Details
- Bug
- Resolution: Unresolved
- Low
- None
- 8.14.0, 8.20.0, 9.0.0, 9.4.0, 9.12.0, 9.14.0
- None
- 8.14
- 1
- Severity 3 - Minor
Description
Issue Summary
When a user authenticates to Jira, the authentication should be recorded as a new event in the audit log when full coverage is enabled for the Security category.
REST API requests authenticated with a personal access token (PAT) do not create a new entry in the audit log.
Steps to Reproduce
- Install a vanilla instance of Jira Software Data Center.
- This was validated on Jira 9.14.0 but dates back to the initial PAT implementation in Jira 8.14.0.
- Enable full coverage for the Security category on the Audit logs.
- Run a sample REST API call using basic authentication.

    curl -v \
      -u user001:user001 \
      'Jira-Base-URL/rest/api/latest/myself'

- Search for new events on the Audit Log and notice the User login successful event.
- Run the same REST API call using a personal access token (PAT).

    curl -v \
      -H 'Authorization: Bearer user001-token' \
      'Jira-Base-URL/rest/api/latest/myself'

- Search for new events on the Audit Log.
Expected Results
A new User login successful event is logged as part of the REST API request.
Actual Results
No new event is added.
It seems the personal access token code isn't firing a user login event.
This makes auditing inconsistent when personal access tokens (PAT) are used.
Workaround
Currently there is no known workaround for this behavior. A workaround will be added here when available.
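
To measure the gap described under Actual Results, the following added example (not Atlassian code and not part of the original report) pairs each authenticated REST request with a User login successful audit event for the same user and reports the requests left without one, per authentication scheme. The record layout (`timestamp`, `user`, `scheme`, `summary`), the 5-second window and the sample records are assumptions constructed for illustration; real exports need to be mapped to this shape.

```python
from collections import Counter
from datetime import datetime, timedelta

LOGIN_EVENT = "User login successful"  # event name from the reproduction steps

def unaudited_requests(requests, audit_events, window_seconds=5):
    """Return the requests that no login event can account for.

    Each login event is assigned to at most one request: the closest
    unmatched request by the same user within the time window. This keeps a
    Basic-auth login from hiding a PAT request made seconds later.
    """
    window = timedelta(seconds=window_seconds)
    unmatched = list(range(len(requests)))
    for ev in audit_events:
        if ev["summary"] != LOGIN_EVENT:
            continue
        ev_time = datetime.fromisoformat(ev["timestamp"])
        best, best_gap = None, None
        for i in unmatched:
            req = requests[i]
            if req["user"] != ev["user"]:
                continue
            gap = abs(datetime.fromisoformat(req["timestamp"]) - ev_time)
            if gap <= window and (best_gap is None or gap < best_gap):
                best, best_gap = i, gap
        if best is not None:
            unmatched.remove(best)
    return [requests[i] for i in unmatched]

def gap_by_scheme(requests, audit_events, window_seconds=5):
    """Map each auth scheme to (requests without a login event, total requests)."""
    missing = Counter(r["scheme"] for r in
                      unaudited_requests(requests, audit_events, window_seconds))
    total = Counter(r["scheme"] for r in requests)
    return {scheme: (missing[scheme], total[scheme]) for scheme in total}

# Constructed sample data: one Basic request and two PAT (Bearer) requests.
SAMPLE_REQUESTS = [
    {"timestamp": "2024-01-01T10:00:00", "user": "user001", "scheme": "basic"},
    {"timestamp": "2024-01-01T10:00:02", "user": "user001", "scheme": "bearer"},
    {"timestamp": "2024-01-01T10:07:00", "user": "user001", "scheme": "bearer"},
]
SAMPLE_AUDIT = [
    {"timestamp": "2024-01-01T10:00:00", "user": "user001", "summary": LOGIN_EVENT},
    {"timestamp": "2024-01-01T09:59:00", "user": "user001", "summary": "Other event (constructed)"},
]

if __name__ == "__main__":
    for scheme, (missing, total) in gap_by_scheme(SAMPLE_REQUESTS, SAMPLE_AUDIT).items():
        print(f"{scheme}: {missing} of {total} requests have no login event")
```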