Hey, recently we have experienced a small issue which triggered a discussion about the kind of data stored in a JIRA Database. Since then I have performed a small investigation and this is what I found:
1) Application Links using OAuth authentication - I have noticed that JIRA stores OAuth tokens for each user that used an Application Link. What is the expiration time of these tokens? Can I revoke them somehow?
2) Remember My Login tokens - is it safe to simply clear them all? What are the side-effects of such an operation? Can they be abused somehow?
Is there anything else that JIRA stores in the DB that might be abused in some way?
@K M Welcome to the community.
1) The tokens expire as specified in the "oauth_expires_in" parameter when you get the access token. For example, on a default-configured JIRA instance on Atlassian's server it is 157680000 (which is 5 years).
2) Yes, you can clear them. When they are cleared, individuals will have to log in to the application again from the browser where the token was stored. If an individual does not lock their computer, someone could potentially access Jira without logging in.
None of the information in the DB is encrypted, so if a hacker compromised your DB server they would be able to access the data. If you have concerns about this, you might look at this app: https://marketplace.atlassian.com/apps/1215791/encryption-for-jira?hosting=server&tab=overview
Hey! Thanks a lot for the answer. I have one question, though, with regards to the first point. How do I revoke the OAuth tokens? Can I simply remove the rows from the table? Will the users be affected in some way by such an operation?
If you no longer need that OAuth token, you can just revoke access.
https://confluence.atlassian.com/jirasoftwareserver/allowing-oauth-access-939938965.html
Revoking the token, I believe, removes the link as well. Thus you would have to set it up again.