Currently, the App framework that backs Jira and Confluence sends a unique client key and client secret pair to your App upon each installation. Today, we are announcing that we intend to post the same shared secret for every installation of your App; this is part of an initiative to bring Jira and Confluence in line with the new Atlassian platform for developers.
Please read through the announcement blog post for more information.
Please feel free to provide feedback or ask questions here.
Update: if you are interested in verifying that your app works correctly, please read below.
The sync process is very similar to an install-uninstall-install sequence that causes Connect to generate a new shared secret and sign it with the old shared secret for the second ‘installed’ lifecycle callback. By ignoring the uninstall event, an app developer can simulate the shared secret sync operation that will happen during migration. Here is what you can do to verify your app will behave properly during migration:
- Disable the uninstalled callback handler. One way is to modify the descriptor and map the ‘uninstalled’ lifecycle event to a non-existing path.
- Start the app in the dev environment.
- Install the app using its descriptor URL. Your app will receive an ‘installed’ callback.
- Configure the app and make sure it works properly.
- Take a note of the existing shared secret in the app database.
- Uninstall the app via add-on management. Remember that you are ignoring ‘uninstalled’ callbacks?
- Install the app again using its descriptor URL. Your app will now receive another ‘installed’ callback, providing a new shared secret in a JWT token that is signed with the old one.
- Make sure the app still works properly and the shared secret is changed in its database.
If you had any issues, please feel free to reach us via this thread or by creating a new service desk ticket. We have an internal process to dry run the migration on a test instance.
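
The check an app has to pass on the second ‘installed’ callback, sketched as an added example (not part of the original post and not Atlassian's code). It assumes the callback body carries `clientKey` and `sharedSecret`, that the JWT is HS256 with `iss` equal to the client key, and that a dict stands in for the app database; query string hash validation is left out.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: str) -> str:
    # Helper used only to construct sample callbacks for this example.
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_hs256(token: str, secret: str, now: float) -> dict:
    # Return the claims only if the algorithm, signature and expiry all check out.
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_unb64url(head)), json.loads(_unb64url(body))
        given = _unb64url(sig)
    except ValueError as exc:
        raise PermissionError("malformed JWT") from exc
    if not (isinstance(header, dict) and isinstance(claims, dict)) or header.get("alg") != "HS256":
        raise PermissionError("unexpected header or alg")
    want = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):
        raise PermissionError("bad signature")
    if claims.get("exp", 0) <= now:
        raise PermissionError("expired")
    return claims

def handle_installed(store: dict, payload: dict, auth_jwt, now=None) -> str:
    # store maps clientKey -> sharedSecret (hypothetical stand-in for the app database).
    now = time.time() if now is None else now
    key, new_secret = payload["clientKey"], payload["sharedSecret"]
    old_secret = store.get(key)
    if old_secret is None:  # assumption: a first install has no stored secret to check against
        store[key] = new_secret
        return "installed"
    # Known tenant: replace the secret only if the JWT verifies with the stored (old) one.
    if not auth_jwt or verify_hs256(auth_jwt, old_secret, now).get("iss") != key:
        raise PermissionError("re-install not signed with this tenant's stored secret")
    store[key] = new_secret
    return "rotated"
```

After a successful rotation the old secret no longer verifies anything, so a replay of the same callback is rejected and the stored secret stays at the new value.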