Announcement: Google OAuth for incoming email servers for JSW and JWM

Greetings Jira Software and Jira Work Management admins!

Summary: You can now set up Gmail-based incoming email handlers using the OAuth authentication protocol.

What’s shipped

 Screenshot 2022-12-07 at 8.28.41 AM.png Oauth new.png

In March 2022, Google announced that they would no longer support third-party apps that require users to sign into their Google account using only a username and password beginning May 30, 2022. This change impacted Jira Cloud customers who set up an incoming mail server using a personal Google email account.

In April 2022, we published a Community update that outlined our approach. We’ve been working on building, testing, and deploying OAuth for Gmail-based incoming email servers. As an immediate solution, we recommended that admins switch to app passwords instead of using Google account passwords.

We’re excited to share that starting 19th December 2022, Jira Cloud admins can now set up their Gmail-based incoming email servers using OAuth. OAuth 2.0 is an industry-standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user.

To be on the most up-to-date solution, you can either:

  • Add a Gmail email server with OAuth 2.0 integration: If you are using Gmail to create issues and comments from your email and want to set up a mail server for your incoming emails on Jira, you need to configure OAuth 2.0 for your Gmail email server.

  • Upgrade your mail server from basic authentication to OAuth 2.0: Upgrade your existing mail servers that are using app passwords or basic authentication to OAuth 2.0.

You find detailed instructions for both methods in our documentation.

Questions or Feedback?

If you have any questions or would like to provide us with some feedback, please do comment on this article and we will respond to you as soon as possible.

26 comments

Jim Johnson January 9, 2023

I'm confused, because I don't know whether this applies to me or not. 
The key line seems to be "If you are using Gmail to create issues and comments from your email".

I use Jira Cloud with myself and two contractors.

We receive and respond to emails from Jira tickets.

I don't believe I've ever done anything with Jira that involves setting up a special function with an email server.  

Our login account emails are in my company domain name, not personal Gmail accounts.

Does this apply to me or not?

Like # people like this
Gabriel January 9, 2023

Hi @Jim Johnson

If you are using the Default Cloud Mail Server, then you have nothing to do.

Go to System > Incoming Mail

If it looks like my screenshot, then you have nothing to do.

Screenshot 2023-01-09 at 1.21.47 PM.png

Cheers!

Like # people like this
blastoise186 January 9, 2023

@Jim Johnson from what you describe, probably not an issue.

If people are simply sending support requests in from personal Gmail/Google Accounts either via email or the portal in Jira Service Management, that's not affected at all and the same applies if you use Google to sign into your Atlassian Account.

This is only relevant if you use Basic Authentication aka Less Secure Apps to have Jira Cloud/Server/Data Center send or receive emails through a personal Google Account instead of directly from the built-in methods. In the future, the same rules will apply to Google Workspace user accounts as well.

As long as you don't use any kind of Google Account or Google Workspace account to send the emails out from Jira/Confluence with and/or pull emails into Jira/Confluence, you should be fine. But if you do use such accounts, make sure to use OAuth instead of Basic Auth!

Like # people like this
Jim Johnson January 9, 2023

Thanks for the inputs, clear, understood, I see that I need no action.

Like # people like this
blastoise186 January 9, 2023

No worries.

It's also worth noting that Google terminated LSA support for personal accounts nearly a year ago, so you'd have likely noticed by now if this was affecting you. Any attempts to use it now on a personal Google Account are guaranteed to fail.

Google Workspace is deprecating it more slowly, but I'd still recommend considering Less Secure Apps as no longer existing when it comes to Google Workspace anyway. It's better to get into that mindset now, than ignore it until it's way too late.

The same applies to personal Microsoft Accounts and business based Microsoft 365 - Basic Authentication is being terminated. Any tenant that doesn't use it all will have it terminated first because there'd be basically no ill effects - if you're not using it anyway, you probably won't mind losing it. Those who use it will get a bit more time but will be forced to move on eventually.

Like Ricardo Rodrigues likes this
Michael Hess January 9, 2023

I have Default CloudMail Server setup under System Incoming, but I do use Gmail Workspace accounts under projects, then Email, Connected email accounts. Do I need to disco and redo those? I honestly don't remember if they used app passwords or normal oauth flow.

In Atlassian Admin I also have email address setup under Settings Emails. Any action needed there?

blastoise186 January 9, 2023

You should be fine as well @Michael Hess but it depends.

By default, Google Workspace disallows LSA domainwide unless an admin changes that setting. I just looked myself and the only way to currently link a Google hosted email account to Jira is via OAuth. But I'd recommend checking your settings again anyway.

I can't access your site (I'm not allowed to!) but if you're unsure, Atlassian Support can help.

Like Michael Hess likes this
Santosh Jallapuram January 9, 2023

Does this apply only for personal gmail accounts or GSuite(Google WorkSpace) accounts as well ?

blastoise186 January 10, 2023

For now @Santosh Jallapuram only personal accounts. However, Google Workspace is also making the change as well so you should assume that the old methods are going away regardless of account type.

The Google Workspace Blog will announce when LSA support will be dropped for work accounts

Like Tushita Sarkar Biswas likes this
Mary Vermishyan January 11, 2023

What to do if we are using a POP mail server? and DMARC incoming email authentication?

blastoise186 January 11, 2023

Hey @Mary Vermishyan ,

If that POP Mail Server runs on anything Google or Microsoft hosted, you will likely be affected by this sooner or later. If it doesn't (or you use MS Exchange On-Premises) you won't be affected right now.

Arevik Hakobyan January 12, 2023

Hi, I have "Default Cloud Mail Server" under "Incoming Mail Server" for Jira Cloud Premium that we use.

And our company team members use Google to login to Atlassian with our company mails.

We have only few customers who are given access to our Confluence with their personal mails.

Will this affect our company team or our customers using thei personal mails?

Please advise

 

Thanks

Screen Shot 2023-01-12 at 4.10.29 PM.png

Jousef January 13, 2023

Hey there,

Just to clarify this, if you're having mail servers configured in Jira DC/Server that are using basic authentication, you need to set up new ones using OAuth 2.0, correct?

OAuth 2.0 is only available from Jira DC/Server version 9.0, is that also correct?

We're on v8.20 and don't have the option to add any OAuth 2.0 integrations. So I'm a bit confused what to do in this case. I guess I first need to upgrade to 9.0 to make use of the integrations and only then be able to change the mail servers to use OAuth 2.0.

Best,
Jousef

blastoise186 January 13, 2023

Hiya!

@Arevik Hakobyan looks good to me based on your screenshot and description. The Login With Google stuff is fully supported because it uses either OAuth2 or SSO anyway and is completely unaffected. Likewise, if you're using the default cloud mail server that Atlassian manages on your behalf, that's totally fine too. Atlassian will make changes to that one on your behalf if it is ever needed.

Anyone who logs into Confluence with personal emails attached to their Atlassian Accounts (including via Atlassian Access, and also Atlassian Crowd for on-prem/self-hosted sites) is likewise fine - Atlassian figures that out so you don't have to.

In your case, I'd say you're totally cool as-is.

@Jousef I'm only a Cloud user myself but I'd argue you'll probably want to upgrade those instances anyway to ensure you're getting security fixes as well as the ability to set up OAuth. I'd upgrade to the latest release first (you may need to do this in several smaller stages) and once you hit the first release that supports OAuth, set that up before doing further upgrades or updates.

Like Jousef likes this
Arevik Hakobyan January 13, 2023

thanks @blastoise186 

blastoise186 January 13, 2023

You're welcome. :)

Ironic as it may sound, I'm actually only in my first week on this community, so I'm currently focusing just on this thread while I learn the ropes. But I've got a lot of experience elsewhere to use.

My own cloud instance is also my personal one with just me on it. I'm willing to experiment with it because I know I won't mess up anything important!

Like Arevik Hakobyan likes this
Arevik Hakobyan January 13, 2023

well, that's an advantage  to be able to experiment without killing anything. Thanks any case, and awesome work for being here only for 1 week

Like blastoise186 likes this
blastoise186 January 13, 2023

It's not cheap though! :)

I went for Confluence and Jira Premium so it costs me about £30 a month just for me. But it's worth it if I get to help out here and have at least the same features that pretty much anyone else coming here has.

ceciliap January 16, 2023

Im confused! In our company we use Jira Cloud, we didin´t set up an incoming mail server using a personal Google email account, but we use Google accounts (we use G-Suite) for the autentication of our agents. So, i want to know if this future change will affect us or no? Thanks

Like blastoise186 likes this
blastoise186 January 16, 2023

Hey @ceciliap ,

Does your Incoming Mail setup look like this with just the Default Cloud Mail Server and nothing else?

Screenshot 2023-01-16 174320.png

If so, you're good to go. Even if you use Google Workspace to login, that's a separate thing and these changes won't affect you at all. :)

Noeli Fusco January 16, 2023

Hi @blastoise186 

Im Noelí, i work with @ceciliap . We don't even have the Default Cloud Mail Server configured, we dont have any incoming mail server configured.  :) So i think we still not affected then rigth?

Like blastoise186 likes this
blastoise186 January 16, 2023

You've actually answered your own question! :D

If you don't have any mail server set up, you won't be affected other than the fact you shouldn't really delete the default one. :P

Contact Atlassian if you need the default one recreated as they can fix that.

Like Gabriel likes this
Gabriel January 16, 2023

This ^

Noeli Fusco January 16, 2023

@blastoise186  oh, thank you very much for ypur answers, i will contact them! :D

Maria Campbell February 1, 2023

Hi,

I am also confused. I use Gmail to log in to my Jira account. I receive notifications when I have opened issues or completed them using Jira software. I do not use Confluence. I also am set up with SSH and use 0Auth already I believe with Github, which is where all my repos reside. Is there anything that I had to do? Please advise. Thanks!

Comment

Log in or Sign up to comment
TAGS
AUG Leaders

Atlassian Community Events