Update Jira connect implementation to support asymmetric JWTs
I got this email from Atlassian:
This notice is to remind you of the recent announcement that requires your attention. There is no additional action required if you have already updated your apps to comply with our change to the install/uninstall lifecycle authentication.
Atlassian is making a breaking change to Atlassian Connect app install and uninstall lifecycle events in Jira and Confluence Cloud to improve the security of the Connect framework. In the install and uninstall callback requests sent by Atlassian to your app, the Authorization JWT token will be signed asymmetrically so that apps can verify that the request is genuine. Atlassian is planning to enforce asymmetric JWTs to all apps' install/uninstall lifecycle events by Oct 29, 2021.
Please review your apps and apply the required mitigations.
Is my app impacted?
- If your app uses an authentication descriptor setting other than none, then your app is impacted and will need to be updated.
- This vulnerability affects apps regardless of how they are installed; apps listed on the Marketplace and apps installed via the UPM "dev mode" are affected.
- Apps running on Bitbucket Connect are not affected.
Action Required
- As soon as possible, follow the instructions to ensure your app has opted-in to signed install and is compliant with these changes, whether you are running an Atlassian-supported Connect framework or a custom implementation.
- If you are no longer supporting an app that is impacted, we recommend that you contact Marketplace Support to have your app un-installed from all sites and de-listed from the Marketplace.
For more information on the timeline of the breaking change and for additional questions, please see review the announcement on the Developer Community.