Atlassian OAuth2 Client Secret

ID

atlassian_oauth2_key

Severity

high

Vendor

Atlassian

Family

Access key

Description

External applications can obtain an OAuth 2 token for Atlassian tools such as Jira, Bitbucket or Confluence in order to operate on the tool on behalf of a user. To do so, the application typically authenticates with the Atlassian authentication server using its client id and client secret (which must not be made public). The authentication server then issues an OAuth2 token that lets the application perform scoped actions on behalf of the user who granted access.

For further information, see the Atlassian OAuth2 documentation.

Security

Any hardcoded OAuth client secret, when leaked, may allow an unintended actor to perform the same operations as the legitimate client application, for example by creating a phishing authentication page that is indistinguishable from the original in order to obtain valid OAuth2 tokens.

Examples

JIRA_CLIENT_ID=ptdCGemcvkWdznhhagxN28wxExn7GhKJ
JIRA_CLIENT_SECRET=RK5MTWci5jRMpvgMMUv8tu8jSk3rL9BLCafQzWxRwdBMtQSNEreqeArAknUnFYgU

curl --request POST \
  --url 'https://auth.atlassian.com/oauth/token' \
  --header 'Content-Type: application/json' \
  --data '{ "client_id": "'"$JIRA_CLIENT_ID"'", "client_secret": "'"$JIRA_CLIENT_SECRET"'" }'

Mitigation / Fix

  1. Remove the OAuth2 client secret from the source code.

  2. Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s). The client secret can be regenerated from the Atlassian app dashboard.
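The following is an added illustration, not code from this detector's own implementation: a small scanner that flags a hardcoded client secret in the assignment and JSON shapes shown in the Examples section (key names containing `client_secret`, a 64-character alphanumeric value like the page's sample, with a Shannon entropy filter so that placeholder strings are not reported), next to the hardened form from mitigation step 1, where the credential is resolved at runtime from the environment rather than committed. The sample secret and client id, the 64-character value rule, the 4.0 entropy threshold and the `JIRA_CLIENT_ID`/`JIRA_CLIENT_SECRET` environment variable names are assumptions made for this example.

```python
import math
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample values with the same shape as the page's example
# (32-character client id, 64-character client secret); not real credentials.
SAMPLE_CLIENT_ID = "ab12CD34ef56GH78ij90KL12mn34OP56"
SAMPLE_SECRET = "k9Qz3LpV7mXa2RtB8nWy4HsD6cJf0GuE5vNb1TqK9rMw3ZxP7lSy2oAd8hCi4eFg"

# Constructed source snippet: two real-looking leaks (env file and JSON body),
# one placeholder of 64 'x's, and the hardened form using a shell variable reference.
SAMPLE_SOURCE = "\n".join([
    f"JIRA_CLIENT_ID={SAMPLE_CLIENT_ID}",
    f"JIRA_CLIENT_SECRET={SAMPLE_SECRET}",
    f'{{ "client_id": "{SAMPLE_CLIENT_ID}", "client_secret": "{SAMPLE_SECRET}" }}',
    "JIRA_CLIENT_SECRET=" + "x" * 64,
    "JIRA_CLIENT_SECRET=${JIRA_CLIENT_SECRET}",
])

# Matches KEY=VALUE, KEY: VALUE and "key": "value" where the key ends in
# client_secret (any prefix such as JIRA_ is allowed) and the value is exactly
# 64 alphanumeric characters (assumed rule, modelled on the page's example).
SECRET_ASSIGNMENT = re.compile(
    r'(?i)\b(?P<key>[A-Z0-9_]*client[_-]?secret)["\']?\s*[:=]\s*["\']?'
    r'(?P<value>[A-Za-z0-9]{64})(?![A-Za-z0-9])'
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; a random 64-character secret scores well above 4."""
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def find_hardcoded_secrets(text: str, min_entropy: float = 4.0) -> List[Tuple[int, str, str]]:
    """Return (line_number, key, value) for every assignment that looks like a live secret.

    Values whose entropy is below min_entropy (repeated characters, obvious
    placeholders) are skipped to keep the finding list actionable.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SECRET_ASSIGNMENT.finditer(line):
            value = m.group("value")
            if shannon_entropy(value) >= min_entropy:
                findings.append((lineno, m.group("key"), value))
    return findings


def token_request_body(env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Hardened form: build the token request body from credentials supplied at
    runtime (environment, secrets manager) so nothing secret lives in the repository."""
    env = os.environ if env is None else env
    try:
        client_id = env["JIRA_CLIENT_ID"]
        client_secret = env["JIRA_CLIENT_SECRET"]
    except KeyError as missing:
        # Fail closed with a clear message instead of sending an empty credential.
        raise RuntimeError(f"credential {missing} not provided") from None
    return {"client_id": client_id, "client_secret": client_secret}


if __name__ == "__main__":
    for lineno, key, value in find_hardcoded_secrets(SAMPLE_SOURCE):
        # Never print the secret itself; a short prefix is enough to locate it.
        print(f"line {lineno}: hardcoded {key} ({value[:4]}...)")
```

Running the scanner over the constructed snippet reports the env-file and JSON lines only: the 64 'x' placeholder fails the entropy check and the `${JIRA_CLIENT_SECRET}` reference never matches, which is the state a repository should be in after mitigation step 1.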