Deprecation of obsolete Jira Cloud download attachment and thumbnail URLs

Tara · November 4, 2022, 3:48am

What is changing?
We have just deprecated a number of obsolete download attachment and thumbnail APIs. The following APIs will be removed and replaced in Jira Cloud:

/secure/attachment/{attachmentId}/{attachmentName}
/servicedesk/customershim/secure/attachment/{attachmentId}/{attachmentName}
/secure/thumbnail/{thumbnailId}/{thumbnailName}
/servicedesk/customershim/secure/thumbnail/{thumbnailId}/{thumbnailName}

What do I need to do?
Developers are encouraged to migrate to their replacements as the APIs will be removed in 3 months:

/rest/api/{v:2|3|latest}/attachment/content/{attachmentId}
/rest/servicedeskapi/request/{issueIdOrKey}/attachment/{attachmentId}
/rest/api/{v:2|3|latest}/attachment/thumbnail/{thumbnailId}
/rest/servicedeskapi/request/{issueIdOrKey}/attachment/{thumbnailId}/thumbnail

By when do I need to do it?
The new APIs are now available in all Jira Cloud instances.

The deadline is 04 February 2023. At any point after that, the old endpoints may be removed.

matthias · November 4, 2022, 7:02am

Hey @Tara,

thank you for the notification. May I ask what’s the reason to deprecate this already after 3 months instead of the usual 6 months as stated in your deprecation policy?

Cheers,
Matthias.

Tara · November 4, 2022, 1:00pm

Hi @matthias ,
We’ve chosen to deprecate this in 3 months rather than our usual 6 months as OAuth scopes are not correctly enforced on these APIs and the use of user-generated content within the URI as part of the attachment name leaves a larger surface area for exploitable vulnerabilities. To ensure we close security gaps within an acceptable timeframe, we’ve chosen to shorten the deprecation period.
These APIs also do not come under the standard deprecation policy as they are not officially supported as part of our public REST API documentation
However, we understand the deprecated APIs have existed for a long time so we would like to give consumers ample time to migrate to the new endpoints. If for any reason there are unexpected issues with migration, we are happy to revisit the 3-month deprecation period.

Regards,
Tara.

system · December 4, 2022, 1:01pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.