Some Connect Apps' shared secrets are out of sync causing the apps to not load
Incident
Report for Atlassian Developer
Resolved
Between 29-Sep-2022 00:43UTC to 06-Oct-2022 01:41UTC, we experienced a problem rolling back secrets for failed Connect app upgrades in Jira and Confluence. This resulted in the secrets becoming out of sync between the Connect records and the app's records. The issue has been resolved and the service is operating normally.
Update
We have not received any new reports of impact since posting last update.
We are going to monitor this incident until 2022.10.11 04:00 UTC to verify that there is no further impact.
Next update will be posted before 2022.10.11 05:00 UTC
We are going to monitor this incident until 2022.10.11 04:00 UTC to verify that there is no further impact.
Next update will be posted before 2022.10.11 05:00 UTC
Update
Following the secrets re-sync we haven't received any new reports of malfunctioning Connect apps. We have reached out directly to app authors that may still be impacted by the issue.
We will monitor closely and post next update within 48 hours.
We will monitor closely and post next update within 48 hours.
Monitoring
Over the last 24 hours shared secrets were re-synced for the tenants with identified affected apps. This fixes the problem for the apps.
We have identified 17 apps across Jira and Confluence that failed re-sync and we will be contacting them within next hour directly.
We'll be monitoring closely and post next update within 12 hours.
We have identified 17 apps across Jira and Confluence that failed re-sync and we will be contacting them within next hour directly.
We'll be monitoring closely and post next update within 12 hours.
Update
Over the next 24 hours, shared secrets will be re-synced for the tenants with the identified affected apps. We expect this to resolve this issue for those apps.
Re-syncing shared secrets uses signed install callbacks. All apps should have already been migrated to support this at this time, as notified in:
https://community.developer.atlassian.com/t/action-required-atlassian-connect-installation-lifecycle-security-improvements/49046
Apps that have not been updated to support signed installs should do so now.
The next update will be in 24 hours based on the outcome of this re-sync process.
Re-syncing shared secrets uses signed install callbacks. All apps should have already been migrated to support this at this time, as notified in:
https://community.developer.atlassian.com/t/action-required-atlassian-connect-installation-lifecycle-security-improvements/49046
Apps that have not been updated to support signed installs should do so now.
The next update will be in 24 hours based on the outcome of this re-sync process.
Identified
Connect Apps installation attempts that have been rolled back since September 29th at 10:13 UTC due to a failure in an installation upgrade would now have a shared secret that is out of sync with Atlassian. This would impact the app's ability to authenticate with Atlassian, call product APIs, and render iFrames causing the app to not load.
Impacted apps will have an error log similar to 'Unsupported JWS algorithm RS256, must be HS256, HS384 or HS512'.
We have mitigated this from affecting any future rollbacks and have begun the process of re-syncing shared secrets with apps.
We will post another update here in 2 hours.
Impacted apps will have an error log similar to 'Unsupported JWS algorithm RS256, must be HS256, HS384 or HS512'.
We have mitigated this from affecting any future rollbacks and have begun the process of re-syncing shared secrets with apps.
We will post another update here in 2 hours.
This incident affected: Developer (App Deployment).