Atlassian OAuth2 Keys
Service Name: Atlassian
Service Description: Atlassian provides a suite of collaboration software products including Jira (project management), Confluence (content collaboration), Bitbucket (code repository), and more. OAuth2 keys are used to authenticate and authorize API access to Atlassian products.
Service Address: https://www.atlassian.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the organization level through Atlassian Access security controls.
Secret Access Scope: Grants programmatic access to Atlassian products and their APIs based on the scopes defined during OAuth app creation. Can access user data, manage projects, repositories, and other resources depending on the granted permissions.
Secret Revokement URL: https://developer.atlassian.com/cloud/jira/platform/oauth-2-3lo-apps/#revoking-access-tokens
Secret Example: ATOAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Suspicious Activity Investigation Instructions:
- Review the OAuth application's access logs in your Atlassian admin portal.
- Check for unusual API calls or access patterns to your Atlassian resources.
- Verify the IP addresses that have been using the OAuth credentials.
- Review any changes made to projects, repositories, or other resources during suspicious timeframes.
- Check for unauthorized OAuth applications connected to your Atlassian account.
Mitigation Instructions:
- Immediately revoke the compromised OAuth token through the Atlassian developer console.
- Create a new OAuth application and generate new client credentials if needed.
- Review and adjust the scopes granted to the application to follow the principle of least privilege.
- Enable IP allowlisting for the OAuth application if available.
- Enable additional security controls like requiring user approval for OAuth applications.
- Consider implementing Atlassian Access for enterprise-grade security controls.
- Update any applications or services that were using the compromised credentials with the new ones.
- Monitor for any continued unauthorized access attempts using the revoked credentials.