Details
Suggestion
Resolution: Unresolved
Description
Problem Definition
Personal Access Tokens (PAT) are available in Jira since version 8.14.0.
As part of the implementation of JRASERVER-72019, authentication with a PAT is accepted on any endpoint rather than being restricted to /rest.
As a consequence of this change, users can send the token in the request headers from a browser and authenticate to the product UI with it.
Suggested Solution
As a Jira administrator, it would be great to have an option to disallow users from accessing the UI from a browser when the authentication method is a personal access token.
It could be either an option in the UI or a system property to configure it.
Workaround
Use the load balancer or the reverse proxy to limit access to the UI when the Authorization: Bearer request header is used.
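One way to apply the reverse-proxy workaround above, written here as an added example rather than configuration taken from this issue or from Atlassian: an nginx front end that passes bearer-token requests through to /rest, where PAT authentication is intended, and rejects them for every other path, which is the browser UI. The upstream address 127.0.0.1:8080, the server name and the bare context path are assumptions; adjust them to your deployment.

```nginx
# Added example, not part of the Jira issue. Assumes Jira listens on
# 127.0.0.1:8080 and is served at the root context path.

# Flag any request whose Authorization header carries a bearer token.
map $http_authorization $pat_in_browser {
    default        0;
    "~*^Bearer\s"  1;
}

upstream jira {
    server 127.0.0.1:8080;
}

server {
    listen      443 ssl;
    server_name jira.example.com;   # assumed hostname
    # ssl_certificate / ssl_certificate_key omitted here

    # REST endpoints: PAT authentication is the supported use, pass through.
    location /rest/ {
        proxy_pass         http://jira;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }

    # Everything else is the browser UI: refuse bearer-token requests
    # before they reach Jira, so the token cannot open a UI session.
    location / {
        if ($pat_in_browser) {
            return 403;
        }
        proxy_pass         http://jira;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

After reloading nginx, a request with a valid PAT to /rest/api/2/myself should still return 200, while the same header sent to / should return 403. Two caveats: the rule keys only on the header name, so it does not distinguish a PAT from any other bearer credential, and any integration that calls a non-/rest path with a token will need its own location block that passes through like the /rest/ one.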
Administrators may want to consider an API token solution from the Atlassian Marketplace: https://marketplace.atlassian.com/search?hosting=dataCenter&product=jira&query=api%20token