Jira Data Center
JRASERVER-77689

As a Jira administrator I would like to disallow access to the UI from a browser when the authentication method is a personal access token


Details

    • Type: Suggestion
    • Resolution: Unresolved
    • Component/s: Personal Access Tokens
    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      Problem Definition

      Personal Access Tokens (PAT) have been available in Jira since version 8.14.0.
      As part of the implementation of JRASERVER-72019, authentication with a PAT is accepted on any endpoint; it is not restricted to /rest.

      As a consequence of this change, users can send the token in the request headers from a browser and authenticate to the product UI with it.

      Suggested Solution

      As a Jira administrator, it would be useful to have an option to disallow users from accessing the UI from a browser when the authentication method is a personal access token.
      This could be either an option in the UI or a system property.

      Workaround

      Use the load balancer or reverse proxy in front of Jira to block requests to the UI that carry an Authorization: Bearer request header, while still allowing them on the REST endpoints.
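      One way to implement that workaround, as an added example that is not part of this issue or of Atlassian's documentation: an nginx reverse-proxy configuration that passes Bearer-authenticated requests through to /rest/ but rejects them for every other path (the browser UI). The upstream address, hostname and root context path are assumptions; adjust them to your deployment.

```nginx
# Added example, not from the Jira issue. Assumes Jira Data Center listens on
# 127.0.0.1:8080 with context path "/" and nginx terminates TLS in front of it.
upstream jira {
    server 127.0.0.1:8080;   # placeholder Jira node address
}

# 1 when the request carries "Authorization: Bearer ..." (case-insensitive),
# i.e. a PAT-style token rather than a session cookie or Basic credentials.
map $http_authorization $pat_bearer {
    default        0;
    "~*^Bearer\s"  1;
}

server {
    listen 443 ssl;
    server_name jira.example.com;   # placeholder hostname
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # REST API: PATs are legitimately used here, so pass the header through.
    location /rest/ {
        proxy_pass http://jira;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else is the browser UI: refuse Bearer-authenticated requests
    # before they reach Jira. "return" inside "if" is safe in nginx.
    location / {
        if ($pat_bearer) {
            return 403;
        }
        proxy_pass http://jira;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

      Verify after reloading nginx: a request to /secure/Dashboard.jspa with an Authorization: Bearer header should return 403, while the same header on /rest/api/2/myself still returns 200. Note that this only blocks the Bearer header; cookie-based and Basic authentication to the UI are unaffected.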

      Administrators may want to consider an API token solution from the Atlassian Marketplace: https://marketplace.atlassian.com/search?hosting=dataCenter&product=jira&query=api%20token

      People

        Assignee: Unassigned
        Reporter: Thiago Masutti (tmasutti)
        Votes: 1
        Watchers: 3