As a Jira administrator I would like to disallow access to the UI from a browser when the authentication method is a personal access token


    • Type: Suggestion
    • Resolution: Unresolved
    • Component/s: Personal Access Tokens

      Problem Definition

      Personal Access Tokens (PAT) are available on Jira since version 8.14.0.
      As part of the implementation of JRASERVER-72019, authentication with a PAT is allowed on any endpoint rather than being restricted to /rest.

      As a consequence of this change, users can add the token as part of the request headers from the browser and authenticate to the product UI.

      Suggested Solution

      As a Jira administrator, it would be great to have an option to disallow users from accessing the UI from a browser when the authentication method is a personal access token.
      It could be either an option on the UI or a system property to configure it.

      Workaround

      Use the load balancer or the reverse proxy to limit access to the UI when the Authorization: Bearer request header is used.

      Administrators may want to consider an API token solution from the Atlassian Marketplace: https://marketplace.atlassian.com/search?hosting=dataCenter&product=jira&query=api%20token
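      The reverse proxy workaround above, as an added example that is not part of the ticket and not Atlassian's own configuration. It assumes nginx terminates TLS in front of Jira, that Jira listens on http://jira:8080 (assumed upstream), that jira.example.com is the public hostname (assumed), and that /rest/ is the only path prefix PAT-based clients need. The map block belongs in the http context; the server block can sit alongside the existing one.

```nginx
# Added example (not from the ticket): nginx in front of Jira, refusing
# Bearer-token requests to UI paths while leaving the REST API reachable.
# Assumed upstream: http://jira:8080. Assumed hostname: jira.example.com.

# http context: flag any request whose Authorization header uses the
# Bearer scheme (PATs use "Authorization: Bearer <token>"). The match is
# scheme-based, so any other Bearer-based integration is flagged as well.
map $http_authorization $is_bearer {
    default        0;
    "~*^Bearer\s"  1;
}

server {
    listen 443 ssl;
    server_name jira.example.com;        # assumed hostname
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # REST endpoints: PAT authentication is allowed here.
    location /rest/ {
        proxy_pass http://jira:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else is treated as the browser UI: a Bearer token is
    # rejected before the request reaches Jira.
    location / {
        if ($is_bearer) {
            return 403;
        }
        proxy_pass http://jira:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

      To check the rule, send the same PAT to a UI path and to a REST path: `curl -sI -H "Authorization: Bearer $PAT" https://jira.example.com/secure/Dashboard.jspa` should return 403 from the proxy, while `curl -s -H "Authorization: Bearer $PAT" https://jira.example.com/rest/api/2/myself` should still return the token owner's profile. Because the map matches on the Bearer scheme rather than on the token itself, any non-REST path that a legitimate Bearer-authenticated integration needs (for example a servlet endpoint) has to be added as its own allowed location.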

            Assignee: Unassigned
            Reporter: Thiago Masutti (Inactive)
            Votes: 2
            Watchers: 3
