/WEB-INF/lib/

4. Download the five file files below:

• atlassian-oauth-admin-plugin-5.0.4.jar
• atlassian-oauth-consumer-plugin-5.0.4.jar
• atlassian-oauth-consumer-spi-5.0.4.jar
• atlassian-oauth-service-provider-plugin-5.0.4.jar
• atlassian-oauth-service-provider-spi-5.0.4.jar

5. Move them to this path (note that it's different from the one before):

<jira-install>/atlassian-jira/WEB-INF/atlassian-bundled-plugins/

6. Clear plugins cache as detailed in How to clear Jira's plugin cache.
7. Restart the application.

If running a clustered data center instance, this procedure must be executed on all nodes.

Alternative Workaround

Change the application link to OAuth only (without impersonation) on Jira and on the linked application.
This bypasses the problem, but would now require users to allow access from the linked application.