We are experiencing an issue with JWT authentication in our Atlassian Connect addon where users are getting authenticated with the wrong account ID after logging out and logging back in with a different user.
Environment:
- Atlassian Connect Express version: 11.6.0
- Node.js version: 22.13.0
- Browser: Chrome 141.0.7390.66
Technical Setup:
- Using Atlassian Connect Express with JWT authentication
- WebItem configured in atlassian-connect to redirect to /jwt-login
Authentication Flow:
- User hits /login-url in our app → redirected to Atlassian login
- After login → Atlassian redirects to /jwt-login
- ACE addon.authenticate() validates token and sets req.context.userAccountId from JWT sub claim
- Session is populated with user data
Problem:
- User A logs in successfully → gets correct JWT with sub: userA-account-id
- User A logs out → session destroyed
- User B logs in → gets JWT with sub: userA-account-id instead of sub: userB-account-id
- User B is authenticated as User A → wrong access/permissions
Expected Behaviour:
Each login should generate a fresh JWT with the correct sub claim for the currently logged-in user.
Questions:
- Is there any JWT caching happening on Atlassian's side that could cause this?
- Should we be handling logout differently to ensure JWT tokens are invalidated?
- Are there any known issues with user switching in Atlassian Connect authentication?
Additional Context:
This happens consistently when switching between users, suggesting it’s not a random caching issue but a systematic problem with how JWT tokens are being generated or cached.