Sep 4 2020
May 13 2020
Apr 25 2020
At time of writing, calls to rest/api/3/myself now return this:
At time of writing, calls to rest/auth/1/session return a result like this:
Apr 24 2020
See private correspondence ("Re: Contributing / Jira Oauth Patch"), which suggests the call to rest/auth/1/session should be (and may urgently need to be) replaced with a call to rest/api/2/myself. See also https://developer.atlassian.com/cloud/jira/platform/deprecation-notice-basic-auth-and-cookie-based-auth/#which-apis-and-methods-will-be-restricted-.
Feb 24 2020
Couple of notes on the state of affairs here:
As of early 2020, this change works:
JIRA did this (changed how accounts are identified) again recently (key is now accountId); see T13493.
Feb 23 2020
I landed everything so far to master. The new behavior in master should be:
I stumbled across what appears to be a very mild security issue in JIRA that impacts this flow. I've reported it to Atlassian's bug bounty program here (this link may or may not be visible to anyone else):
Feb 22 2020
This change sequence is almost ready to remove readers and writers to accountID, but there's still a unique <accountType, accountDomain, accountID> key on the table. Removing accountID writers completely will mean that the second user to link an account of a particular type (say, an Asana account) will run into a unique key error (since they'll write a second "Asana" account with the same empty accountID as the first "Asana" account).
Feb 21 2020
Feb 20 2020
These callers use accountId:
I think the patch above is a piece of the solution here, but makes behavior worse for some installs: installs with a version of JIRA which returns both key and accountId will have worse behavior under the patch than without it (since it will break all the existing account links immediately). It also doesn't smoothly migrate these installs, even though it's theoretically easy/desirable to do that.
Feb 19 2020
When a user logs in to "new" JIRA, we also can't easily tell if they have an existing account link based on the presence of an accountId.
Feb 4 2020
The actual replacement is Authorization: token <token>, I believe:
Jan 30 2020
I think D20905 is as good as we're going to get.
Jan 15 2020
These changes seem to have stuck.
Nov 13 2019
On Ubuntu 14, the messages are a little less helpful: