Deprecate apps encoding OAuth 2 JWTs with user keys as the sub claim

Description

As part of GDPR compliance, we are changing how apps access users' personal data. This will affect the use of user keys as sub claims in the OAuth 2 JWTs that apps generate to call the product's APIs.
Currently the sub claim field in the JWT is the user key. Apps need to change this to the Atlassian Account ID, and Connect needs to modify its handling so that it allows either.
This work is broken down into two parts:

  1. Support an additional method for identifying users in the sub claim of the JWT assertion created by the app as tracked by

  2. Remove support for OAuth 2 JWTs with user keys as the sub claim after deprecation period as tracked by
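The two parts above describe one change seen from both sides: the app switches the sub claim of its JWT assertion from a user key to an Atlassian Account ID, and the token endpoint accepts either during the deprecation period and only the account ID afterwards. The following is an added example, not code from this issue or from Atlassian Connect, showing both sides. It assumes the URN prefixes `urn:atlassian:connect:userkey:` and `urn:atlassian:connect:useraccountid:` for the sub claim (the form used in Atlassian's OAuth 2.0 JWT bearer documentation, not quoted on this page) and signs with HS256 using only the standard library, whereas the real grant signs with the app's RSA key; the issuer, audience and identifiers are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed sub claim prefixes (not stated on the issue page).
USERKEY_PREFIX = "urn:atlassian:connect:userkey:"
ACCOUNTID_PREFIX = "urn:atlassian:connect:useraccountid:"
ASSERTION_LIFETIME_SECONDS = 60


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims, key):
    """Compact-serialise and sign claims. HS256 keeps the example stdlib-only;
    the real bearer grant uses RS256 with the app's private key."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def build_assertion(issuer, audience, subject_id, use_account_id, now=None):
    """App side: the only difference between the old and new form of the
    assertion is which prefix the sub claim carries. Other claims the real
    grant needs (e.g. the tenant) are left out here."""
    now = int(time.time()) if now is None else now
    prefix = ACCOUNTID_PREFIX if use_account_id else USERKEY_PREFIX
    return {
        "iss": issuer,
        "aud": audience,
        "sub": prefix + subject_id,
        "iat": now,
        "exp": now + ASSERTION_LIFETIME_SECONDS,
    }


def parse_subject(sub):
    """Return ("accountid", id) or ("userkey", id); reject anything else."""
    if sub.startswith(ACCOUNTID_PREFIX):
        kind, ident = "accountid", sub[len(ACCOUNTID_PREFIX):]
    elif sub.startswith(USERKEY_PREFIX):
        kind, ident = "userkey", sub[len(USERKEY_PREFIX):]
    else:
        raise ValueError("unsupported sub claim format")
    if not ident:
        raise ValueError("empty subject identifier")
    return kind, ident


def verify_assertion(token, key, audience, userkey_allowed, now=None):
    """Server side: check signature, algorithm, audience and expiry, then
    apply the deprecation policy to the sub claim. userkey_allowed=True is
    the deprecation period (part 1); False is after removal (part 2)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    signing_input = parts[0] + "." + parts[1]
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("assertion expired")
    kind, ident = parse_subject(claims.get("sub", ""))
    if kind == "userkey" and not userkey_allowed:
        raise ValueError("user key subjects are no longer accepted")
    return kind, ident


if __name__ == "__main__":
    key = b"constructed-shared-secret"  # constructed sample key
    aud = "https://example.invalid/oauth2/token"  # constructed sample audience
    new = encode_jwt(build_assertion("sample-client", aud, "5b10ac8d82e05b22cc7d4ef5", True), key)
    old = encode_jwt(build_assertion("sample-client", aud, "admin", False), key)
    print(verify_assertion(new, key, aud, userkey_allowed=False))
    print(verify_assertion(old, key, aud, userkey_allowed=True))
```

The check that matters for the deprecation is the last one in `verify_assertion`: while `userkey_allowed` is true both subject forms are accepted, and flipping it to false is the whole of part 2 from the server's point of view. Rejecting unknown prefixes outright, rather than treating an unprefixed value as a user key by default, keeps a malformed sub claim from being silently mapped to an account.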

Environment

None

Activity

Asier Enrique
May 25, 2018, 1:39 PM

Hi, Einar.

Many thanks for your kind response, I appreciate it a lot. I am sorry, I hope I did not interrupt your workflow.

Thanks a lot for your explanation about the exact meaning of this deprecation. I will follow the DEVHELP ticket and the related news.

Best regards,

Asier

Einar Pehrson
May 25, 2018, 1:03 PM

Hi, . This issue was not meant to be publicly visible, and I will restrict its visibility. But we will soon share detailed information about this particular deprecation. As to your concern, this deprecation only relates to how an app identifies a user in the JWT assertion when using the OAuth 2.0 JWT Bearer token authorization grant type. The authentication method as such will still be fully supported.

I have moved both and to the DEVHELP service desk where our Developer Support team will follow up on them. Please refer to https://developer.atlassian.com/cloud/confluence/get-help/ as your landing page for getting help with Confluence app development.

Asier Enrique
May 25, 2018, 12:37 PM
Edited

Hello Atlassian Connect Team,

I have noticed this issue and I would like to confirm if this deprecation means that Atlassian Connect add-ons will not be able to act on behalf of users, as announced in this Atlassian Developer blog post and as documented in this tutorial of Confluence Cloud add-ons.

Actually, I have recently tried to follow the steps of this tutorial without success, and I opened CE-1191.

This question applies also for AC-2410.

Is there any other way to authenticate users in add-ons, as asked in CE-1181?

Thank you very much indeed.

Fixed

Assignee

Shorya Raj

Reporter

Dugald Morrow