Connect for Jira and Confluence apps can be invoked in a few ways: directly as a module from Atlassian products, via a web trigger, or by the app frontend invoking backend app endpoints. As documented in the Security for Connect apps guide, each request must first be authenticated to verify that it was genuinely sent by the Atlassian product, and then authorized to determine whether the user has permission to perform the action.
Through analysis of many Marketplace apps we found that apps leverage the permission model defined by Atlassian products to determine which actions within the app a user may take. For example, only Jira or Confluence admins would have the ability to manage the settings the app offers. To determine whether or not a request should be permitted, the app needs some way to determine whether the current user has administrator permissions. We also found it wasn’t always clear when apps should be performing explicit authorization checks versus relying solely on Connect module conditions or
After analysing the security findings from app reviews and the Marketplace Security Bug Bounty Program, we observed that authorization issues in apps would often lead to users getting permissions they shouldn’t have, or accessing content or issues they don’t have permissions to see.
To make authorization for Connect apps easier, we have:
Reduced the scopes Connect apps require to query for Confluence content or Jira permissions, so only the READ scope is required rather than ADMIN. This helps ensure apps aren’t requesting more scopes than necessary.
Introduced a basic authorization middleware into Atlassian Connect Express 7.1.5 to make authorization of app frontend to backend interactions via context JWTs easier.
Developed a guide to help Connect developers understand when authorization checks are required, and the two ways authorization can be enforced.
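As an added example (not code from this post, nor Atlassian's own ACE code), here is what the explicit authorization check described above looks like for a Jira app backend endpoint that should only be reachable by Jira administrators. It asks Jira, as the current user, whether that user holds the global ADMINISTER permission via the real Jira Cloud `GET /rest/api/3/mypermissions?permissions=ADMINISTER` endpoint, and fails closed on any non-200 response or malformed body. The `clientForRequest` adapter, the `req.context.http.asUserByAccountId` / `req.context.userAccountId` names in the comments, and the `addon.authorizeJira(...)` spelling of the 7.1.5 middleware are assumptions from memory of Atlassian Connect Express; confirm them against the ACE README for your version. The sample response bodies are constructed, not captured from a real Jira instance.

```javascript
// Added example, not part of the original post or of Atlassian Connect Express.
// Explicit "is the current user a Jira admin?" authorization check for a
// Connect app backend endpoint, written to fail closed.

const JIRA_ADMINISTER = 'ADMINISTER'; // Jira global permission key for Jira administrators

// Interpret a GET /rest/api/3/mypermissions?permissions=<key> response body.
// Only an explicit `havePermission: true` for the requested key grants access.
function hasPermission(body, permissionKey) {
  const entry = body && body.permissions && body.permissions[permissionKey];
  return Boolean(entry && entry.havePermission === true);
}

// Decide from HTTP status + body. Anything other than a clean 200 with a
// positive answer (expired JWT, revoked scope, Jira outage, garbage body)
// is "not authorized", never "probably fine".
function decideAdmin(statusCode, body) {
  if (statusCode !== 200) return false;
  let parsed = body;
  if (typeof body === 'string') {
    try { parsed = JSON.parse(body); } catch (e) { return false; }
  }
  return hasPermission(parsed, JIRA_ADMINISTER);
}

// Express middleware factory. clientForRequest(req) must return an object whose
// get(path) resolves to { statusCode, body } for a request made AS THE CURRENT
// USER (so the permission answer is about that user, not the app's service
// account). In an ACE app this would be an adapter around
// req.context.http.asUserByAccountId(req.context.userAccountId), used after
// addon.authenticate() has verified the context JWT (assumption: those ACE
// names and a promise-returning client; adapt to your ACE version).
//
// Equivalent wiring with the ACE 7.1.5 built-in middleware would be roughly
// (assumed spelling, confirm in the ACE README):
//   app.get('/settings', addon.authenticate(), addon.authorizeJira({ global: ['ADMINISTER'] }), handler);
function requireJiraAdmin(clientForRequest) {
  return async function (req, res, next) {
    try {
      const client = clientForRequest(req);
      const r = await client.get(`/rest/api/3/mypermissions?permissions=${JIRA_ADMINISTER}`);
      if (!decideAdmin(r.statusCode, r.body)) {
        return res.status(403).json({ error: 'Jira administrator permission required' });
      }
      return next();
    } catch (err) {
      // Network or adapter failure: deny rather than let the request through.
      return res.status(403).json({ error: 'authorization check failed' });
    }
  };
}

// Constructed sample bodies in the shape Jira returns (not real captures).
const SAMPLE_ADMIN_BODY = {
  permissions: { ADMINISTER: { id: '0', key: 'ADMINISTER', type: 'GLOBAL', havePermission: true } },
};
const SAMPLE_NON_ADMIN_BODY = {
  permissions: { ADMINISTER: { id: '0', key: 'ADMINISTER', type: 'GLOBAL', havePermission: false } },
};

// In-memory stand-in for the per-user Jira client, for offline runs.
function fakeClient(body, statusCode = 200) {
  return { get: async () => ({ statusCode, body }) };
}

// Drive the middleware with a minimal fake res; resolves to 'next' if the
// request was allowed through, otherwise to the HTTP status that was sent.
async function runMiddleware(mw) {
  let sent = null;
  let calledNext = false;
  const res = { status(code) { sent = code; return this; }, json() { return this; } };
  await mw({}, res, () => { calledNext = true; });
  return calledNext ? 'next' : sent;
}

async function demo() {
  console.log('admin  ->', await runMiddleware(requireJiraAdmin(() => fakeClient(SAMPLE_ADMIN_BODY))));
  console.log('user   ->', await runMiddleware(requireJiraAdmin(() => fakeClient(SAMPLE_NON_ADMIN_BODY))));
  console.log('outage ->', await runMiddleware(requireJiraAdmin(() => fakeClient('', 503))));
}
demo();
```

Two design points worth keeping: the permission query must be made as the calling user (that is the whole point of a context JWT carrying the user's account id), and every failure path ends in 403, so a transient Jira error or a revoked scope can never be mistaken for "admin".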
Please familiarise yourself with the Connect app authorization guide and apply the advice to your apps. If you have any questions or feedback, please reply to this thread or reach out to us on the Developer Support Service Desk.
Security Engineer, Ecosystem Security