IP allowlist blocks our connect app when using user impersonation

Some of our connect apps are being blocked by the IP allowlist (Premium feature).
Our apps do not have static IP addresses (mostly because it’s ridiculous how expensive that is on AWS).

At first I thought this happens to all Connect apps as soon as IP allowlist entries are configured, but then I saw the last section on the docs page:

We also don’t apply your IP allowlist restrictions to the following:

  • Application links that use TwoLeggedOAuth
  • Connect applications

I could trace it down to the following behaviour:

  • Requests that authenticate ‘as app’ do succeed
  • Requests that authenticate via user impersonation fail

Could someone from Atlassian please confirm this? I suppose this is a bug.

@dmorrow I’ve seen you involved in other discussions related to this topic, so I’d appreciate your opinion here :slight_smile:

Thanks,
Jens

2 Likes

@jens,

Thanks for opening this topic. I highly doubt only you are affected.

That said, you have clearly identified a reproducible bug. Could you please log it with developer support? This will be the fastest way to make sure the issue gets to the right Atlassian team. Especially because @dmorrow is off enjoying a vacation right now.

2 Likes

Thanks @ibuchanan,

I’ve created ECOHELP-33513 in case anybody needs a reference in the future.

1 Like

This affects us and our Forge app too. If there’s a public bug ticket, I’d love to vote/comment/watch.

@jbevan,

The support ticket is still being worked and is not yet linked to a public ticket. That said, initial research indicates it might be due to CLOUD-11213: Enable by-pass of IP Allow-lists for Connect apps using api.atlassian.com.

I’m not sure we’re aware of problems with Forge. On that topic, you might have new information for which there should be a new/different bug.