Disabling Basic Authentication in Jira Server and Data Center

From Jira/JSM 8.16 onwards we are providing the ability to disable basic authentication as a means of authenticating when requesting access to API resources.

Basic authentication is not a secure means of authentication. Our SSO implementation currently allows users to authenticate using basic authentication. However, this new configuration will allow administrators to disable such access.

Moving forward it is recommended that all pre-existing integrations that use basic authentication should be updated to use personal access tokens (PATs) instead (see using personal access tokens).

However, we are aware that it may not always be possible to update an existing integration to use PATs. To accommodate this you can add the integration to an allowlist which will permit it to continue using basic authentication.

If you have any feedback regarding this change, please feel free to reach out.

Yours,

The Jira Server Team


Is there a way to obtain a Personal Access Token in an automated way?

We are developing an app with some REST API endpoints. We test the endpoints with automated tests during CI using basic auth.
The test instances are created and destroyed during the CI run.
Is there any way to automate that?

thanks :slight_smile:

Is there documentation on the “allowlist” available yet? How will this work? Will you be able to add urls with wildcard to it like “allow /rest/myplugin/foo/*”?


Hello @clouless :wave:

Yes, it’s possible to generate a Personal Access Token using the REST API. You can send a POST HTTP request to {{baseUrlOfYourInstance}}/rest/pat/latest/tokens with the following body:

{
    "name": "tokenName",
    "expirationDuration": 90
}

The response contains the generated token (rawToken parameter).
You can authorize your request by using either basic authentication (header Authorization: Basic XYZ) or a previously generated token (header Authorization: Bearer XYZ).
It’s not documented anywhere so I’ll pass this request to the team responsible for our public documentation.

Documentation of the “Blocking basic authentication” feature is not public yet, but the allowlist will work exactly as you mentioned – wildcards will be accepted.

Cheers!

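The CI flow asked about above, carried through as an added example (not code from this thread or from Atlassian): create a PAT with one basic-auth request to /rest/pat/latest/tokens, read rawToken from the response, and use it as a Bearer token for every later call. The endpoint, request body and rawToken field are the ones named in the answer; the `transport` parameter, the fake server used to exercise the flow offline, and all credential and token values are assumptions constructed for the example.

```python
"""Create a Jira Server/DC personal access token from CI and use it as a Bearer token.

Added example, not code from the thread or from Atlassian. Only the endpoint,
body shape and the rawToken response field come from the answer above. The
`transport` callable is an assumption added so the exchange can be run offline
against a fake server; in real use the urllib-based default performs the request.
"""
import base64
import json
import urllib.request


def basic_auth_header(username: str, password: str) -> str:
    """Build the 'Authorization: Basic ...' value (base64 of user:password)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def bearer_auth_header(token: str) -> str:
    """Build the 'Authorization: Bearer ...' value for a previously created PAT."""
    return "Bearer " + token


def urllib_transport(method, url, headers, body):
    """Default transport: perform the HTTP request and return (status, response bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


def create_pat(base_url, username, password, name, expiration_days=90,
               transport=urllib_transport):
    """POST /rest/pat/latest/tokens with basic auth; return the raw token string."""
    url = base_url.rstrip("/") + "/rest/pat/latest/tokens"
    body = json.dumps({"name": name, "expirationDuration": expiration_days}).encode("utf-8")
    headers = {
        "Authorization": basic_auth_header(username, password),
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    status, payload = transport("POST", url, headers, body)
    if status not in (200, 201):
        raise RuntimeError(f"token creation failed with HTTP {status}")
    data = json.loads(payload)
    if "rawToken" not in data:
        raise RuntimeError("response did not contain rawToken")
    return data["rawToken"]


def api_get(base_url, path, token, transport=urllib_transport):
    """GET a REST resource authenticated with the PAT instead of basic auth."""
    url = base_url.rstrip("/") + "/" + path.lstrip("/")
    headers = {"Authorization": bearer_auth_header(token), "Accept": "application/json"}
    status, payload = transport("GET", url, headers, None)
    if status != 200:
        raise RuntimeError(f"GET {path} failed with HTTP {status}")
    return json.loads(payload)


def make_fake_transport(raw_token="constructed-pat-value"):
    """Constructed stand-in for the server: records every request it receives.

    A POST to the token endpoint answers with the rawToken shape from the
    thread; any GET answers with a constructed JSON body. Returns (transport, calls).
    """
    calls = []

    def transport(method, url, headers, body):
        calls.append({"method": method, "url": url, "headers": headers, "body": body})
        if method == "POST" and url.endswith("/rest/pat/latest/tokens"):
            return 201, json.dumps({"rawToken": raw_token}).encode("utf-8")
        if method == "GET":
            return 200, json.dumps({"path": url, "auth": headers.get("Authorization")}).encode("utf-8")
        return 404, b"{}"

    return transport, calls


def ci_run(base_url, username, password, transport=urllib_transport):
    """The whole CI sequence: one basic-auth call to mint a PAT, then Bearer for the rest."""
    token = create_pat(base_url, username, password, "ci-run", 1, transport=transport)
    # Constructed resource path; the real tests would call the app's own endpoints.
    result = api_get(base_url, "/rest/myplugin/foo/bar", token, transport=transport)
    return token, result


if __name__ == "__main__":
    fake, calls = make_fake_transport()
    token, result = ci_run("https://jira.example.test", "ci-user", "ci-password", transport=fake)
    print("token:", token)
    print("first call used:", calls[0]["headers"]["Authorization"].split()[0])
    print("later call used:", calls[1]["headers"]["Authorization"].split()[0])
```

Keeping the expiration short (one day here) limits the window in which a token leaked from CI logs or artifacts is useful, and logging only the scheme (`Basic`/`Bearer`) rather than the header value keeps credentials out of build output.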

Both sound very, very nice, awesome! Thanks a lot for the detailed explanation :tada: :muscle: :slight_smile:
