Disabling basic authentication

In Jira and Bitbucket, you can use a username and password to authenticate through the login portal or use basic authentication in API calls. Since using a username and password is less secure than using Single Sign-On, we strongly advise you to disable both ways of authentication with username and password completely once you add an alternative single sign-on authentication method to your environment. 

Some features in Atlassian products rely on using username and password for authentication in API calls. If you wish specific usernames or URLs to be able to use basic authentication in REST API calls you can create an allowlist for that. Learn how to create an allowlist when basic authentication is disabled.

Before you begin

Blocking basic authentication is a native feature in:

    • Jira 8.16 or later

    • Bitbucket 7.12 or later

    • Bamboo 8.1 or later
    • Confluence 7.16 or later

If you use earlier versions of these products, you can still get this feature by installing the SSO for Atlassian Data Center app from Atlassian Marketplace. Make sure your product and version is listed as supported

Disabling basic authentication will make scripts that use authentication with username and password stop working. Make sure that your users are aware of basic authentication method being disabled ahead of time.

Disable basic authentication

To completely disable basic authentication, you need to hide the default login form and also disable basic authentication on API calls.

To disable the default login method:

  1. Go to administration options for your product:

    • In Jira, select Administration  > System > Authentication methods (in earlier versions named SSO 2.0).

    • In Bitbucket, select Administration > Accounts > Authentication methods (in earlier versions named SSO 2.0).
  2. Next to the default authentication method, select Actions > Edit.
  3. Clear the Show default login form checkbox.
  4. Select Save configuration.

To disable basic authentication in API calls:

  1. Go to the Authentication methods page, mentioned above.
  2. Toggle off the Allow basic authentication on API calls option.

Results

Basic authentication is disabled in your environment. 

How to test if my basic authentication is disabled?

When basic authentication is disabled all requests using a username and password to authenticate should get one of these responses:

  • JSON

    {
        "message": "Basic Authentication has been disabled on this instance."
    }
  • XML

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <warning>
        <message>Basic Authentication has been disabled on this instance.</message>
    </warning>
  • Text/plain

    Basic Authentication has been disabled on this instance.

    The response status code should be 403.


Last modified on Feb 15, 2024

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.