Auth with the credentials of a specific user?

Hi there,

I am wondering if it is possible to call Product Fetch APIs with a specific user’s credentials?
This documentation says that we can only use it with .asApp() or .asUser(), but the former uses the default system user, the latter uses the currently logged in user.
Neither of the two approaches does what I want - I’d like to use a specific user (ideally a technical user specifically created for the app or something like that) that has special access (e.g.: can access JIRA projects that the default system user or the currently logged in user does not).

Is there a way to do this?
I am also open to approaches other than the Product Fetch API.

Thanks,
Arpad

@ArpadKiraly,

No. Currently, your App cannot decide who it wants to impersonate.

Thank you for the quick response, @ibuchanan!
Is there any plan to introduce that feature in Forge in a foreseeable roadmap / future?

@ArpadKiraly,

I pretty much rely on the public roadmap, like everyone else:

Clicking through to the Trello board, we are aware this is possible with Connect but not Forge; hence, “User impersonation for Connect-on-Forge apps” for “Future” (no estimated date but looks like a quarter or more). Hopefully, that gives us the primitive you need.

That said, there’s a lot more to your scenario. I wonder if what you want to do could be accomplished some other way. Specifically, the Forge auth docs explain:

The asApp() function authenticates with the Atlassian products using a system user dedicated to your app. The system user is only a member of the default user group. This means the system user is not able to access private data such as Jira projects or Confluence spaces that are not visible to the default user group.

Have you tried manually managing that app-specific user’s permissions? I would start with just seeing what is possible in the UI before trying to get the App to escalate its own permissions, which is unlikely to be possible now. Indeed, I think this is the critical leg of your problem, not so much the user impersonation. Generally, I think our security team would frown on the kind of escalation you are suggesting your App needs.

Hi @ibuchanan

Thanks for the information! I really appreciate all your responses so far.
Sorry about the newbie questions, I am new to Forge development and still picking up the basics.

Thank you for the link to the Forge platform roadmap, I’ll be sure to follow it in the future.

Have you tried manually managing that app-specific user’s permissions? I would start with just seeing what is possible in the UI…

I am not sure what you mean by this. If by “UI” you mean the developer console, I did look at the Permissions section there, but to the best of my knowledge 1) you can only view app scopes defined in the manifest file 2) it only works once your app is in production, and this app is not yet in production.

I did add the necessary scopes to the manifest file, then deployed and installed the app - but that does not solve the problem.

To provide you more context, the goal of the App is the following:

  • I want to show aggregated, transformed metrics data from ALL Jira projects and/or ALL Confluence spaces to ALL users who use the App. Even if the user of the App does not have access to all Jira projects and Confluence spaces.
  • In other words, the App needs to access ALL Jira projects and/or ALL Confluence spaces - hence my idea to make it run under a specific account that does have access to all of these resources. Once the data is fetched, the App would aggregate the data and only show specific, transformed data to the Users.
  • A simple example: any user of the App can view the total number of Jira bugs on the Jira site (the sum also includes the number of Jira issues the App user has no access to).

I have not found a way to do that with scopes in the manifest file.

Any ideas? I appreciate any pointers towards a possible solution.

Thank you,
Arpad

@ArpadKiraly,

Thanks for elaborating your app requirements. Against those requirements, I think there are 2 fundamental problems. First, your App cannot know if it has access to ALL projects/spaces. Second, your App cannot directly automate its own escalation to make sure it has access to ALL projects/spaces. Indeed, this is fundamental to the permission models of Jira & Confluence. Even admins have those 2 “problems”. Both products might be “open by default” but they give full control to admins to lock anyone out of projects/spaces, including other admins and apps.

Hence, my suggestion about manipulating permissions in “the UI” was a “next best thing”. The UI to which I was referring was the Jira admin UI. And as a next best thing, this approach would require admin intervention. Since I don’t think it will be possible for your App to escalate itself, I was wondering if at least an admin could be told to add the app to all groups so it will have access to ALL projects. I don’t have a Forge App handy to test so I can’t check to see if Forge behaves like Connect.

Hi @ibuchanan ,

Thanks for the information again!

You are right. I oversimplified my scenario a bit for the sake of keeping my previous response brief. To be clear, it is completely okay for the App to not have access to ALL projects/spaces, but only have access to those projects and spaces it is provided access to. The key is that I want it to have access to more projects and spaces than the logged in App user has access to.

Also, I am not insisting on the App having to elevate its access rights at runtime - it was a desperate workaround I was looking at because I did not find any other working solution.

Ideally, the App should be given the access to those projects and spaces by an admin. However, I currently see no solution to that.

I created a quick hello-world-app to demonstrate this, see a screenshot below.

As you see, on the Administration UI it is possible to set the scopes for the App, but it is not possible to change that it can only act on behalf of the logged in user (highlighted with yellow).

Following your recommendation, I looked all around on the Administration UI, but I found no way to add the App to any groups at all.

If you could provide any pointers on this matter, I’d really appreciate it!
For example, if you could provide a screenshot of how you do that with Connected Apps, then I could check if I can do the same with a Forge App.

@ArpadKiraly,

Thanks for researching along with me. I confirm. Whatever I remember being possible with Connect Apps is no longer. I can only conclude that, currently, there is no way to escalate (or isolate) the privileges of an App. I’ll raise the feedback inside Atlassian.

@ibuchanan
Thank you for confirming and raising the feedback inside Atlassian!
Hope to see some feature related to this in the future. 🙂