App context security and tenant isolation guidance

Thanks for the recent docs update regarding App context security and the resp. shared responsibility model contract.

I’m surprised about the missing security guarantees for cloudId though, which seems to subvert tenant isolation at the site level when integrating external resources - here’s an example payload from useProductContext():

{
  "accountId": "9f80f11f-...",
  "cloudId": "0c3130ff-...",
  "contentId": "703102977",
  "localId": "625d12a6-...",
  "spaceKey": "DEV",
  "installContext": "ari:cloud:confluence::site/0c3130ff-..."
}

Could you please clarify why cloudId is not “guaranteed to be secure” as well, and provide guidance on how to implement tenant isolation per installation context without it?

Many thanks,
Steffen

3 Likes

Case in point, I’ve just followed up on How to retrieve the actual Jira instance I am in? - #11 by sopel with another option based on the GraphQL Gateway’s tenantContexts query, which incidentally treats the cloudId as, well, the tenant context, suggesting it to be “guaranteed to be secure” for tenant isolation?

Hi @sopel,

Sorry for the delayed reply. While cloudId is currently not considered secure or tamper-proof, we do consider the installContext property to be secure. The installContext is an identifier which includes the installed product and cloudId within it.

I will update the document with this information and also look into exposing the cloudId or installContext securely in Custom UI as well.

2 Likes
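One way to act on the reply above, as an added example that is not code from the thread or from Atlassian's Forge SDK: derive the tenant partition key only from installContext, and treat the cloudId field as an untrusted hint that is cross-checked against it. The ARI layout `ari:cloud:<product>:<cloudId>:<type>/<id>` and the sample payload values are assumptions modelled on the thread's example.

```javascript
// Assumed ARI layout: ari:cloud:<product>:<cloudId>:<type>/<id>. The thread's
// sample has an empty <cloudId> segment and resource type "site".
const ARI_RE = /^ari:cloud:([a-z][a-z0-9-]*):([0-9a-f-]*):([a-z][a-z0-9-]*)\/([A-Za-z0-9._-]+)$/;

// Parse an installContext ARI. Any deviation returns null so that an
// unexpected value fails closed instead of resolving to some tenant.
function parseInstallContext(ari) {
  if (typeof ari !== 'string') return null;
  const m = ARI_RE.exec(ari);
  if (!m) return null;
  const [, product, ariCloudId, resourceType, resourceId] = m;
  if (resourceType !== 'site') return null; // only site-scoped installs handled here
  // For a site ARI the resource id is the site's cloudId; if the optional
  // cloudId segment is also present it must agree with it.
  if (ariCloudId && ariCloudId !== resourceId) return null;
  return { product, resourceType, cloudId: resourceId };
}

// Build the key under which per-tenant data is stored. Only installContext
// feeds the key; the payload's cloudId is compared against it but never used.
function tenantKeyFromContext(ctx) {
  const parsed = parseInstallContext(ctx && ctx.installContext);
  if (!parsed) {
    throw new Error('installContext missing or malformed; refusing to resolve tenant');
  }
  if (ctx.cloudId !== undefined && ctx.cloudId !== parsed.cloudId) {
    // The untrusted field disagrees with the trusted one: log and refuse.
    throw new Error('cloudId does not match installContext; refusing to resolve tenant');
  }
  return `${parsed.product}:site:${parsed.cloudId}`;
}

// Constructed sample payload in the shape of the useProductContext() output
// quoted in the thread (ids are made up).
const SAMPLE_CONTEXT = {
  accountId: '9f80f11f-0000-4000-8000-000000000001',
  cloudId: '0c3130ff-0000-4000-8000-000000000002',
  contentId: '703102977',
  localId: '625d12a6-0000-4000-8000-000000000003',
  spaceKey: 'DEV',
  installContext: 'ari:cloud:confluence::site/0c3130ff-0000-4000-8000-000000000002',
};

console.log(tenantKeyFromContext(SAMPLE_CONTEXT));
```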