Check out our updates for custom authentication plugins.
What needs to be done?
When implementing custom authentication for Jira Data Center, make sure that the BeforeUserAuthenticate event is published before every login attempt.
This ensures that all the operations required before a login attempt are performed.
The event should be published before each User Directory is searched for a user with a given username.
Why is it changing?
This event ensures that all the operations required before a login attempt are performed, and fixes the issue causing login failures due to corrupted cache:
JRASERVER-74215 - Instances using custom authentication plugins might fail to log in users due to corrupt cache
A checkpoint in authentication is required to perform all operations necessary at the moment or in the future.
Authentication might fail when the BeforeUserAuthenticate event isn’t published.
The BeforeUserAuthenticate event only refreshes the user cache. But in the future, the event may trigger other operations. Stay tuned!
By when do I need to do it?
As soon as you can implement this change on your instance.
Hi @AnnaScisowska,
I have some questions regarding the event.
According to the JavaDoc, the event should be published right before authentication, while according to your post just before searching through directories. What is the right approach?
Additionally, in our app, there are cases for which we search via email or other attributes, but not username. Thus, the username is not given before searching through the directories and I cannot publish the event since it relies on the username.
If we should publish the event before user search, how should we handle these cases?
Hi @chrschommer,
Thank you for your questions!
In general, the event should be published as soon as the Jira username of the user is known.
The case you’ve mentioned is very interesting. Could you please describe the flow in more detail? Is the Jira username not known at any point during this process?
Hi @KrzysztofKrysiak,
thanks for your reply. Let me describe our auth process first:
During a SAML authentication, we get all the attributes sent by the identity provider. Then we search for the user based on a so-called user-configurable “look-up attribute”; this can be anything: the username, the email address, or any other (including custom-created) Crowd attribute.
Basically, we iterate over all directories and then search for the user depending on the look-up attribute.
Thus, in the best case, we know the username before iterating over all directories (look-up attribute = username), and in the worst case, we will know the username only after we have found the user (or we will never know the username because the user does not exist).
Thus, if I get you right, it depends a bit on when we have to publish the event:
- If the username is known before searching for the user, we can already publish it before we iterate over the directories
- In case we don’t know the username yet, we first have to search for the user and publish the event as soon as we know the username.
Do I get this right?
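The two cases described above, written out as an added example (not code from the original thread, from the SAML app, or from Jira itself): the event is published exactly once, as soon as the Jira username is known, and never when no user is found. It assumes that BeforeUserAuthenticate is the event class named in the Jira JavaDoc and takes the username in its constructor, and that UserLookup is a hypothetical interface wrapping the plugin's own per-directory search by look-up attribute.

```java
import java.util.List;
import java.util.Optional;

import com.atlassian.crowd.embedded.api.Directory;
import com.atlassian.crowd.embedded.api.User;
import com.atlassian.event.api.EventPublisher;

/** Resolves a SAML subject to a Jira user and publishes BeforeUserAuthenticate at the right moment. */
public class SamlUserResolver {

    /** Hypothetical: wraps the plugin's own search of one directory by an arbitrary look-up attribute. */
    public interface UserLookup {
        Optional<User> find(Directory directory, String lookupAttribute, String value);
    }

    private static final String USERNAME_ATTRIBUTE = "username";

    private final EventPublisher eventPublisher;
    private final UserLookup userLookup;

    public SamlUserResolver(EventPublisher eventPublisher, UserLookup userLookup) {
        this.eventPublisher = eventPublisher;
        this.userLookup = userLookup;
    }

    public Optional<User> resolve(List<Directory> directories, String lookupAttribute, String value) {
        boolean published = false;
        if (USERNAME_ATTRIBUTE.equals(lookupAttribute)) {
            // Best case: the look-up attribute is the username, so publish before any directory is searched.
            // Assumption: the event constructor takes the Jira username.
            eventPublisher.publish(new BeforeUserAuthenticate(value));
            published = true;
        }
        for (Directory directory : directories) {
            if (!directory.isActive()) {
                continue; // skip disabled directories
            }
            Optional<User> user = userLookup.find(directory, lookupAttribute, value);
            if (user.isPresent()) {
                if (!published) {
                    // Worst case: the username is only known now; publish before handing the user to the login flow.
                    eventPublisher.publish(new BeforeUserAuthenticate(user.get().getName()));
                }
                return user;
            }
        }
        // No directory contains the user: the username is never known, so no event is published.
        return Optional.empty();
    }
}
```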