Open issues

AC-811: OAuth consumer keys are not unique, causing hosts to trample each other's data in Connect add-ons.
AC-1519: Outgoing requests to add-on servers with virtual SSL hosting (SNI) fail
AC-1424: HTTPS issues for add-ons deployed on RedHat OpenShift
AC-1025: Add-on users consume licenses on some instances
AC-2502: POST https://auth.atlassian.io/oauth2/token yields "400 Bad Request" because of an internal 503 Service Unavailable
AC-2499: Connect users remain active when the add-on is uninstalled
AC-2490: API for tenant lifecycle status
AC-2469: Atlassian Connect Conditions return wrong results when user groups contain uppercase letters
AC-2463: Add developer documentation about account ID to installation callback query parameters
AC-2457: Remove undocumented legacy iframe URL query parameters
AC-2446: Return error information if an add-on tries to do user impersonation of an add-on user
AC-2445: User_is_logged_in condition state is not immediately updated after user is disabled
AC-2386: Display results of validation against stricter version of descriptor schema to add-on developers
AC-2384: Remove publicKey from Authentication bean
AC-2383: Validate web fragment locations against a whitelist
AC-2381: Perform strict schema validation
AC-2368: Include conditions and their parameters in the JSON schema
AC-2367: Display metric alarms to JIRA and Confluence add-on developers
AC-2340: Add "I'm a developer" to the JIRA and Confluence onboarding flows
AC-2322: Calls to /rest/atlassian-connect/1/addons/{addonKey} do not return host.contacts.*
AC-2320: Error provisioning add-on user due to missing default group for some applications
AC-2310: Need condition that compares an entity property with another entity property
AC-2279: Opt-in concurrency support for hosted properties
AC-2277: New tenant clientkeys
AC-2261: Add rate-limiting for requests from add-ons
AC-2256: Improve communication around service desk agents in cloud dev instances
AC-2225: Atlassian Connect add-on integrations with JIRA and Confluence mobile
AC-2199: Send "state-token" back to add-on to identify organization from multi-tenant SaaS application on install/REST requests
AC-2186: User impersonation does not work when attaching a file to a JIRA issue
AC-2162: can_use_application for cross application conditions
AC-2154: Navigation menu will not expand when being placed under More section
AC-2103: The postInstallPage and configurePage should be web items instead of general pages.
AC-2073: Add-on vendors need a way to flag users to contact them
AC-2068: Support routing of failed delivery webhook traffic to an endpoint that isn't the add-on's primary endpoint
AC-2054: User Impersonation: add impersonator to webhook events
AC-2031: Can Atlassian Connect generate a token that I can use to securely talk to another add-on?
AC-1939: Improve cloud dev on-boarding process for Confluence developers
AC-1913: Trigger download of add-on descriptor from remote host via REST API
AC-1912: Support JWT in URL fragment
AC-1900: As Connect add-on developer, I want certain content/entity properties pre-fetched into my module call, to improve user experience
AC-1871: Allow for add-ons to register webhooks dynamically
AC-1858: Create an access log of all of the requests that an add-on makes to the host product
AC-1856: Solve the "locations" problem in JIRA and Confluence once and for all
AC-1855: Allow the ability to migrate the baseUrl for an Atlassian Connect add-on.
AC-1851: Write the documentation for the entity properties contains condition
AC-1850: Create P2 condition for Confluence called entity_property_contains
AC-1849: Create the entity_property_contains condition for add-on conditions
AC-1848: Create P2 condition for JIRA called entity_property_contains
AC-1846: Condition that compares a user property with a global property
AC-1839: Ability to handle webhooks with statically provided code

OAuth consumer keys are not unique, causing hosts to trample each other's data in Connect add-ons.

Description

Multiple OnDemand instances may share the same consumer key. This results in problems wherever add-on code assumes the consumer keys uniquely identify a tenant. One example is at registration time in ac-play, the consequence of which is that a tenant can effectively unregister another tenant (the code looks up the row by consumer key and, if it exists, updates the baseurl and public key, overwriting any existing data).

This has happened to at least 2 instances so far in Who's Looking. For example, here is a database row from table ac_host from a backup taken a few days ago:

id | key          | baseurl
81 | jira:6403609 | https://ecosystem.atlassian.net

And here is that same row today:

id | key          | baseurl
81 | jira:6403609 | https://bidclerk.jira.com

Some hosts seem to use their domain name as their consumer key, which mitigates the problem. I don't know why some hosts use jira:xyz and others use their domain name.
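As an added illustration (not code from Who's Looking, ac-play or Atlassian Connect), a minimal Python model of the registration lookup described above: the first handler selects the tenant row by consumer key alone and reproduces the overwrite, the second treats (consumer key, baseUrl) as the tenant identity so both hosts keep their own rows, and a helper reports consumer keys shared across hosts so the condition can be spotted in an existing table. The in-memory table and all function and field names are hypothetical; the sample key and base URLs are the ones quoted in the issue.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class HostRow:
    """One row of the add-on's host table (columns named after the page's ac_host dump)."""
    id: int
    key: str        # OAuth consumer key, e.g. "jira:6403609"; not unique across tenants
    baseurl: str
    public_key: str

class HostTable:
    """In-memory stand-in for ac_host (hypothetical, constructed for this example)."""
    def __init__(self) -> None:
        self.rows: list[HostRow] = []

    def insert(self, key: str, baseurl: str, public_key: str) -> HostRow:
        row = HostRow(len(self.rows) + 1, key, baseurl, public_key)
        self.rows.append(row)
        return row

    def find(self, key: str, baseurl: Optional[str] = None) -> Optional[HostRow]:
        for row in self.rows:
            if row.key == key and (baseurl is None or row.baseurl == baseurl):
                return row
        return None

def register_by_consumer_key(table: HostTable, key: str, baseurl: str, public_key: str) -> HostRow:
    """The lookup the issue describes: consumer key alone selects the row, so a second
    tenant presenting the same key overwrites the first tenant's baseurl and public key."""
    row = table.find(key)
    if row is not None:
        row.baseurl, row.public_key = baseurl, public_key
        return row
    return table.insert(key, baseurl, public_key)

def register_by_key_and_baseurl(table: HostTable, key: str, baseurl: str, public_key: str) -> HostRow:
    """Treat (consumer key, baseUrl) as the tenant identity: the same host re-registering
    rotates its public key, while a different host with the same key gets its own row."""
    row = table.find(key, baseurl)
    if row is not None:
        row.public_key = public_key
        return row
    return table.insert(key, baseurl, public_key)

def shared_consumer_keys(table: HostTable) -> set[str]:
    """Consumer keys seen on more than one baseurl; non-empty means the key cannot
    be used alone as a tenant identifier (a useful check to run over a real ac_host)."""
    hosts: dict[str, set[str]] = {}
    for row in table.rows:
        hosts.setdefault(row.key, set()).add(row.baseurl)
    return {k for k, v in hosts.items() if len(v) > 1}
```

Any request-time lookup in the hardened variant must also pass the baseUrl (or another per-tenant value) to `find`, since the key on its own is still ambiguous.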

Environment: None
Testing Notes: None
Status:
Assignee: Peter Brownlow
Reporter: Robin Fernandes
Labels: None
Add-on Type: None
Team: None
CC: None
Risk factor: None
QA Kickoff Status: None
QA Demo Status: None
Story Points: 5
Priority: Blocker