Different shared secrets from the installation hook


We have a publicly listed Atlassian Marketplace app/plugin built with https://bitbucket.org/atlassian/atlassian-connect-express/src/master/. Today, while we were looking at the database and the application logs, we discovered something really strange.

We have 13 app installations; 12 of them have the same sharedSecret and one of them has a different one stored.

This is surprising because the documentation says that all the tenants share the same secret.

What is even more strange, the next installation (after the one that has a different shared secret) received the same secret as the preceding installations.

So we have:

  1. sharedSecret: "ABC"
  2. sharedSecret: "ABC"
  3. sharedSecret: "EFD"
  4. sharedSecret: "ABC"

This is an extract from the application DB (AddonSettings table):

What we also observed is that installations 10 and 11 were created on the same day with very similar baseUrls: https://xy-example1.atlassian.net and https://xy-example2.atlassian.net.

(BTW, this may not be related, but it is worth noting another anomaly: in installation 12 the baseUrl was https://mazik.personal.atlassian.net, while in the description we can see Atlassian JIRA at https://team-43534534587.atlassian.net.)

BTW, it would be great to get some information on when the sharedSecret can change. E.g., can it change during an app update, or is it safe to assume that it will never change after the installation?

Hi @AdamMazur,

This is all working as expected. Atlassian recently announced that they're making this change: Connect is returning to per-installation secrets.

1 Like

WOW @SvenSchatter

Thanks for the quick answer. You really saved us a lot of time. This is really surprising.
Do you know if the shared secret can be changed on the app update?

Best wishes

Fun fact: it's actually a reversal of a change they made previously. When Connect started, they already had per-tenant shared secrets, so most vendors have an infrastructure that accounts for different shared secrets. Afterwards they started to implement a single shared secret, stopped halfway, and reversed it last month. Either way, you should create your architecture around tenants and assume information is specific per tenant.

1 Like
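The per-tenant handling the replies recommend, as an added example that is not code from the thread or from atlassian-connect-express: the installed-lifecycle handler stores one secret per clientKey, and incoming host JWTs are verified only with the secret of the installation named in their `iss` claim (Connect puts the clientKey there), so a secret that differs for one tenant, or changes on reinstall, is handled without any shared fallback. The `TENANTS` registry, the key names and `make_token` are constructed assumptions standing in for the AddonSettings rows.

```python
import base64, hashlib, hmac, json, time

# Constructed per-installation registry (an assumption standing in for the thread's
# AddonSettings rows): one row per clientKey, each with its own sharedSecret.
TENANTS = {
    "client-key-1": {"baseUrl": "https://xy-example1.atlassian.net", "sharedSecret": "ABC"},
    "client-key-2": {"baseUrl": "https://xy-example2.atlassian.net", "sharedSecret": "EFD"},
}

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def on_installed(payload):
    """Installed-lifecycle handler: store or replace the secret for this clientKey only."""
    TENANTS[payload["clientKey"]] = {"baseUrl": payload["baseUrl"],
                                     "sharedSecret": payload["sharedSecret"]}

def verify_connect_jwt(token, now=None):
    """Verify an HS256 JWT from a host; the secret is looked up by iss (the clientKey)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    payload = json.loads(_b64url_decode(payload_b64))
    tenant = TENANTS.get(payload.get("iss"))
    if tenant is None:
        raise ValueError("unknown installation")
    # Only this installation's own secret is tried; there is no shared fallback secret.
    expected = hmac.new(tenant["sharedSecret"].encode(),
                        f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if payload.get("exp", 0) < (time.time() if now is None else now):
        raise ValueError("expired")
    return payload

def is_valid(token, now=None):
    try:
        verify_connect_jwt(token, now)
        return True
    except ValueError:
        return False

def make_token(client_key, secret, exp):
    """Test helper (constructed) that signs a token the way a host installation would."""
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": "HS256", "typ": "JWT"}, {"iss": client_key, "exp": exp})]
    sig = hmac.new(secret.encode(), ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url_encode(sig)])
```

A token for installation 3 signed with the secret the other installations share is rejected, and after a reinstall delivers a new secret the old one stops validating for that tenant only.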