IP Whitelisting versus server side requests from a Connect app

First of all, lots of :+1: :+1: :+1: for this new feature release in Atlassian Cloud: https://jira.atlassian.com/browse/CLOUD-2636

Question: did anyone test it against their connect apps? Do customers need to whitelist connect app IPs, or this mechanism is dedicated only for user initiated connections?

Thanks!

4 Likes

@Grzegorz.Tanczyk Thanks for bringing this up!

The docs say: " Users also won’t be able to access that product programmatically via the APIs." So from the docs it is not clear if it also applies to Connect apps.

@dmorrow Do you know more about the IP whitelisting feature in relation to Connect apps? The documentation is quiet about this: https://confluence.atlassian.com/cloud/ip-allowlisting-998658750.html

Hi @Grzegorz.Tanczyk and @marc,

My interpretation is that this feature only restricts the connections made by users to the product and as such, I don’t believe there will be any direct impact on apps.

Users also won’t be able to access that product programmatically via the APIs

This statement refers to the use of personal API tokens (https://id.atlassian.com/manage-profile/security/api-tokens).

Regards,
Dugald

5 Likes

Hi @Grzegorz.Tanczyk and @marc,

My name is Rak, and I’m the product manager for IP allowlisting for Jira and Confluence. @dmorrow’s interpretation of the documentation is correct. This feature will only restrict integrations that access products via basic API tokens and connections that are made by users. Connect apps will not be affected or restricted.

Thanks,
Rak Garg
Product Management, Atlassian

3 Likes

@RakGarg Thank you for the clarification.

Hey @RakGarg ! Has something changed with this recently? Has e.g. https://xyz.atlassian.net/wiki/rest/api/settings/systemInfo or https://api.atlassian.com/ex/confluence/xyz/rest/api/space been added to the restriction scope?

Cheers,

-Erkki

Hi @ErkkiLepre,

It doesn’t look like anything changed on these endpoints.
Do you have any more details about the problem? What is calling the endpoint (an app, or are the APIs called directly)?

I’m also curious to know if whitelisting has been enabled recently on the instance or if that’s been on since some time.

Thank you,
Caterina

Hi @ccurti ,

Thanks for the reply.

I’m afraid I don’t have a lot more info. Our backend is making simple calls to those APIs in certain situations. According to the customer, that particular scenario, where the APIs are used, was working earlier, but not anymore. We have not made any changes on our side, so something else has changed. According to the customer, the issue started between 6th and 11th of May. Also - according to the customer - IP whitelisting was enabled and working earlier.

Cheers,

-Erkki

Hi @ErkkiLepre,

The best way to understand if these endpoints are being restricted because of IP whitelisting is by checking the http response.
If the endpoint is blocked, the request will return a 403 status code with a The IP address has been rejected because it is not on the allowedlist. See your admin for more information. message.

Can you check if that’s the case?

1 Like

Hi @ccurti ,

Yes, the error message is The IP address has been rejected because it is not on the allowedlist. See your admin for more information.

Cheers,

-Erkki

In case anybody else is wondering, Atlassian did make a change to their API proxy on May 5th, that affected this.

2 Likes

Hi @ErkkiLepre,

Can you use *.atlassian.net/wiki/rest/api/space instead of api.atlassian.com and let me know if IP allowlisting is still blocking the request? As api.atlassian.com is for only on-premise integrations using OAuth authentication and Connect apps should be using *.atlassian.net.

It is covered in the documentation here: https://developer.atlassian.com/cloud/jira/software/rest/intro/#introduction