How to differentiate the calls from same Jira user with different PAT tokens in application logs
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Personal access tokens (PATs) are a secure way to use scripts and integrate external applications with your Atlassian application. A user can have more than one PAT token linked, and multiple scripts can use different PAT tokens.
If you want to know which PAT tokens are being used in requests to Jira from the same user, you cannot do it with the default logging level for the PAT package.
Environment
Jira Core 8.14 and later
Jira Software 8.14 and later
Jira Service Management 4.15 and later
Solution
By enabling TRACE logging for the PAT package and matching the log output with data from the DB, you can distinguish which PAT token is being used in requests to Jira from the same user.
Go to: Cog Icon -> System -> Logging and Profiling -> Configure logging level for another package.
Package Name: com.atlassian.pats
Logging level: TRACE
Click Add.
Run your tests and check the logs. You will find something similar to the following:
2022-10-11 15:04:09,202+0000 http-nio-8080-exec-4 TRACE anonymous 904x1468x1 - 192.168.0.1 /rest/bamboo/latest/deploy/SCRUM1/SCRUM1-19 [c.a.p.web.filter.TokenBasedAuthenticationFilter] >>> TokenBasedAuthenticationFilter.doFilter
2022-10-11 15:04:09,202+0000 http-nio-8080-exec-4 TRACE anonymous 904x1468x1 - 192.168.0.1 /rest/bamboo/latest/deploy/SCRUM1/SCRUM1-19 [c.a.pats.service.DefaultTokenAuthenticationService] Got tokenId: [355510638677] from token
2022-10-11 15:04:09,206+0000 http-nio-8080-exec-4 DEBUG anonymous 904x1468x1 - 192.168.0.1 /rest/bamboo/latest/deploy/SCRUM1/SCRUM1-19 [c.a.pats.db.PersonalTokenConfigEnricher] Registering enum types for Querydsl
2022-10-11 15:04:09,211+0000 http-nio-8080-exec-4 TRACE anonymous 904x1468x1 - 192.168.0.1 /rest/bamboo/latest/deploy/SCRUM1/SCRUM1-19 [c.a.pats.service.CachingTokenValidator] Verifying user token with hashed token: [{PKCS5S2}iOmgEVwCpHPgaWWxcrfauKEZtLy5Qy/o3gBQTqxuFVqjtG2XD4MzLweWSPI/bw0d]
2022-10-11 15:04:09,211+0000 http-nio-8080-exec-4 TRACE anonymous 904x1468x1 - 192.168.0.1 /rest/bamboo/latest/deploy/SCRUM1/SCRUM1-19 [c.a.pats.service.DefaultTokenAuthenticationService] Authentication successful - returning token: [TokenDTO(id=2, userKey=admin, hashedToken={PKCS5S2}iOmgEVwCpHPgaWWxcrfauKEZtLy5Qy/o3gBQTqxuFVqjtG2XD4MzLweWSPI/bw0d, tokenId=355510638677, name=test, createdAt=2022-10-11 14:51:57.933, lastAccessedAt=2022-10-11 14:56:45.734685, expiringAt=2023-01-09 14:51:57.933, notificationState=NOT_SENT)]
2022-10-11 15:04:09,211+0000 http-nio-8080-exec-4 DEBUG anonymous 904x1468x1 - 192.168.0.1 /rest/bamboo/latest/deploy/SCRUM1/SCRUM1-19 [c.a.pats.checker.JiraProductUserProvider] Looking for Jira user with key: [admin]
2022-10-11 15:04:09,211+0000 http-nio-8080-exec-4 TRACE anonymous 904x1468x1 - 192.168.0.1 /rest/bamboo/latest/deploy/SCRUM1/SCRUM1-19 [c.a.p.web.filter.TokenBasedAuthenticationFilter] Auth SUCCESS for user: [admin] and tokenId: [355510638677] and expiry:[2023-01-09 14:51:57.933]
2022-10-11 15:04:09,233+0000 http-nio-8080-exec-4 TRACE anonymous 904x1468x1 - 192.168.0.1 /rest/bamboo/latest/deploy/SCRUM1/SCRUM1-19 [c.a.p.web.filter.LastAccessedTimeBatcher$TokenBatch] Storing auth time: [2022-10-11T15:04:09.233632Z] for tokenId: [2]
2022-10-11 15:04:09,235+0000 http-nio-8080-exec-4 TRACE admin 904x1468x1 hkdcdx 192.168.0.1 /rest/bamboo/latest/deploy/SCRUM1/SCRUM1-19 [c.a.p.web.filter.TokenBasedAuthenticationFilter] Invalidating session authenticated using personal access token with an ID [D290B8011EF91064B5130DBA90E86102]
2022-10-11 15:04:09,236+0000 http-nio-8080-exec-4 TRACE admin 904x1468x1 hkdcdx 192.168.0.1 /rest/bamboo/latest/deploy/SCRUM1/SCRUM1-19 [c.a.p.web.filter.TokenBasedAuthenticationFilter] <<< TokenBasedAuthenticationFilter.doFilter
In line 5 of the output (the "Authentication successful" entry from DefaultTokenAuthenticationService), you see userKey=admin and tokenId=355510638677. All the details of that PAT token are available on the same line.
You can also get the details for that PAT token by searching by the token ID from the "AO_81F455_PERSONAL_TOKEN" table in the DB:
SELECT "HASHED_TOKEN", "NAME", "TOKEN_ID", "USER_KEY" FROM "AO_81F455_PERSONAL_TOKEN" WHERE "TOKEN_ID" = 355510638677
|HASHED_TOKEN |NAME|TOKEN_ID |USER_KEY|
|-------------------------------------------------------------------------|----|------------|--------|
|{PKCS5S2}iOmgEVwCpHPgaWWxcrfauKEZtLy5Qy/o3gBQTqxuFVqjtG2XD4MzLweWSPI/bw0d|test|355510638677|admin |
Although not ideal, this configuration change will allow you to track which PAT token is used by which user and application.
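To turn the TRACE output into a per-token summary, the following added example (not part of the original article and not Atlassian code) parses the "Auth SUCCESS" and "TokenDTO" lines shown above and groups requests by user and token ID. The sample lines are constructed in the format above; the second token ID, its name, the second IP address and the /rest/api/2/search path are invented for illustration.

```python
import re
from collections import defaultdict

# Layout of the lines above: date time thread level user request-id session ip path [logger] msg
AUTH_OK = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ \S+ \S+ \S+ \S+ (?P<ip>\S+) (?P<path>\S+) "
    r"\[[^\]]*TokenBasedAuthenticationFilter\] "
    r"Auth SUCCESS for user: \[(?P<user>[^\]]+)\] and tokenId: \[(?P<token_id>\d+)\]"
)
# The TokenDTO line carries the token name (assumes the name contains no comma).
TOKEN_DTO = re.compile(r"TokenDTO\(.*?tokenId=(?P<token_id>\d+), name=(?P<name>[^,]*),")


def summarize_pat_usage(lines):
    """Group successful PAT authentications by (user, tokenId)."""
    names = {}
    usage = defaultdict(lambda: {"count": 0, "ips": set(), "paths": set(), "last_seen": None})
    for line in lines:
        dto = TOKEN_DTO.search(line)
        if dto:
            names[dto["token_id"]] = dto["name"]
        hit = AUTH_OK.match(line)
        if hit:
            entry = usage[(hit["user"], hit["token_id"])]
            entry["count"] += 1
            entry["ips"].add(hit["ip"])
            entry["paths"].add(hit["path"])
            entry["last_seen"] = hit["ts"]  # lines arrive in chronological order
    return {key: {"name": names.get(key[1]), **val} for key, val in usage.items()}


def _request(ts, ip, path, token_id, name):
    # Builds the two relevant lines of one request; constructed data, placeholder hash.
    pre = f"2022-10-11 {ts}+0000 http-nio-8080-exec-4 TRACE anonymous 904x1468x1 - {ip} {path}"
    return [
        f"{pre} [c.a.pats.service.DefaultTokenAuthenticationService] Authentication successful - returning token: "
        f"[TokenDTO(id=2, userKey=admin, hashedToken={{PKCS5S2}}PLACEHOLDER, tokenId={token_id}, name={name}, createdAt=...)]",
        f"{pre} [c.a.p.web.filter.TokenBasedAuthenticationFilter] Auth SUCCESS for user: [admin] "
        f"and tokenId: [{token_id}] and expiry:[2023-01-09 14:51:57.933]",
    ]

# Token 111111111111, the name "ci-script", 192.168.0.2 and /rest/api/2/search are invented.
SAMPLE_LOG = (
    _request("15:04:09,211", "192.168.0.1", "/rest/bamboo/latest/deploy/SCRUM1/SCRUM1-19", "355510638677", "test")
    + _request("15:05:10,020", "192.168.0.2", "/rest/api/2/search", "111111111111", "ci-script")
    + _request("15:06:30,500", "192.168.0.1", "/rest/api/2/search", "355510638677", "test")
)

if __name__ == "__main__":
    for (user, token_id), info in summarize_pat_usage(SAMPLE_LOG).items():
        print(user, token_id, info["name"], info["count"], sorted(info["ips"]))
```

Pass the lines of your Jira application log in place of SAMPLE_LOG. The TRACE entries also record each token's hashedToken value; the summary keeps only the token ID and name.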
Changing the logging level of the PAT package has little performance impact. However, the volume of recorded data increases, and it can be high depending on how many requests are made to the server using PAT tokens.
Because of that, you can try different logging configurations to reduce logging verbosity.
For example, instead of setting TRACE for "com.atlassian.pats", try DEBUG and see what information you get. If that is not good enough, try TRACE but for "com.atlassian.pats.service", and so forth.
If it works for you, enable that logging level permanently, following the steps described here: https://confluence.atlassian.com/jirakb/change-logging-levels-in-jira-server-629178605.html.
If too much new data is being generated, you might need to change your logging rotation configuration to expand the number of files and/or the size of the log files.