How to differentiate the calls from same Jira user with different PAT tokens in application logs

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Personal access tokens (PATs) are a secure way to use scripts and integrate external applications with your Atlassian application. A user can have more than one PAT token linked, and multiple scripts can use different PAT tokens.

If you want to know which PAT tokens are being used in requests to Jira from the same user, you cannot do it with the default logging level for the PAT package.

Environment

  • Jira Core 8.14 and later
  • Jira Software 8.14 and later
  • Jira Service Management 4.15 and later

Solution

By enabling TRACE for the PAT package and matching the log output with data from the DB, you can distinguish which PAT token is being used in requests to Jira from the same user.

  1. Go to Cog Icon -> System -> Logging and Profiling, then select *Configure* logging level for another package.
    1. Package Name: com.atlassian.pats
    2. Logging level: TRACE
    3. Click add.
  2. Run your tests and check the logs. You will find something similar to the following:
2022-10-11 15:04:09,202+0000 http-nio-8080-exec-4 TRACE anonymous 904x1468x1 - 192.168.0.1 /rest/bamboo/latest/deploy/SCRUM1/SCRUM1-19 [c.a.p.web.filter.TokenBasedAuthenticationFilter] >>> TokenBasedAuthenticationFilter.doFilter
2022-10-11 15:04:09,202+0000 http-nio-8080-exec-4 TRACE anonymous 904x1468x1 - 192.168.0.1 /rest/bamboo/latest/deploy/SCRUM1/SCRUM1-19 [c.a.pats.service.DefaultTokenAuthenticationService] Got tokenId: [355510638677] from token
2022-10-11 15:04:09,206+0000 http-nio-8080-exec-4 DEBUG anonymous 904x1468x1 - 192.168.0.1 /rest/bamboo/latest/deploy/SCRUM1/SCRUM1-19 [c.a.pats.db.PersonalTokenConfigEnricher] Registering enum types for Querydsl
2022-10-11 15:04:09,211+0000 http-nio-8080-exec-4 TRACE anonymous 904x1468x1 - 192.168.0.1 /rest/bamboo/latest/deploy/SCRUM1/SCRUM1-19 [c.a.pats.service.CachingTokenValidator] Verifying user token with hashed token: [{PKCS5S2}iOmgEVwCpHPgaWWxcrfauKEZtLy5Qy/o3gBQTqxuFVqjtG2XD4MzLweWSPI/bw0d]
2022-10-11 15:04:09,211+0000 http-nio-8080-exec-4 TRACE anonymous 904x1468x1 - 192.168.0.1 /rest/bamboo/latest/deploy/SCRUM1/SCRUM1-19 [c.a.pats.service.DefaultTokenAuthenticationService] Authentication successful - returning token: [TokenDTO(id=2, userKey=admin, hashedToken={PKCS5S2}iOmgEVwCpHPgaWWxcrfauKEZtLy5Qy/o3gBQTqxuFVqjtG2XD4MzLweWSPI/bw0d, tokenId=355510638677, name=test, createdAt=2022-10-11 14:51:57.933, lastAccessedAt=2022-10-11 14:56:45.734685, expiringAt=2023-01-09 14:51:57.933, notificationState=NOT_SENT)]
2022-10-11 15:04:09,211+0000 http-nio-8080-exec-4 DEBUG anonymous 904x1468x1 - 192.168.0.1 /rest/bamboo/latest/deploy/SCRUM1/SCRUM1-19 [c.a.pats.checker.JiraProductUserProvider] Looking for Jira user with key: [admin]
2022-10-11 15:04:09,211+0000 http-nio-8080-exec-4 TRACE anonymous 904x1468x1 - 192.168.0.1 /rest/bamboo/latest/deploy/SCRUM1/SCRUM1-19 [c.a.p.web.filter.TokenBasedAuthenticationFilter] Auth SUCCESS for user: [admin] and tokenId: [355510638677] and expiry:[2023-01-09 14:51:57.933]
2022-10-11 15:04:09,233+0000 http-nio-8080-exec-4 TRACE anonymous 904x1468x1 - 192.168.0.1 /rest/bamboo/latest/deploy/SCRUM1/SCRUM1-19 [c.a.p.web.filter.LastAccessedTimeBatcher$TokenBatch] Storing auth time: [2022-10-11T15:04:09.233632Z] for tokenId: [2]
2022-10-11 15:04:09,235+0000 http-nio-8080-exec-4 TRACE admin 904x1468x1 hkdcdx 192.168.0.1 /rest/bamboo/latest/deploy/SCRUM1/SCRUM1-19 [c.a.p.web.filter.TokenBasedAuthenticationFilter] Invalidating session authenticated using personal access token with an ID [D290B8011EF91064B5130DBA90E86102]
2022-10-11 15:04:09,236+0000 http-nio-8080-exec-4 TRACE admin 904x1468x1 hkdcdx 192.168.0.1 /rest/bamboo/latest/deploy/SCRUM1/SCRUM1-19 [c.a.p.web.filter.TokenBasedAuthenticationFilter] <<< TokenBasedAuthenticationFilter.doFilter

In line 5 of the log excerpt, you see userKey=admin and tokenId=355510638677. All the details of that PAT token are available on the same line.

You can also get the details for that PAT token by searching by the token ID from the "AO_81F455_PERSONAL_TOKEN" table in the DB:

SELECT "HASHED_TOKEN", "NAME", "TOKEN_ID", "USER_KEY" FROM "AO_81F455_PERSONAL_TOKEN" WHERE "TOKEN_ID" = 355510638677

|HASHED_TOKEN                                                             |NAME|TOKEN_ID    |USER_KEY|
|-------------------------------------------------------------------------|----|------------|--------|
|{PKCS5S2}iOmgEVwCpHPgaWWxcrfauKEZtLy5Qy/o3gBQTqxuFVqjtG2XD4MzLweWSPI/bw0d|test|355510638677|admin   |

Although not ideal, this configuration change will allow you to track which PAT token is used by which user and application.
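The log matching described above can be scripted. The following is an added example, not Atlassian code: it groups successful PAT authentications by user and tokenId, records the client IPs and request paths, and never copies the hashedToken field into its output. The sample lines are constructed in the format of the excerpt above, the function name summarize_pat_usage is hypothetical, and the regular expressions assume that exact line layout.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format of the excerpt above (hash replaced by a placeholder).
# The last two requests use a different, made-up tokenId for the same user.
PREFIX = "2022-10-11 15:04:09,211+0000 http-nio-8080-exec-4 TRACE anonymous 904x1468x1 - "
SAMPLE_LOG = "\n".join([
    PREFIX + "192.168.0.1 /rest/api/2/myself [c.a.pats.service.DefaultTokenAuthenticationService] "
    "Authentication successful - returning token: [TokenDTO(id=2, userKey=admin, "
    "hashedToken={PKCS5S2}PLACEHOLDER, tokenId=355510638677, name=test, "
    "createdAt=2022-10-11 14:51:57.933, notificationState=NOT_SENT)]",
    PREFIX + "192.168.0.1 /rest/api/2/myself [c.a.p.web.filter.TokenBasedAuthenticationFilter] "
    "Auth SUCCESS for user: [admin] and tokenId: [355510638677] and expiry:[2023-01-09 14:51:57.933]",
    PREFIX + "192.168.0.7 /rest/api/2/search [c.a.p.web.filter.TokenBasedAuthenticationFilter] "
    "Auth SUCCESS for user: [admin] and tokenId: [111111111111] and expiry:[2023-01-09 14:51:57.933]",
    PREFIX + "192.168.0.7 /rest/api/2/issue/SCRUM1-19 [c.a.p.web.filter.TokenBasedAuthenticationFilter] "
    "Auth SUCCESS for user: [admin] and tokenId: [111111111111] and expiry:[2023-01-09 14:51:57.933]",
])

# Fields after the log level: user, request id, session id, client IP, request path, [logger].
LINE = re.compile(r"^\S+ \S+ \S+ TRACE \S+ \S+ \S+ (?P<ip>\S+) (?P<path>\S+) \[[^\]]+\] (?P<msg>.*)$")
AUTH_OK = re.compile(r"Auth SUCCESS for user: \[(?P<user>[^\]]+)\] and tokenId: \[(?P<tid>\d+)\]")
TOKEN_DTO = re.compile(r"TokenDTO\(.*?tokenId=(?P<tid>\d+), name=(?P<name>.*?), createdAt=")


def summarize_pat_usage(log_text):
    """Group successful PAT authentications by (user, tokenId); hashedToken is never copied."""
    names = {}  # tokenId -> token name, filled only when a TokenDTO line was seen
    usage = defaultdict(lambda: {"requests": 0, "ips": set(), "paths": Counter()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        dto = TOKEN_DTO.search(m["msg"])
        if dto:
            names[dto["tid"]] = dto["name"]
        ok = AUTH_OK.search(m["msg"])
        if ok:
            entry = usage[(ok["user"], ok["tid"])]
            entry["requests"] += 1
            entry["ips"].add(m["ip"])
            entry["paths"][m["path"]] += 1
    return {key: {**val, "name": names.get(key[1])} for key, val in usage.items()}


if __name__ == "__main__":
    for (user, tid), info in summarize_pat_usage(SAMPLE_LOG).items():
        print(user, tid, info["name"], info["requests"], sorted(info["ips"]), dict(info["paths"]))
```

A token whose name comes back as None had no TokenDTO line in the parsed text; resolve it with the "AO_81F455_PERSONAL_TOKEN" query by TOKEN_ID.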

Changing the logging level of the PAT package has little performance impact. However, there is an increased volume of recorded data, which can be high depending on how many requests are made to the server using PAT tokens.

Because of that, you can try different logging configurations to reduce logging verbosity.

For example, instead of setting TRACE to "com.atlassian.pats", try DEBUG and see what information you get. If that is not good enough, try TRACE but for "com.atlassian.pats.service", and so forth.

If it works for you, enable that logging level permanently, following the steps described here: https://confluence.atlassian.com/jirakb/change-logging-levels-in-jira-server-629178605.html.

If too much new data is being generated, you might need to change your log rotation configuration to increase the number of files and/or the size of the log files.

Ref.: https://confluence.atlassian.com/jirakb/change-the-rotation-file-size-for-jira-server-logs-956698924.html

Last modified on Nov 1, 2022
