I’ve read this many times and it was never clear to me what happens with the shared secret from the install payload. The page doesn’t mention that each install event that’s signed with RS256 provides a new shared secret. Could someone from Atlassian confirm this behaviour? I had already confirmed it with the connect inspector https://connect-inspector.services.atlassian.com/ but I’d like to know if this is intended or a bug in the implementation of this new asymmetrically signed request feature.
The reason I’m asking is that we run a multi-tenanted setup in which caching is done for tenants. As it stands now the caching is preventing us to roll out the feature for all our customers because their requests to Atlassian won’t be valid due to the new secret they get when an automatic installation happens as a result of the descriptor change.
Moreover, if this is the intended behaviour, could you please update the post to mention this breaking change?
Is anyone using similar approach and knows how to fix it?
EDIT: I have hardcoded “baseUrl”: “https://xyz.ngrok.io” to make sure it is not a race condition and it still doesn’t work. When I set “signed-install”: false, everything starts to work again
I have figured it out. Latest addition of allowedBaseUrls basically a little bit broke ACE.
Now, the aud claim is always checked against allowedBaseUrls array, which is constructed as a concatenation of localBaseUrl property from config and allowedBaseUrls property.
This breaks ACE, because now, baseUrl from descriptor is ignored completely, meaning you can’t have static baseUrl
Also descriptor transformer is broken because of that.
May I ask which version of ACE you are using? The issue you mentioned sounds very serious.
We enabled the signed install but did not notice the issue, so I am quite curious.
Hi @dciupureanu
We do not encourage apps to expect a single shared secret, and we have plans for returning back to per-installations based shared secret.
However, this change has not been rolled out to all tenants yet, but is enabled on Ecosystem Beta Group and Early Adopter tenants for testing. Also, this feature is only enabled for the apps with signed-install feature opted-in.
Just to be clear with the existing behaviour on all other production tenants, if you are installing your app manually from developer mode with your descriptor URL, you will always get a new sharedSecret. And if the install was triggered from the marketplace, your app will receive a single shared secret for all tenants.
Additionally, if your app had received a mismatching shared secrets from production environment, this is due a recent Marketplace failure that made connect to safely fallback by sharing a locally generated shared secret. If I remember correctly, there was an incident early this month that may have lead to this fallback mechanism.
Thanks for reporting this.
I’ve just patched a new version 7.4.8. ACE will now include the baseUrl which is modified via descriptorTransformer function, during audience claim check.
we switched our app (based on a homebrewn framework) and everything works fine. We closely monitor the logs and recognized that quite often, we receive install requests for instances at https://free-app-blitz-carbon*.jira-dev.com/wiki that reference a non-existing public key - the key store server returns 404. Is this some kind of planned testing or is something broken somewhere?
Best regards
Steffen
Edit: just asking because this messes with our “Did the change deploy successfully” metrics. If this is an expected behavior, we would ignore those errors for our reporting.
Hi @SteffenMueller jira-dev.com domain is for internal testing environment. I believe some team has automated test running against that instances with your app included. Could you please post your app key so that I can trace down the owner of the instance and check if they can remove your app from testing?
Thank your clarifying this, but unfortunately I still have some questions so let me see if I got it:
If I opt-in I will get a new shared secret with every install in Production i.e. installing via MPAC
If I opt-out I will not get a new shared secret with every install in Production i.e. installing via MPAC
If I opt-out I will get a new shared secret with every install in a non-Production environment i.e. installing the addon manually in developer mode
If I opt-out the behaviour stays the same in Production i.e. installing via MPAC, as it currently is without the flag being set at all
Sorry for this back-n-forth, but I find this thread and the communication about the changes this feature bings in all over the place and, sorry to say, in the typical Atlassian fashion.
Could you please update the documentation in this announcement, in the one about secrets changing and on the developer docs to reflect what each state of this flag means please?
@HanjooSong now that we are approaching the deadline of this change, can you please share with us if you have any analytics regarding how many active Atlassian Marketplace apps are still not compatible and whether Atlassian is considering a minimal threshold required attached to a final GO/NOGO decision on Friday?
Hi @remie
We have actually scheduled another email notification to inform you of our next stage, but looks like it may be sent on 1st of Nov at the earliest.
In short, we have decided to use AMS ticket for all apps that has not opt-in for this new authentication because we are still seeing a high number of apps that did not take any actions. We will not be enforcing any installations to break after the end of this week, but moving forward, the new remediation due date and the enforcement will follow the AMS enforcement policy.
Hi @dciupureanu I understand your pain and I agree with you that including developer documentation in the announcement was not a good idea. (Unfortunately the announcement cannot be updated after 30days)
If I opt-in I will get a new shared secret with every install in Production i.e. installing via MPAC
→ Yes, per-install based shared secret change will be followed within couple of months after you opt-in.
If I opt-out I will not get a new shared secret with every install in Production i.e. installing via MPAC
→ Yes, it will maintain the existing behaviour. But you may still get a different sharedSecret if MPAC service or any other underlying internal Atlassian service experiences issue that relates to the shared secret. Also, when we need to rotate your app’s secret, it will take up to 24 hours for all Jira instances to be updated with the new one.
If I opt-out I will get a new shared secret with every install in a non-Production environment i.e. installing the addon manually in developer mode
→ Yes, regardless of the signed-install feature you will always get a new shared secret for every install when you are using using “developer mode” to install an app. This is an existing behaviour.
We are using AC Spring Boot. We enabled the signed-install feature with the necessary changes and released the new version to the marketplace. We are now getting the following message in the logs. Is it normal for install requests to fall back?
c.s.i.a.a.AsymmetricAuthenticationFilter : Failed to authenticate request, falling back to symmetric JWT auth
