401 Error "Unauthorized; scope does not match error" on Forge staging environment

Hello Developer Community,

I’m encountering a persistent issue with a 401 error, displaying the message “Unauthorized; scope does not match” when attempting to call the “/rest/servicedeskapi/servicedesk/${projectKey}/requesttype” endpoint after adding a new Jira Service Management (JSM) scope.
The puzzling aspect is that the endpoint functions correctly in our development environment. However, upon deploying identical code to our staging environment, the error persists.

I’ve undertaken several troubleshooting steps, but unfortunately, none have resolved the issue:

  • Executed “forge install --upgrade -e staging --site https://xxxxx
  • Uninstalled and reinstalled the application
  • Created a new site and installed the application

Here’s the code snippet in question:

        const types = await requestJira(`/rest/servicedeskapi/servicedesk/${projectKey}/requesttype?start=0`).then((r) => {
          if (!r.ok) {
            throw r;
          }
          return r.json();
        });

Manifest excerpt:

  scopes:
    - read:jira-work
    - write:jira-work
    - manage:jira-project
    - manage:jira-configuration
    - read:jira-user
    - read:servicedesk-request
    - storage:app

Failed call in the staging environment:


image

Successful call in the development environment:

Could someone please provide guidance on resolving this issue? Any assistance would be greatly appreciated!

Thank you.

1 Like

@takafumiohtake from what I understand, the requirement described in Path construction (route)was introduced some time ago. Your use of requestJira without a route-tagged template suggests that you are on an old version of the Forge runtime. Your entire request path may be getting URL-encoded, producing a request URL such as %2Frest%2Fapi%2F...

Support for lenient URL path processing for OAuth 2.0 requests was recently removed. Please see the removal notice and the deprecation notice for more details.

2 Likes

Hello @epehrson

Thank you very much for your response. :smile:

I appreciate your input, but I have some doubts regarding the change you mentioned. Here’s why:

  • The request is initiated from a custom UI using “import { requestJira } from ‘@forge/bridge’”. Therefore, I believe that no route wrap is necessary.
  • The identical code functions correctly when the Forge app is deployed in the development environment, even when using the same site.

Could you please provide guidance on how I can further address this issue? Thank you for your assistance.

@takafumiohtake it’s also possible that you ran into ECO-159.

Hi @epehrson

Thanks for providing the additional information. I’ve gone through the issue you shared.

In my application, we utilize both Jira’s and JSM’s scopes.
Would it be possible to apply the workaround to Forge apps?

@takafumiohtake I didn’t realize you had provided a trace ID via screenshot. For the request 6b4a4d57b8db4bb1936f059fbd40c715, the OAuth 2.0 access token you provided had the following scopes manage:jira-configuration manage:jira-project offline_access read:jira-user read:jira-work write:jira-work. The access token is a JWT token, so you can decode it yourself and check.

1 Like

@epehrson

I appreciate your assistance.

Upon decoding the JWT, I discovered that it lacked the “read:servicedesk-request” scope.
After I added and subsequently removed another scope, the “read:servicedesk-request” scope was successfully reflected in our staging environment. Consequently, the issue has been resolved.

2 Likes