Fixed a bug preventing a successful Bearer Authentication with other authenticators even if they were still allowed.
Version history
2.4.1 • Confluence Data Center and Server 7.1.1 - 8.5.1 • 2023-09-12 • Bugfix Release
Version 2.4.1 • Released 2023-09-12 • Supported By resolution Reichert Network Solutions GmbH • Paid via Atlassian • Commercial
Fixed a bug preventing a successful Bearer Authentication with other authenticators even if they were still allowed.
2.4.0 • Confluence Data Center and Server 7.1.1 - 8.5.1 • 2023-09-07 • New Feature & Improvements
Please refer to the release notes for more details.
2.3.1 • Confluence Data Center and Server 7.1.1 - 8.4.2 • 2023-08-14 • 3rd-Party Library Updates
Updated OkHttp and Okio libraries
2.3.0 • Confluence Data Center and Server 7.1.1 - 8.4.2 • 2023-07-17 • New Feature
Added a configuration option to limit the maximum number of active tokens a user can have at a time. Read more about it in our documentation.
2.2.5 • Confluence Data Center and Server 7.1.1 - 8.3.2 • 2023-06-27 • Maintenance Release
This is a maintenance release to improve the app.
2.2.4 • Confluence Data Center and Server 7.1.1 - 8.3.2 • 2023-02-27 • Bugfix Release
Added log file entry in case Bearer Authentication with a token fails. Please be aware that these failures are currently not audit-logged. We'll add this soon in an upcoming release.
2.2.3 • Confluence Data Center and Server 7.1.1 - 8.0.3 • 2023-02-14 • Bugfix Release
Fixed a bug affecting the log file entries for tokens deleted on behalf of another user. The records mentioned the wrong user key. The audit log was not affected by that bug.
2.2.2 • Confluence Data Center and Server 7.1.1 - 8.0.4 • 2022-12-12 • Internal Library Updates
Updated internal libraries to be compatible with Confluence 8
2.2.1 • Confluence Data Center and Server 7.1.1 - 7.20.3 • 2022-11-14 • New Feature & Improvement Release
New Feature
- accept authentication with API tokens on selected cluster nodes only, read more about it here
Improvement
- returning the id of a token in the create-token REST response
  - the id is required to delete tokens via REST API
2.1.0 • Confluence Data Center and Server 7.1.1 - 7.20.3 • 2022-09-19 • New Features & UX/ UI Improvements, Minor Bugfixes
New Features
- individual IP address restrictions for API tokens
  - in addition to IP address restrictions that the admin might have defined already, users can assign these on a per token basis
- (HTTP) header/ value access rules for API tokens
- read more about it in our documentation
Changes
- UX/ UI improvements to accommodate new features
Bugfixes
- fixed a bug where users creating a token for themselves got an error that providing an OpenPGP public key is required
  - that only happened when admins enabled mandatory OpenPGP encryption for tokens created on behalf
2.0.5 • Confluence Data Center and Server 7.1.1 - 7.19.14 • 2022-08-31 • 3rd party and internal library updates
No release notes.
2.0.3 • Confluence Data Center and Server 7.1.1 - 7.19.14 • 2022-06-14 • Security Hardening
- further hardening against username enumeration
  - in addition to the changes in version 2.0.2, the error message in a 401 response is now identical to the one Atlassian sends: "Basic Authentication Failure - Reason : AUTHENTICATED_FAILED"
2.0.2 • Confluence Data Center and Server 7.1.1 - 7.18.3 • 2022-06-07 • Bugfix & Security Hardening
- fixed a bug that caused UI not to load if the user logged in has no e-mail address set
- hardened app against username enumeration
  - removed mentions of usernames in responses that led to 401 - Unauthenticated
  - for troubleshooting purposes, admins can still look up details of authentication failures in the log files
- Updated internal and 3rd party libraries
2.0.1 • Confluence Data Center and Server 7.1.1 - 7.18.3 • 2022-05-16 • Library Updates/ UI Text Changes
- Updated internal and 3rd party libraries
- Improved text/ wording of a few element descriptions in the UI
2.0.0 • Confluence Data Center and Server 7.1.1 - 7.17.5 • 2022-04-28 • New Features & Improvements
New Features
- Audit logging of configuration changes
- OpenPGP Encryption for tokens created on behalf
- Tags/ Notes for IP address restrictions
Changes
- Users who can't create their own tokens but can use tokens can now see a list of their tokens, i.e. to see expiration dates or other details
- The list of tokens now shows an expiration warning if a token expires within the next 14 days
- Changed texts in the permission settings so that it's more clear what the on-behalf permission implies
1.9.5 • Confluence Data Center and Server 7.1.1 - 7.17.5 • 2022-02-22 • Internal Library Updates
Updated an authentication library to its latest version to support all Atlassian platforms, including the latest Jira versions
1.9.4 • Confluence Data Center and Server 6.10.0 - 7.16.5 • 2022-02-08 • Improvement Release
Added logging of rate-limited requests. Read more about it here: https://wiki.resolution.de/doc/api-token-authentication/latest/admin-guide/logging#id-.Loggingv1.9.x-RateLimitedRequests
1.9.3 • Confluence Data Center and Server 6.10.0 - 7.16.5 • 2022-02-03 • Minor Changes (Audit log texts/ UI Elements only)
- changed a few wordings in description texts of the audit logging page
- changed text for the audit/ log entry "user tried to authenticate with an invalid token or regular password" to "user is authenticating with an invalid token, or with a regular password"
- added a warning so that admins are aware that tokens created before rate-limiting was enabled won't be rate-limited
1.9.2 • Confluence Data Center and Server 6.10.0 - 7.16.5 • 2022-01-27 • Bugfix For New Rate Limiting Feature
Since version 1.9.x the app offers functionality to apply rate limits to requests authenticated with API Tokens. Read more about rate-limiting here: https://wiki.resolution.de/go/ata/rate-limit-admin
This bugfix adds a missing database field annotation so that updating the app on instances with MS SQL databases works flawlessly.
If you already updated to 1.9.0/1 and use MS SQL, please contact us at https://www.resolution.de/go/support.
1.8.4 • Confluence Data Center and Server 6.3.1 - 7.15.3 • 2022-01-10 • Improvement & Bugfix Release
- extended audit logging so that failed authentication due to IP address restrictions is logged as well
  - until this version, this only happened when the app was configured to prevent Basic Authentication with regular passwords
- fixed a bug that caused a 401 response on certain REST endpoints when re-using an existing session that wasn't created with an API token
1.8.3 • Confluence Data Center and Server 6.3.1 - 7.15.3 • 2021-11-29 • Improvement Release
Now allowing authentication with API tokens on the /download/attachments/ endpoint.
Before this version one had to use a session cookie to download attachments on this non-REST endpoint.
1.8.2 • Confluence Data Center and Server 6.3.1 - 7.14.4 • 2021-10-25 • Bugfix Release
- Fixed a bug in IP address verification that caused client requests to be rejected even though they were in a permitted range
- Hardened and upgraded the internal license checker library to prevent issues when applying a new Atlassian application license
1.8.1 • Confluence Data Center and Server 6.3.1 - 7.14.4 • 2021-07-27 • New Feature & Improvements
- Added a REST token test endpoint for support and troubleshooting purposes, read more about it in our documentation
- Adjusted checks for requests to non-REST endpoints and if basic authentication with regular passwords is disabled
  - before this change, requests with a Basic Auth header would fail and result in HTTP error 403, even if a valid session was present already
1.7.1 • Confluence Data Center and Server 6.3.1 - 7.13.20 • 2021-06-28 • REST API Improvement
REST API only: when creating a token on behalf, the user key provided in the payload is validated first. If it doesn't belong to a user, HTTP status 400 and a message are returned.
To get familiar with the app, please refer to our documentation: https://wiki.resolution.de/doc/api-token-authentication/latest
1.7.0 • Confluence Data Center and Server 6.3.1 - 7.13.20 • 2021-04-19 • New Feature
API tokens can now also be used as bearer tokens, read more about it in our documentation
1.6.3 • Confluence Data Center and Server 6.3.1 - 7.13.20 • 2021-03-25 • Security Improvements/ New Feature
Security Improvement
- Immediately invalidate active sessions that have been created with API tokens and have expired or were deleted in the meantime (Previously the session remained active until the session timeout was reached)
New Feature
- Added option to disable Session Cookie Based Authentication
1.6.2 • Confluence Data Center and Server 6.3.1 - 7.13.20 • 2021-02-23 • Added configuration option regarding the Confluence Remote API (XML-RPC & SOAP)
1.6.1 • Confluence Data Center and Server 6.3.1 - 7.11.2 • 2021-02-16 • Release To Extend Shared Code Base For Bitbucket Compatibility
This version has been created to offer our API Token solution also for Bitbucket.
In addition, admins of Confluence 7.9 (or greater) can now also disable/ enable the Atlassian Personal Access Token app from within the API Token app's system wide configuration page.
1.5.2 • Confluence Data Center and Server 6.3.1 - 7.11.2 • 2020-12-10 • Allowing API token authentication on all app endpoints
You can now use API Tokens not only on REST- but on any /plugins/servlet/ endpoints. This way, almost every app which is using Basic Authentication should be supported.
1.5.1 • Confluence Data Center and Server 6.3.1 - 7.9.3 • 2020-11-10 • CalDAV support for Confluence Team Calendars & Removed misleading description
- You can now also use API tokens for authentication with Confluence Team Calendars. Please be aware that you need to use tokens with Read & Write scope for that to work.
- We've also removed a misleading description on the permission page which suggested that there is a checkbox to grant everyone the "Create Token On Behalf Permission" permission.
1.5.0 • Confluence Data Center and Server 6.3.1 - 7.9.3 • 2020-10-05 • New features: Token scopes, authentication log, and more
New Features:
- Token scoping: read/write and read-only scopes can be used to restrict which 3rd party connections and scripts can make changes to the Jira & Confluence database and which can only read data. Scopes are per token but Read-Write tokens can only be assigned by users with a specific permission or not restricted at all.
- Audit logging of authentication events for complete oversight of successful and unsuccessful 3rd party logins
REST only:
- Custom expiration dates for scripts and connections with a limited lifetime
- User key lookups by email in addition to the standard username argument
Improvements:
- New toggle box to prevent path traversal vulnerabilities in REST URLs, and other under-the-hood changes to make “Disable Basic Authentication with User Password” more secure
1.4.2 • Confluence Data Center and Server 6.3.1 - 7.8.3 • 2020-08-25 • Bugfix Release
Fixed a bug where REST request headers containing a client IP address with a port number caused a null pointer exception. The exception was only thrown with one or more IP restrictions applied.
1.4.1 • Confluence Data Center and Server 6.3.1 - 7.7.4 • 2020-07-09 • Security Hotfix
Fixed a security vulnerability, please read here for more details: https://wiki.resolution.de/doc/api-token-authentication/latest/security-advisories/2020-07-09-sql-injection-vulnerability
1.3.2 • Confluence Data Center and Server 6.3.1 - 7.6.3 • 2020-07-09 • Security Hotfix
Fixed a security vulnerability, please read here for more details: https://wiki.resolution.de/doc/api-token-authentication/latest/security-advisories/2020-07-09-sql-injection-vulnerability
1.2.3 • Confluence Data Center and Server 6.3.1 - 7.4.18 • 2020-04-20 • Security Bugfix release
If configuration was not restricting token usage to sys-admins only, a low privileged user could overwrite token descriptions of other users' tokens via the REST API. To do that, a user would have needed to guess the id of a token to be used in the update call (tokens are added to the database with a sequential Id). This refers to overwriting token descriptions only. At no point was the actual token exposed or at risk.
CVSS: Medium 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
VRT: Broken Access Control (BAC) > Insecure Direct Object References (IDOR)
1.2.2 Confluence Server 6.3.1 - 7.3.5 2020-03-16 Bugfix release Version 1.2.2 • Released 2020-03-16 • Supported By resolution Reichert Network Solutions GmbH • Paid via Atlassian • Commercial
Fixed a bug where an already authorized user was not detected as such, causing a 403 error.
Added support for older/outdated browsers (e.g. Firefox 59), in which the frontend previously failed to load properly.
1.2.2 Confluence Data Center 6.3.1 - 7.3.5 2020-03-16 Bugfix release Version 1.2.2 • Released 2020-03-16 • Supported By resolution Reichert Network Solutions GmbH • Paid via Atlassian • Commercial
Fixed a bug where an already authorized user was not detected as such, causing a 403 error.
Added support for older/outdated browsers (e.g. Firefox 59), in which the frontend previously failed to load properly.
1.2.1 Confluence Server 6.3.1 - 7.3.5 2020-03-09 Added more token validity time options Version 1.2.1 • Released 2020-03-09 • Supported By resolution Reichert Network Solutions GmbH • Paid via Atlassian • Commercial
Added more token validity time options to choose from. So far, only 6, 12 and 24 months could be selected in the UI, but now users can additionally select an expiration time ranging from 1 to 5 months.
1.2.1 Confluence Data Center 6.3.1 - 7.3.5 2020-03-09 Added more token validity time options Version 1.2.1 • Released 2020-03-09 • Supported By resolution Reichert Network Solutions GmbH • Paid via Atlassian • Commercial
Added more token validity time options to choose from. So far, only 6, 12 and 24 months could be selected in the UI, but now users can additionally select an expiration time ranging from 1 to 5 months.
1.2.0 Confluence Server 6.3.1 - 7.3.5 2020-02-20 New feature, Getting started wizard Version 1.2.0 • Released 2020-02-20 • Supported By resolution Reichert Network Solutions GmbH • Paid via Atlassian • Commercial
- added a checkbox so that admins can allow regular users to use API tokens created for them by admins, or created earlier by regular users prior to limiting token creation to admin users
- added a wizard for easier setup and getting started
- added more in-app links to the documentation and our support center
1.2.0 Confluence Data Center 6.3.1 - 7.3.5 2020-02-20 New feature, Getting started wizard Version 1.2.0 • Released 2020-02-20 • Supported By resolution Reichert Network Solutions GmbH • Paid via Atlassian • Commercial
- added a checkbox so that admins can allow regular users to use API tokens created for them by admins, or created earlier by regular users prior to limiting token creation to admin users
- added a wizard for easier setup and getting started
- added more in-app links to the documentation and our support center
1.1.1 Confluence Server 6.3.1 - 7.3.5 2020-02-05 New features & Bug Fixes Version 1.1.1 • Released 2020-02-05 • Supported By resolution Reichert Network Solutions GmbH • Paid via Atlassian • Commercial
Bugfix:
- fixed the bug causing the failed login counter to be increased when using API tokens
- fixed the bug not returning the correct X-Seraph-LoginReason status value
New Features:
- tokens can now have a validity/expiration time of up to two years
- sysadmins can disable token creation and usage for regular users
- sysadmins can create tokens for other users
- token creation and deletion will create audit log records in Jira and Confluence
- added a REST endpoint for sysadmins to filter tokens from all users in the system, e.g. to send expiration warnings with a custom automation
1.1.1 Confluence Data Center 6.3.1 - 7.3.5 2020-02-05 New features & Bug Fixes Version 1.1.1 • Released 2020-02-05 • Supported By resolution Reichert Network Solutions GmbH • Paid via Atlassian • Commercial
Bugfix:
- fixed the bug causing the failed login counter to be increased when using API tokens
- fixed the bug not returning the correct X-Seraph-LoginReason status value
New Features:
- tokens can now have a validity/expiration time of up to two years
- sysadmins can disable token creation and usage for regular users
- sysadmins can create tokens for other users
- token creation and deletion will create audit log records in Jira and Confluence
- added a REST endpoint for sysadmins to filter tokens from all users in the system, e.g. to send expiration warnings with a custom automation