Sensitive data stored in the DB

K M April 16, 2021

Hey, recently we have experienced a small issue which triggered a discussion about the kind of data stored in a JIRA Database. Since then I have performed a small investigation and this is what I found:

1) Application Links using OAuth authentication - I have noticed that JIRA stores OAuth tokens for each user that used an Application Link. What is the expiration time of these tokens? Can I revoke them somehow?

2) Remember My Login tokens - is it safe to simply clear them all? What are the side-effects of such operation? Can they be abused somehow?

Is there anything else that JIRA stores in the DB that might be abused in some way?

1 answer

0 votes
Brant Schroeder
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
April 21, 2021

@K M Welcome to community.

1) The tokens expire as specified in the "oauth_expires_in" parameter when you get the access token. For example, on a default-configured JIRA instance on Atlassian's server it is 157680000 (which is 5 years).

2) Yes, you can clear them. When they are cleared, individuals will have to log in to the application again from the browser where the token was stored. If the individual does not lock their computer, someone could potentially access Jira without logging in.

None of the information in the DB is encrypted, so if a hacker compromised your DB server they would be able to access the data. If you have concerns about this you might look at this app: https://marketplace.atlassian.com/apps/1215791/encryption-for-jira?hosting=server&tab=overview

K M April 22, 2021

Hey! thanks a lot for the answer. I have one question though with regards to the first point. How to revoke the oauth tokens? Can I simply remove the rows from the table? Will the users be affected in some way by such operation?

Brant Schroeder
April 22, 2021

If you no longer need that OAuth token you can just revoke access.

https://confluence.atlassian.com/jirasoftwareserver/allowing-oauth-access-939938965.html

K M April 22, 2021

Will they be automatically regenerated for the users who use Application Links?

Brant Schroeder
April 23, 2021

Revoking the token I believe removes the link as well. Thus you would have to set it up again.
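
The answer above confirms that Remember-Me tokens and OAuth service-provider tokens sit in the database in the clear and that OAuth tokens default to a 5-year lifetime. The script below is an added example (not code from this thread or from Atlassian) of the audit a practitioner would run before clearing anything: it ages Remember-Me tokens against a staleness threshold, computes each OAuth token's expiry from its creation time plus TTL, and revokes only the stale Remember-Me rows. The table and column names `remembermetoken(id, created, token, username)` and `oauthsptoken(id, created, token, consumer_key, username, ttl)`, the 14-day Remember-Me threshold and the one-year "long-lived" cut-off are assumptions for this example; check them against your own schema and policy. The rows are constructed, and the script runs against an in-memory SQLite copy so it works offline.

```python
"""Audit persisted login tokens in a Jira Server database copy.

Added example, not Atlassian's code. Table/column names, the TTL-in-seconds
convention and both age thresholds are assumptions (see lead-in). Point `conn`
at a read replica or DB dump in practice; never run DELETEs against a live
instance without a backup.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

NOW = datetime(2021, 4, 21, tzinfo=timezone.utc)   # fixed clock so results are reproducible
REMEMBER_ME_MAX_AGE = timedelta(days=14)           # assumed policy, not a Jira default
LONG_LIVED_OAUTH = timedelta(days=365)             # flag SP tokens that outlive a year

# Constructed sample rows; token strings are placeholders, not real secrets.
SAMPLE_REMEMBER_ME = [
    # id, created, token, username
    (1, "2021-04-20T08:00:00+00:00", "tok-fresh-alice", "alice"),
    (2, "2021-02-01T08:00:00+00:00", "tok-stale-alice", "alice"),
    (3, "2020-12-15T08:00:00+00:00", "tok-stale-bob", "bob"),
]
SAMPLE_OAUTH_SP = [
    # id, created, token, consumer_key, username, ttl (seconds)
    (10, "2021-04-01T00:00:00+00:00", "sp-1", "confluence", "alice", 157680000),  # 5-year default
    (11, "2016-04-01T00:00:00+00:00", "sp-2", "bamboo", "bob", 157680000),        # past its 5 years
    (12, "2021-04-10T00:00:00+00:00", "sp-3", "confluence", "carol", 3600),       # one-hour token
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory copy with the assumed schema and constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE remembermetoken (id INTEGER PRIMARY KEY, created TEXT, "
                 "token TEXT, username TEXT)")
    conn.execute("CREATE TABLE oauthsptoken (id INTEGER PRIMARY KEY, created TEXT, token TEXT, "
                 "consumer_key TEXT, username TEXT, ttl INTEGER)")
    conn.executemany("INSERT INTO remembermetoken VALUES (?,?,?,?)", SAMPLE_REMEMBER_ME)
    conn.executemany("INSERT INTO oauthsptoken VALUES (?,?,?,?,?,?)", SAMPLE_OAUTH_SP)
    conn.commit()
    return conn


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def stale_remember_me(conn, now=NOW, max_age=REMEMBER_ME_MAX_AGE):
    """Return [(id, username, age_days)] for Remember-Me tokens older than max_age."""
    rows = conn.execute("SELECT id, username, created FROM remembermetoken").fetchall()
    stale = []
    for tid, user, created in rows:
        age = now - _parse(created)
        if age > max_age:
            stale.append((tid, user, age.days))
    return stale


def classify_oauth_sp(conn, now=NOW):
    """Split OAuth SP tokens into already-expired ids and ids that still have over a year left."""
    rows = conn.execute("SELECT id, created, ttl FROM oauthsptoken").fetchall()
    expired, long_lived = [], []
    for tid, created, ttl in rows:
        expires = _parse(created) + timedelta(seconds=ttl)   # created + oauth_expires_in
        if expires <= now:
            expired.append(tid)
        elif expires - now > LONG_LIVED_OAUTH:
            long_lived.append(tid)
    return {"expired": expired, "long_lived": long_lived}


def revoke_remember_me(conn, token_ids):
    """Delete the given Remember-Me rows; affected users just log in again. Returns rows removed."""
    ids = list(token_ids)
    if not ids:
        return 0
    placeholders = ",".join("?" * len(ids))
    cur = conn.execute(f"DELETE FROM remembermetoken WHERE id IN ({placeholders})", ids)
    conn.commit()
    return cur.rowcount


def remember_me_count(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM remembermetoken").fetchone()[0]


if __name__ == "__main__":
    db = build_sample_db()
    stale = stale_remember_me(db)
    print("stale Remember-Me tokens:", stale)
    print("OAuth SP tokens:", classify_oauth_sp(db))
    print("revoked", revoke_remember_me(db, [tid for tid, _, _ in stale]), "Remember-Me rows")
```

Expired OAuth rows are only reported, not deleted: as the comments above note, revoking the token also drops the Application Link for that user, so revocation is better done through the OAuth access page than with a raw DELETE.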
