Programmatic share access token
Description
Background:
Client is currently evaluating the use of External Share for Confluence to create an online user guide.
To ensure a seamless experience for their customers, we need the ability to programmatically auto-login to Password Protected external share links. This will eliminate the need to manually enter the password and restrict access to the Confluence page exclusively through our system via iFrame.
Secure Solution
When a share link is password-protected, append a special parameter to the URL, as follows:
https://confluence.external-share.com/content/{UUID}?unlock={jwt}
The unlock parameter is a JSON Web Token defined as follows:
JWT header:
alg: HS256
JWT payload:
nbf: Time on which the JWT will start to be accepted for processing. Integer representing seconds past 1970-01-01 00:00:00Z
exp: Expiration time on and after which the JWT must not be accepted for processing. Integer representing seconds past 1970-01-01 00:00:00Z.
iss: UUID of the share
JWT signature:
secret: random 256 bits stored in the db as the shared_page.unlock_secret column of type bytea
The unlock_secret value:
may be stored plain in the db for the time being, as the share's UUID and password are unencrypted too
will be autogenerated using the secure pseudo random generator guarana.security.RandomUtil.generateBytes(32)
will be automatically created on share creation
after column creation, existing shares will receive secrets in a migration routine
is shown in the UI below the password field as a read-only text input with hexadecimal representation and a Copy button
can be changed in the UI via the Change button
is returned in the Web API as a hexadecimal string
JWT checks on unlocking:
alg == HS256
nbf <= now < exp
exp - nbf <= 60
scope == share’s UUID
JWT signature
on successful JWT validation:
store the same cookie as the page would have been accessed using password
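The token format and the unlock checks above, as an added stand-alone example (not the add-on's own code): it mints an HS256 unlock JWT with nbf/exp/iss and verifies it with every check listed, using only the Python standard library. SAMPLE_SECRET is a constructed 32-byte value standing in for shared_page.unlock_secret; the 60-second window and the pinned algorithm are the ones the spec requires.

```python
import base64, hashlib, hmac, json

# Constructed stand-in for the 256-bit shared_page.unlock_secret (not a real secret).
SAMPLE_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
MAX_WINDOW_SECONDS = 60  # spec: exp - nbf <= 60

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_unlock_token(secret: bytes, share_uuid: str, now: int, ttl: int = 60) -> str:
    # Header and payload exactly as the spec defines them; iss carries the share UUID.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps({"iss": share_uuid, "nbf": now, "exp": now + ttl},
                                separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_unlock_token(token: str, secret: bytes, share_uuid: str, now: int) -> bool:
    """Return True only if every unlock check passes; any malformed input fails closed."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        payload = json.loads(b64url_decode(p))
        signature = b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return False
    # Pin the algorithm; the token must not be allowed to pick one (e.g. "none").
    if header.get("alg") != "HS256":
        return False
    # Check the signature before trusting any claim, with a constant-time comparison.
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False
    nbf, exp = payload.get("nbf"), payload.get("exp")
    if not isinstance(nbf, int) or not isinstance(exp, int):
        return False
    if not (nbf <= now < exp):          # spec: nbf <= now < exp
        return False
    if exp - nbf > MAX_WINDOW_SECONDS:  # spec: exp - nbf <= 60
        return False
    return payload.get("iss") == share_uuid  # token must be bound to this share
```

The short validity window limits how long a leaked unlock URL stays usable, which is why the verifier rejects tokens minted with a longer lifetime even when the signature is valid.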
For testing:
Website for generating JWT:
https://dinochiesa.github.io/jwt/
What to fill:
After filling data you have to click left arrow to generate JWT.
@Krzysztof Bogdan please look at Zulip’s QA channel, there is a problem with password protected pages in iframe, it also makes this feature not work in iframe
@Michał Błaszczykowski Based on linked client request. They do expect this solution to work in iframe. Does it work in iframe?
Hello @Michał Błaszczykowski,
Please merge code to dev branch.
This is the best moment to add more information that can be helpful to prepare release notes.
Can you prepare a short overview of the change that can be used in release notes?
Please provide a short GIF that showcases the feature.
If a GIF makes no sense, can you provide an image that highlights the feature that can be used in release notes (cropped & annotated)?
@Michał Błaszczykowski No, the link was fine. The link I copied is the redirection from the content link. Issue was with custom domain 🙂
Improvement implemented - QA environment.
@Parsa Shiva it's the wrong link, should be
https://confluence.external-share.com/content/{UUID}?unlock={jwt}
you appended unlock parameter to access page, which can't work
@Michał Błaszczykowski Following issue occurs - QA environment.
URL:
https://ces-qa.warsawdynamics.com/access?uuid=2a343b05-bc72-4408-9263-0cd99b1a9818?unlock=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiIyYTM0M2IwNS1iYzcyLTQ0MDgtOTI2My0wY2Q5OWIxYTk4MTgiLCJuYmYiOjE2OTgwODk5MzcsImV4cCI6MTY5ODA5MDAyN30.hNH-8djKyBXtM7YKFZccZVI8pOzvXwSs6xVBnkQ0ap8
Error:
{"type":"about:blank","title":"Bad Request","status":400,"detail":"Required parameter 'redirect' is not present.","instance":"/access"}
Hello @Krzysztof Surdacki,
Task is ready for review.
@Michał Błaszczykowski please make sure the reviewer has easy access to the content to be reviewed.
If this is code change. Please make sure PR is created.
If this is new documentation, blogpost, etc. Please provide link to page.
Hello @Michał Błaszczykowski,
This is the best moment to add more information that can be helpful for tester.
What areas are affected?
What are potential edge cases?
Was it checked for XSS problems?
Does change affect security, is new data exposed?
Please attach - Before / After screenshot if possible.
Hello @Michał Błaszczykowski,
Change was reviewed and approved.
Task is ready to be deployed to QA.
Once it is deployed to QA please move ticket to "To Test"
Thank you!
Hello @Krzysztof Bogdan,
Task is ready for review.
@Michał Błaszczykowski please make sure the reviewer has easy access to the content to be reviewed.
If this is code change. Please make sure PR is created.
If this is new documentation, blogpost, etc. Please provide link to page.
Hello @Krzysztof Bogdan
This is the best moment to add more description, wire-frames, comments.
Why are we doing this?
What is the expected result?