We know that there has been an enforcement of the deprecation of the use of JWT in query strings recently. This means that products like Jira won’t read any ?jwt=xxx that addons send to its servers. That said, we can see that Jira itself keeps sending JWTs as part of the query string to addons. Considering that this is not a good practice, is there something that can be done in an app descriptor to avoid the use of JWTs? If not, is its removal planned for sometime soon?
You cannot change it and given that these requests are made by the iFrame, I’d say there is no technical alternative.
That being said, the tokens sent by Atlassian are different from the ones they accept. The ones sent by Atlassian have a qsh claim that limits the scope of the token. So there might be different security considerations.
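The following is an added example, not part of the thread and not Atlassian's code: a sketch of how an app can check that a query-string JWT is bound to the exact request it arrived on, by verifying the HS256 signature and then recomputing the qsh claim. The function names, the simplified canonical form (upper-cased method, path, sorted query without the jwt parameter, joined by `&`, SHA-256 hex) and the app being served at the root of its base URL are assumptions; expiry and issuer checks are left out to keep the focus on qsh.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlsplit, parse_qsl, quote

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def compute_qsh(method: str, url: str) -> str:
    """SHA-256 over METHOD&path&sorted-query, leaving out the jwt parameter."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    params = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key != "jwt":  # the token cannot cover itself
            params.setdefault(quote(key, safe="-._~"), []).append(quote(value, safe="-._~"))
    query = "&".join(f"{k}={','.join(sorted(v))}" for k, v in sorted(params.items()))
    return hashlib.sha256(f"{method.upper()}&{path}&{query}".encode()).hexdigest()

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 token so the example runs offline."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_request(method: str, url: str, secret: bytes) -> bool:
    """Accept the request only if the signature is valid and qsh matches it."""
    token = dict(parse_qsl(urlsplit(url).query)).get("jwt", "")
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_unb64url(head)), json.loads(_unb64url(body))
        given = _unb64url(sig)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return False
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False
    if header.get("alg") != "HS256":  # pin the algorithm, do not trust the header
        return False
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return False
    # A validly signed token replayed on another method, path or query fails here.
    claimed = str(claims.get("qsh", "")).encode()
    return hmac.compare_digest(claimed, compute_qsh(method, url).encode())
```

Because the qsh covers the method, path and remaining query parameters, a token captured from one iframe URL (for example from a log or a Referer header) does not validate against a different endpoint of the same app.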