March 05, 2021 · 4 min read

Disabling Basic Auth in Jira Data Center and allowlisting REST APIs

Using the Customfield Editor for Jira App REST API with personal access tokens

With Jira Data Center 8.16 you can disable Basic Authentication. Since many of you might still use Basic Auth for certain sync scripts, you can allowlist specific URIs so that Basic Auth keeps working for them while it is disabled everywhere else.

Disabling Basic Authentication

First we need to update the SSO for Atlassian Data Center App that is already pre-installed in Jira Data Center.

Now we see the Settings > System > Authentication methods page and can disable Basic Authentication on API calls.

If we now try to access the REST API with Basic Authentication it fails with HTTP 403.

$
curl -i -H "Content-Type: application/json" \
  -u admin:admin \
  "http://jira.srv/rest/jiracustomfieldeditorplugin/1/admin/customfields?filter=&startAt=0&maxResults=10&orderBy=%2BfieldId"

response
HTTP/1.1 403
Content-Type: application/json;charset=UTF-8

{"message":"Basic Authentication has been disabled on this instance."}

Option 1: Using Personal Access Tokens

Now we need a personal access token to be able to authenticate against any REST API. Click on Profile > Personal Access Tokens and you should see this page.

Now click on create token, specify a name and copy the token value somewhere safe.

If we use the personal access token now against the REST API, it works like a charm.

$
curl -i -H "Content-Type: application/json" \
  -H "Authorization: Bearer NzIxODM1MTM5MDc1OvvKqyRLWY5OqOhIY4d/a7BvZgrU" \
  "http://jira.srv/rest/jiracustomfieldeditorplugin/1/admin/customfields?filter=&startAt=0&maxResults=10&orderBy=%2BfieldId"

response
HTTP/1.1 200
Content-Type: application/json;charset=UTF-8

{
  "maxResults": 10,
  "startAt": 0,
  "total": 1,
  "processingTimeInMs": 1,
  "values": [
    {
      "fieldId": 10300,
      "fieldName": "customers",
      "fieldDescription": null,
      "fieldType": "multicheckboxes",
      "contextPermissions": [
        {
          "context": {
            "contextId": 10400,
            "contextName": "Default Configuration Scheme for customers",
            "contextDescription": "Default configuration scheme generated by Jira",
            "projects": [],
            "issueTypes": []
          },
          "userlist": [],
          "grouplist": []
        }
      ],
      "globalPermission": {
        "userlist": [],
        "grouplist": []
      }
    }
  ]
}


Option 2: Allowlisting Basic Authentication for certain REST APIs

If you want to disable Basic Authentication globally but allow it for certain URLs that for example some external sync scripts are using, you can allow those URIs via the Allowlist.

In our case, if you want Basic Authentication to work for all Customfield Editor for Jira App REST API endpoints, you should allow those URIs with the following API call.

$
curl -i -X PUT \
  -H "Content-Type: application/json" \
  -d '{ "block-requests": true, "allowed-paths": ["/rest/jiracustomfieldeditorplugin/*"], "allowed-users": ["admin"] }' \
  -H "Authorization: Bearer NzIxODM1MTM5MDc1OvvKqyRLWY5OqOhIY4d/a7BvZgrU" \
  "http://jira.srv/rest/basicauth/1.0/config"

response
HTTP/1.1 204
Content-Type: application/json;charset=UTF-8
...

Note that every PUT request replaces the stored configuration, so any previously allowlisted paths or users that are missing from your request body are overwritten. Read the current configuration and the documentation carefully before any API call.

We can now check the allowlist and should see our values have been stored correctly.

$
curl -i -X GET \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer NzIxODM1MTM5MDc1OvvKqyRLWY5OqOhIY4d/a7BvZgrU" \
  "http://jira.srv/rest/basicauth/1.0/config"

response
HTTP/1.1 200
Content-Type: application/json;charset=UTF-8
...
{
  "block-requests": true,
  "allowed-paths": [ "/rest/jiracustomfieldeditorplugin/*" ],
  "allowed-users": [ "admin" ],
  "show-warning-message": true
}

Now we can make Basic-authenticated calls to the Customfield Editor for Jira REST API while Basic Authentication is globally disabled.

$
curl -i -H "Content-Type: application/json" \
  -u admin:admin \
  "http://jira.srv/rest/jiracustomfieldeditorplugin/1/admin/customfields?filter=&startAt=0&maxResults=10&orderBy=%2BfieldId"

response
HTTP/1.1 200
Content-Type: application/json;charset=UTF-8

{
  "maxResults": 10,
  "startAt": 0,
...
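The PUT above replaces the whole allowlist configuration, so a script that adds one path can silently drop paths or users someone else allowlisted earlier. The following Python script is an added example, not code from the original post or from Atlassian: it reads the current configuration from the same /rest/basicauth/1.0/config endpoint with a personal access token, merges the new paths and users into it, writes the merged result back, and lets you preview locally which (path, user) pairs the resulting configuration would still match before you test it with curl as shown above. The endpoint and the keys block-requests, allowed-paths, allowed-users and show-warning-message are taken from the post's own request and response; the glob-style interpretation of "*" in allowed-paths and the JIRA_BASE_URL / JIRA_PAT environment variables are assumptions of this example.

```python
"""Added example (not from the original post or from Atlassian):
read-merge-write against the Jira Data Center Basic Auth allowlist config
endpoint, plus a local preview of the resulting allowlist."""
import fnmatch
import json
import os
import urllib.request

# Endpoint and JSON keys as they appear in the post's curl calls.
CONFIG_PATH = "/rest/basicauth/1.0/config"


def merge_allowlist(current, add_paths=(), add_users=()):
    """Return a new config dict that keeps every existing allowlist entry
    and appends the new ones, so the PUT never drops earlier entries.
    Other keys (e.g. show-warning-message) are carried over unchanged."""
    merged = dict(current)
    merged["block-requests"] = True  # keep Basic Auth globally disabled
    merged["allowed-paths"] = sorted(
        set(current.get("allowed-paths", [])) | set(add_paths))
    merged["allowed-users"] = sorted(
        set(current.get("allowed-users", [])) | set(add_users))
    return merged


def preview_match(config, path, user):
    """Local preview of what the config says about one request.
    ASSUMPTION: '*' in allowed-paths behaves like a shell glob (fnmatch);
    how Jira combines the path and user lists is not stated on the page,
    so both results are returned separately instead of a single verdict."""
    return {
        "blocking": bool(config.get("block-requests", False)),
        "path_match": any(fnmatch.fnmatchcase(path, pattern)
                          for pattern in config.get("allowed-paths", [])),
        "user_match": user in config.get("allowed-users", []),
    }


def _request(base_url, token, method, body=None):
    """Send one JSON request with a Bearer personal access token."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(
        base_url + CONFIG_PATH, method=method, data=data,
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def allowlist_add(base_url, token, add_paths, add_users=()):
    """GET the live config, merge, PUT it back; returns (status, merged)."""
    _, current = _request(base_url, token, "GET")
    merged = merge_allowlist(current or {}, add_paths, add_users)
    status, _ = _request(base_url, token, "PUT", merged)
    return status, merged


if __name__ == "__main__":
    # Constructed sample of a config that already allowlists one sync script.
    sample_current = {
        "block-requests": True,
        "allowed-paths": ["/rest/api/2/search"],
        "allowed-users": ["syncbot"],
        "show-warning-message": True,
    }
    merged = merge_allowlist(sample_current,
                             ["/rest/jiracustomfieldeditorplugin/*"], ["admin"])
    print(json.dumps(merged, indent=2))
    print(preview_match(merged,
                        "/rest/jiracustomfieldeditorplugin/1/admin/customfields",
                        "admin"))
    # Only talk to a real instance when explicitly configured (assumed env vars).
    base_url, token = os.environ.get("JIRA_BASE_URL"), os.environ.get("JIRA_PAT")
    if base_url and token:
        print(allowlist_add(base_url, token,
                            ["/rest/jiracustomfieldeditorplugin/*"], ["admin"]))
```

Running the script without the environment variables only exercises the merge and preview logic on the constructed sample; with JIRA_BASE_URL and JIRA_PAT set it performs the GET/PUT round trip, after which the GET shown earlier in the post should return the merged lists.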

Summary

When it comes to Basic Authentication you have multiple options. Ultimately you should migrate all your external scripts to use personal access tokens. You can disable Basic Authentication globally while still allowing it for certain URIs or certain users only. This way your migration to personal access tokens can proceed faster even if some old external scripts still need to use Basic Auth. Atlassian did a great job of making this transition from Basic Auth to a more secure authentication method as easy as possible.