Storing and handling app installation secrets

As part of rolling out Connect’s return to per-installation secrets, we’re making a small change to how Connect Jira and Confluence secrets are formatted. Generated secrets will soon (over the next week or so) include an ATCO (“Atlassian Connect”) prefix and checksum to help identify secrets as being per-installation (vs. shared). The prefix can help Atlassian improve some security detection use cases, such as where secrets may be exposed or incorrectly stored.

We’ve updated the Security for Connect apps guidance around how these secrets should be handled and stored. The prefix and checksum we’re adding today will add 12 bytes over the existing Connect installation secret size, but please make sure your app can handle storing secrets of up to 400 bytes. We’re not anticipating this small 12-byte increase to cause any issues with apps, and we’ll post an update when the change is live.

Cheers,
Zac
Security Engineer, Ecosystem Security

4 Likes

@zsims sorry, are you saying once we start to receive the new app installation secrets, we need to extract the sharedSecret from the string passed in the installation webhook?

No, we’re just giving notice that the secret is increasing in length by 12 bytes and the reasons for that increase. There should be no change required for apps at all; you should just treat the secret as an opaque value. No processing is required.

5 Likes
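As an added illustration of the two points made above (store the secret opaquely, and make sure storage can hold up to 400 bytes), here is example code that is not Atlassian's and not from the linked guidance: a per-installation store whose schema enforces the 400-byte ceiling and which never parses the prefix. The `clientKey`/`sharedSecret` field names and all sample values are assumptions constructed for the example; the "ATCO..." value is a placeholder, not a real secret or checksum.

```python
import sqlite3
from typing import Optional

# Cap from the announcement: apps must be able to store secrets of up to 400 bytes.
MAX_SECRET_BYTES = 400

# Constructed sample "installed" lifecycle payloads (illustrative only: the
# "ATCO..." value is a placeholder, not a real secret or a real checksum).
SAMPLE_INSTALLED_EVENTS = [
    {"clientKey": "tenant-a", "sharedSecret": "ATCO" + "x" * 40},
    {"clientKey": "tenant-b", "sharedSecret": "y" * MAX_SECRET_BYTES},  # at the cap
]

def open_store() -> sqlite3.Connection:
    """One row per installation (clientKey); the CHECK constraint makes the
    400-byte ceiling a property of the schema rather than of each caller."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE installation_secret ("
        " client_key TEXT PRIMARY KEY,"
        " shared_secret BLOB NOT NULL"
        f" CHECK (length(shared_secret) <= {MAX_SECRET_BYTES}))"
    )
    return conn

def store_secret(conn: sqlite3.Connection, client_key: str, shared_secret: str) -> int:
    """Store the secret as an opaque value: no prefix parsing, no trimming.
    Returns the byte count stored; raises ValueError rather than truncating,
    since a silently shortened secret breaks every later request check."""
    raw = shared_secret.encode("utf-8")
    if not raw or len(raw) > MAX_SECRET_BYTES:
        raise ValueError(f"secret is {len(raw)} bytes, allowed 1..{MAX_SECRET_BYTES}")
    # A re-install replaces that installation's previous secret only.
    conn.execute("INSERT OR REPLACE INTO installation_secret VALUES (?, ?)",
                 (client_key, raw))
    conn.commit()
    return len(raw)

def load_secret(conn: sqlite3.Connection, client_key: str) -> Optional[str]:
    """Return the stored secret for one installation, byte-for-byte."""
    row = conn.execute("SELECT shared_secret FROM installation_secret WHERE client_key = ?",
                       (client_key,)).fetchone()
    return None if row is None else bytes(row[0]).decode("utf-8")

def ingest(conn: sqlite3.Connection, events: list) -> dict:
    """Process a batch of installed events; map clientKey -> bytes stored."""
    return {e["clientKey"]: store_secret(conn, e["clientKey"], e["sharedSecret"]) for e in events}
```

Running `ingest(open_store(), SAMPLE_INSTALLED_EVENTS)` stores both secrets unchanged; a 401-byte value is rejected by `store_secret` before it can be truncated by a too-narrow column.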