Disabling basic authentication

In Jira and Bitbucket, users can authenticate with a username and password through the login portal, or with basic authentication in API calls. Because username and password authentication is less secure than single sign-on, we strongly recommend disabling both of these methods completely once you have added an alternative single sign-on authentication method to your environment.

Some features in Atlassian products rely on username and password authentication in API calls. If specific usernames or URLs need to keep using basic authentication in REST API calls, you can create an allowlist for them. Learn how to create an allowlist when basic authentication is disabled.

Before you begin

Blocking basic authentication is a native feature in:

    • Jira 8.16 or later

    • Bitbucket 7.12 or later

If you use earlier versions of these products, you can still get this feature by installing the SSO for Atlassian Server and Data Center app from the Atlassian Marketplace. Make sure your product and version are listed as supported.

Disabling basic authentication will break any scripts and integrations that authenticate with a username and password. Make sure your users know ahead of time that basic authentication will be disabled, so they can migrate those scripts (or request an allowlist entry) before the change.


To disable basic authentication

    1. Go to administration options for your product:

      • In Jira, select Administration > System > Authentication methods (in earlier versions named SSO 2.0).

      • In Bitbucket, select Administration > Accounts > Authentication methods (in earlier versions named SSO 2.0).
    2. To disable logging in with a username and password from the login portal, toggle off the Show on login screen option next to the default authentication method.
    3. To disable username and password authentication in API calls, toggle off Allow basic authentication on API calls.

Results

Basic authentication is disabled in your environment. 

How do I test whether basic authentication is disabled?

When basic authentication is disabled, every request that authenticates with a username and password should be rejected with response status code 403 and one of these bodies, depending on the content type of the response:

  • JSON

    {
        "message": "Basic Authentication has been disabled on this instance."
    }
  • XML

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <warning>
        <message>Basic Authentication has been disabled on this instance.</message>
    </warning>
  • Text/plain

    Basic Authentication has been disabled on this instance.

In all three cases the response status code should be 403.
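The following Python script is an added example, not part of this article or of Atlassian's products. It sends one basic-auth request with the standard library and classifies the answer against the 403 responses listed above, parsing all three body formats. The endpoint path (/rest/api/2/myself for Jira; for Bitbucket an authenticated endpoint such as /rest/api/1.0/projects) and the sample responses embedded in the script are assumptions constructed for the example; the samples are not captured from a real instance.

```python
"""Check whether a Jira / Bitbucket instance rejects basic authentication.

Added example, not Atlassian's own tooling. probe() sends one basic-auth
request; classify_response() interprets the result using the documented
403 + message responses. The REST path and SAMPLE_RESPONSES are assumptions
constructed for this example.
"""
import base64
import json
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

EXPECTED_MESSAGE = "Basic Authentication has been disabled on this instance."


def extract_message(content_type, body):
    """Pull the message out of the JSON, XML or text/plain body variants."""
    media_type = (content_type or "").split(";")[0].strip().lower()
    if media_type == "application/json":
        data = json.loads(body)
        return data.get("message") if isinstance(data, dict) else None
    if media_type in ("application/xml", "text/xml"):
        node = ET.fromstring(body).find("message")
        return node.text.strip() if node is not None and node.text else None
    # Anything else (including text/plain) is treated as the raw message.
    return body.strip()


def classify_response(status, content_type, body):
    """Map one HTTP response to a verdict about the basic-auth setting."""
    if status == 403:
        try:
            if extract_message(content_type, body) == EXPECTED_MESSAGE:
                return "basic-auth-disabled"
        except (ValueError, ET.ParseError):
            pass  # 403 with an unrelated body is a permission error, not the toggle
        return "forbidden-other"
    if status == 200:
        # The request authenticated: toggle still on, or the user/URL is allowlisted.
        return "basic-auth-accepted"
    if status == 401:
        # Credentials were processed and rejected; retest with valid ones.
        return "credentials-rejected"
    return "unexpected-%d" % status


def probe(base_url, username, password, path="/rest/api/2/myself"):
    """Send one basic-auth request and classify the answer.

    path defaults to Jira's /rest/api/2/myself; for Bitbucket pass an
    authenticated endpoint such as /rest/api/1.0/projects (assumption).
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": "Basic " + token, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            status, ctype, body = resp.status, resp.headers.get("Content-Type"), resp.read()
    except urllib.error.HTTPError as err:
        status, ctype, body = err.code, err.headers.get("Content-Type"), err.read()
    return classify_response(status, ctype, body.decode("utf-8", "replace"))


# Constructed sample responses (not captured from a real instance): the three
# documented bodies plus two cases a tester must not mistake for success.
SAMPLE_RESPONSES = [
    (403, "application/json;charset=UTF-8",
     '{"message": "Basic Authentication has been disabled on this instance."}'),
    (403, "application/xml",
     '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
     "<warning><message>Basic Authentication has been disabled on this instance."
     "</message></warning>"),
    (403, "text/plain", "Basic Authentication has been disabled on this instance.\n"),
    (200, "application/json;charset=UTF-8", '{"name": "jsmith"}'),
    (401, "application/json;charset=UTF-8", '{"message": "Login failed"}'),
]


def run_samples():
    """Classify the constructed samples; returns the list of verdicts."""
    return [classify_response(s, c, b) for s, c, b in SAMPLE_RESPONSES]


if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: script.py https://jira.example.com user password
        print(probe(sys.argv[1], sys.argv[2], sys.argv[3]))
    else:
        for sample, verdict in zip(SAMPLE_RESPONSES, run_samples()):
            print(sample[0], sample[1].split(";")[0], "->", verdict)
```

Run it with a base URL, username and password to probe a live instance, or with no arguments to see the verdicts for the embedded samples. Only a 403 carrying the documented message proves the toggle is off: a 200 means the request was authenticated (the toggle is still on, or the user or URL is on the allowlist), and a 401 means the credentials themselves were rejected, so retest with valid ones before drawing any conclusion.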


Last modified on Apr 12, 2021
