
Sensitive data stored in the DB

Hey, recently we have experienced a small issue which triggered a discussion about the kind of data stored in a JIRA Database. Since then I have performed a small investigation and this is what I found:

1) Application Links using OAuth authentication - I have noticed that JIRA stores OAuth tokens for each user that used an Application Link. What is the expiration time of these tokens? Can I revoke them somehow?

2) Remember My Login tokens - is it safe to simply clear them all? What are the side effects of such an operation? Can they be abused somehow?

Is there anything else that JIRA stores in the DB that might be abused in some way?

1 answer

0 votes
Brant Schroeder Community Leader Apr 21, 2021

@K M Welcome to community.

1) The tokens expire as specified in the "oauth_expires_in" parameter when you get the access token. For example, on a default configured JIRA instance on Atlassian's server it is 157680000 (which is 5 years).

2) Yes, you can clear them. When they are cleared, individuals will have to log in to the application again from the browser where the token was stored. If the individual does not lock their computer, someone could potentially access Jira without logging in.

None of the information in the DB is encrypted, so if a hacker compromised your DB server they would be able to access the data. If you have concerns about this, you might look at this app: https://marketplace.atlassian.com/apps/1215791/encryption-for-jira?hosting=server&tab=overview

Hey! Thanks a lot for the answer. I have one question though with regard to the first point. How do I revoke the OAuth tokens? Can I simply remove the rows from the table? Will the users be affected in some way by such an operation?

If you no longer need that OAuth token you can just revoke access.

https://confluence.atlassian.com/jirasoftwareserver/allowing-oauth-access-939938965.html

Will they be automatically regenerated for the users who use Application Links?

Brant Schroeder Community Leader Apr 23, 2021

Revoking the token, I believe, removes the link as well. Thus you would have to set it up again.
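
An added example, not part of the thread and not Atlassian code: it parses a form-encoded OAuth 1.0a access-token response, reads the `oauth_expires_in` value mentioned in the answer, and checks the announced lifetime against a policy limit. The sample body, the 90-day limit and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Constructed sample: form-encoded body of an OAuth 1.0a access-token response.
# Token values are placeholders; the lifetime is the default quoted in the answer.
SAMPLE_RESPONSE = (
    "oauth_token=EXAMPLE_TOKEN&oauth_token_secret=EXAMPLE_SECRET"
    "&oauth_expires_in=157680000"
)

# Assumed local policy (hypothetical): flag tokens that live longer than 90 days.
MAX_LIFETIME = timedelta(days=90)


def token_lifetime(body: str) -> timedelta:
    """Return the lifetime announced in oauth_expires_in (seconds)."""
    fields = parse_qs(body, strict_parsing=True)
    values = fields.get("oauth_expires_in")
    if not values or len(values) != 1:
        raise ValueError("oauth_expires_in missing or repeated")
    seconds = int(values[0])  # raises ValueError on non-numeric input
    if seconds <= 0:
        raise ValueError("oauth_expires_in must be positive")
    return timedelta(seconds=seconds)


def audit_token(body: str, issued_at: datetime) -> dict:
    """Compute the expiry time and compare the lifetime with MAX_LIFETIME.

    The token and its secret are deliberately left out of the result so
    that the audit output can be logged safely.
    """
    lifetime = token_lifetime(body)
    return {
        "lifetime_days": lifetime.days,
        "expires_at": issued_at + lifetime,
        "exceeds_policy": lifetime > MAX_LIFETIME,
    }


if __name__ == "__main__":
    issued = datetime(2021, 4, 21, tzinfo=timezone.utc)  # constructed issue time
    print(audit_token(SAMPLE_RESPONSE, issued))
```
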
