Programmatical share access token
Description
Background:
Client is currently evaluating the use of External Share for Confluence to create an online user guide.
To ensure a seamless experience for their customers, we need the ability to programmatically auto-login to Password Protected external share links. This will eliminate the need to manually enter the password and restrict access to the Confluence page exclusively through our system via iFrame.
Secure Solution
- When a share link is password-protected, append a special parameter to the URL, as follows:
{{https://confluence.external-share.com/content/ {UUID}?unlock=
{jwt}}}
- The
unlock
parameter is a JSON Web Token defined as follow:- JWT header:
- alg: HS256
- JWT payload:
- nbf: Time on which the JWT will start to be accepted for processing. Integer representing seconds past 1970-01-01 00:00:00Z
- exp: Expiration time on and after which the JWT must not be accepted for processing. Integer representing seconds past 1970-01-01 00:00:00Z.
- iss: UUID of the share
- JWT signature:
- secret: random 256 bits stored in the db as
shared_page.unlock_secret
column of typebytea
- secret: random 256 bits stored in the db as
- JWT header:
- The
unlock_secret
value:- may be stored plain in db for the time being as share’s UUID and password are unencrypted too
- will be autogenerated using secure pseudo random generator
guarana.security.RandomUtil.generateBytes(32)
- will be automatically created on share creation
- after column creation, existing shares will receive secrets in a migration routine
- is shown in UI below password field as a read only text input with hexadecimal representation and
Copy
button - can be changed in the UI via
Change
button - is returned in Web API as a hexadecimal string
- JWT checks on unlocking:
- alg == HS256
- nbf <= now < exp
- exp - nbf <= 60
- scope == share’s UUID
- JWT signature
- on successful JWT validation:
- store the same cookie as the page would have been accessed using password
For testing:
Website for generating JWT:
https://dinochiesa.github.io/jwt/
What to fill:
After filling data you have to click left arrow to generate JWT.
Linked issues
relates to
ESFC-408
Programmatical share access token
Released
ESFJ-562
External share for Jira link protected with password does not function in iframe on Confluence Page and shared page
Released
ESFJ-651
Delete null checks and add database NOT NULL constrain after unlockSecret DB migration
Released
ESFJ-695
Add custom domain support for programmatical share access token
Released
ESFJ-697
Add link to docs for share access token in share form
Released
SUP-395
Embedde confluence articles via external share + iframe Compnay Intranet
Closed
Activity
Show:
Hello @Michał Błaszczykowski,
Please merge code to dev branch.
This is the best moment to add more information that can be helpful to prepare release notes.
@Michał Błaszczykowski Fix verified and Improvement implemented - QA environment.
@Michał Błaszczykowski Following issue occurs- QA environment.
After adding the key the page loads back into the access URL endpoint: {{https://jes-qa.warsawdynamics.com/access?uuid=e9806b06-29ba-45f4-93d5-f59dc802dffc&redirect=https://jira-test-3.kz-test.ovh/issue/e9806b06-29ba-45f4-93d5-f59dc802dffc }}
Improvement suggestion
In case of expired JWT - an unknown issue occurred message is displayed. This error messaged can be improved and handled.
@Krzysztof Piotr Surdacki please take a final look
[~accountid:
{712020:7f4a5822-7b83-4950-ad69-f30f97b87f71}] Found one major bug and a couple enhancements.
@Krzysztof Piotr Surdacki please take a look at corrected version
@Michał Błaszczykowski Please change commented parts of the change or explain why it is ok the way it is now.
@Krzysztof Piotr Surdacki it’s ready
@Michał Błaszczykowski Please resolve all conflicts with dev before asking for review.
Build also failed:
https://bitbucket.org/%7B8d3fc384-2d68-40d9-a994-c4d0d7086569%7D/%7B1dbc18bb-54b4-4788-8de0-44bdf37fe7ca%7D/pipelines/results/28315
Hello @Krzysztof Bogdan,
Task is ready for review.
@Michał Błaszczykowski please make sure reviewer
have easy access to contend to be reviewed.
If this is code change. Please make sure PR is created.
If this is new documentation, blogpost, etc. Please provide link to page.
@Krzysztof Bogdan please check new implementation
my insights:
my recommendations:
unlock key
the attacker may work as long as he/she likes to brute-force the hash and obtain the password from itunlock secret
generated alongside which would be some random 256 bits key likeovh.atlasinc.guarana.security.RandomUtil#generateSecretKey()
which we could use forunlock key
instead of user provided password.@Krzysztof Bogdan
Hello @Michał Błaszczykowski ]
This is the best moment to add more information that can be helpful for tester.
Please attach - Before / After screenshot if possible.
Hello @Michał Błaszczykowski,
Change was reviewed and approved.
Task is ready to be deployed to QA.
Once it is deployed to QA please move ticket to "To Test"
Thank you!
@Krzysztof Bogdan changes implemented
@Michał Błaszczykowski I have requested changes
Hello @Krzysztof Bogdan,
Task is ready for review.
@Michał Błaszczykowski please make sure reviewer
have easy access to contend to be reviewed.
If this is code change. Please make sure PR is created.
If this is new documentation, blogpost, etc. Please provide link to page.
Hello @Krzysztof Bogdan
This is the best moment to add more description, wire-frames, comments.
Why we doing this?
What is expected result?