[Bugzilla-announce-list] Action Required: Bugzilla - API Authentication changes

Jeff Fearn jfearn at redhat.com
Tue Feb 1 02:28:13 UTC 2022

Tl;dr From Monday 28th February, applications making API calls to 
Bugzilla may no longer authenticate using passwords or supplying API 
keys in call parameters. Instead, API keys must be supplied in the 
Authorization header.

Support for using the Authorization header has been deployed to all Red 
Hat Bugzilla instances. You can change your code at any time and not 
have to wait for the old methods to be disabled.

We will require all authenticated API usage to use this new method; this 
will break API access to Red Hat Bugzilla for any tools that don't use 
the Authorization header [1].

If you are not certain your tooling authenticates using this header then 
you need to take action to confirm it does and to modify your tooling to 
use it if it doesn't.

This new method does away with logging in and out of the API and uses 
API_KEYs in a standard Authorization header. This header needs to be 
sent with every call to the API.

The old methods will be disabled on a rolling basis across the RHBZ servers.

Target Dates:

https://bugzilla.stage.redhat.com - Mon 07th Feb 00:00 UTC
https://bugzilla.redhat.com - Mon 28th Feb 00:00 UTC


If you attempt to use an old method to authenticate to the API after 
this change has been made, the API_KEY or password supplied will be 
treated as potentially compromised and invalidated immediately. If you 
supplied your password then you will need to follow the forgot password 
process to reset it. If you supplied an API_KEY it will have been banned 
and you will need to generate a new API_KEY in the UI.

This invalidation will happen every time an attempt to use an outdated 
authentication method is detected.

If you are using python-bugzilla you need to upgrade to version 3.2.0 
which will automatically use the new method of authentication.

If you are using other tools you will need to look into how they work 
and see how to adjust them to use the Authorization header instead of 
the other parameters.

If you need assistance understanding how to update your applications, 
please reach out to us by the following means.

- If you have an active subscription via https://access.redhat.com/support/

- If you are a Red Hat Partner then please contact your partner 

- Or email us at bugzilla-owner at redhat.com

The Red Hat Bugzilla Team.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/bugzilla-announce-list/attachments/20220201/5b586023/attachment.sig>

More information about the Bugzilla-announce-list mailing list