Programmatical share access token

Description

Background:

Client is currently evaluating the use of External Share for Confluence to create an online user guide.

To ensure a seamless experience for their customers, we need the ability to programmatically auto-login to Password Protected external share links. This will eliminate the need to manually enter the password and restrict access to the Confluence page exclusively through our system via iFrame.

Secure Solution

  • When a share link is password-protected, append a special parameter to the URL, as follows:
    https://confluence.external-share.com/content/{UUID}?unlock={jwt}

  • The unlock parameter is a JSON Web Token defined as follows:

    • JWT header:

      • alg: HS256

    • JWT payload:

      • nbf: Time from which the JWT is accepted for processing; before it the token must be rejected. Integer representing seconds past 1970-01-01 00:00:00Z.

      • exp: Expiration time on and after which the JWT must not be accepted for processing. Integer representing seconds past 1970-01-01 00:00:00Z.

      • iss: UUID of the share

    • JWT signature:

      • secret: 256 random bits stored in the db in the shared_page.unlock_secret column (type bytea)

  • The unlock_secret value:

    • may be stored in plain form in the db for the time being, as the share’s UUID and password are unencrypted too

    • will be autogenerated using the secure pseudo-random generator guarana.security.RandomUtil.generateBytes(32)

    • will be automatically created on share creation

    • after the column is created, existing shares will receive secrets via a migration routine

    • is shown in the UI below the password field as a read-only text input with a hexadecimal representation and a Copy button

    • can be changed in the UI via a Change button

    • is returned in the Web API as a hexadecimal string

  • JWT checks on unlocking:

    • alg == HS256

    • nbf <= now < exp

    • exp - nbf <= 60

    • scope == share’s UUID

    • JWT signature

  • on successful JWT validation:

    • set the same cookie that would have been set had the page been accessed using the password
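The token format and the unlock-time checks above, as an added example in Python (not the product's own code; it signs with the standard library rather than a JWT library). The share UUID and 256-bit secret are constructed sample values, and the share-UUID claim is carried in `iss` as the payload section defines it (the check list refers to the same claim as `scope`).

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values; in the product these come from the shared_page
# row (share UUID and the 32-byte unlock_secret bytea column).
SHARE_UUID = "123e4567-e89b-12d3-a456-426614174000"
UNLOCK_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # 256 bits
MAX_LIFETIME = 60  # spec: exp - nbf <= 60 seconds

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_unlock_token(share_uuid: str, secret: bytes, now: int, ttl: int = MAX_LIFETIME) -> str:
    """Build the HS256 JWT for ?unlock=...: header, payload (nbf/exp/iss), HMAC signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"nbf": now, "exp": now + ttl, "iss": share_uuid}
    signing_input = ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def unlock_url(share_uuid: str, token: str) -> str:
    return f"https://confluence.external-share.com/content/{share_uuid}?unlock={token}"

def verify_unlock_token(token: str, share_uuid: str, secret: bytes, now: int) -> bool:
    """Apply the page's 'JWT checks on unlocking'; any failure returns False."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, payload = (json.loads(b64url_decode(x)) for x in (h_b64, p_b64))
        signature = b64url_decode(s_b64)
        alg, nbf, exp, iss = header["alg"], payload["nbf"], payload["exp"], payload["iss"]
    except (ValueError, KeyError, TypeError):
        return False  # malformed token, bad base64/JSON, or missing claim
    # Verify the HMAC (constant-time compare) before trusting any claim in the payload.
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False
    return (
        alg == "HS256"                          # reject "none" and any other algorithm
        and isinstance(nbf, int) and isinstance(exp, int)
        and nbf <= now < exp                    # inside the validity window
        and exp - nbf <= MAX_LIFETIME           # short-lived token only
        and iss == share_uuid                   # token is bound to this share
    )
```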

For testing:

Website for generating JWT:
https://dinochiesa.github.io/jwt/

What to fill:

After filling data you have to click left arrow to generate JWT.

Linked issues

relates to
  • ESFC-408 Programmatical share access token (Priority: Medium; Released)
  • ESFJ-651 Delete null checks and add database NOT NULL constraint after unlockSecret DB migration (Priority: Medium; Released)
  • ESFJ-562 External share for Jira link protected with password does not function in iframe on Confluence Page and shared page (Priority: Medium; Released)
  • ESFJ-695 Add custom domain support for programmatical share access token (Priority: Medium; Released)
  • ESFJ-697 Add link to docs for share access token in share form (Priority: Medium; Released)
  • SUP-395 Embedded Confluence articles via external share + iframe, Company Intranet (Priority: Medium; Closed)