Calling my permissions api.asUser returns 403

I want to check the project permissions of the current user using mypermission. But when I call this from the backend in resolver.define using api.asUser, I get a 403 response status. Only if I call api.asApp do I get a proper response, but then not for the currently logged-in user. This worked in the past using api.asUser, but the same code does not work anymore. I only updated the Forge CLI. I have defined permissions: scopes: read:permission:jira in the manifest.

{
  code: 403,
  message: 'The app is not installed on this instance'
}

Any idea why I get an HTTP 403 response error for api.getUser(…mypermissions…)?

resolver.define('checkAdminPermission', async ({ payload, context }) => {
  // ...
  // Ask Jira, as the current user, whether they hold ADMINISTER_PROJECTS on the project.
  // https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-permissions/#api-rest-api-3-mypermissions-get
  const response = await api.asUser().requestJira(route`/rest/api/3/mypermissions?projectId=${payload.projectId}&permissions=ADMINISTER_PROJECTS`, {
    headers: { 'Accept': 'application/json' }
  });

  const responseObject = await response.json();

  console.log("Response", responseObject);
  // ...
});

Hi @Holger, are you able to provide me with a traceId for a request or your appId so that I can look into this a bit more?

See screenshot from developer console. One working fine asApp and the above one with 403 asUser.

Environment: Development

Invocation ID: 429fbbd4-3354-45c6-9828-039f9c3256b2

Trace ID: 1012a88b7e94456ba1668513e55884ac-f64d73a523e3f05d

Module: core:function

Function: resolver

Version: 7.23.0

Site: projectroletab-forge.atlassian.net

Product: Jira

Hi @Holger, I had a look at our logs and it seems like for some reason this API wants the classic scope (read:jira-work) and the granular scope that you provided seems to be rejected for 3LO/asUser requests. I can see that you have defined read:jira-work in the past, did you remove it?

Are you able to add read:jira-work to your manifest easily? It will cause a major version bump of your app though. I will follow up with the Jira team that owns the API tomorrow, but this might take some time to turn around as it’s likely that a good chunk of the team is on leave due to the holidays.

Thank you for looking into it! Could you check the permissions used for the current version 2.3.0 in production? Is this using different permissions in the manifest? I cannot see this in the developer console.

Hi @Holger, it seems like this version has the same scopes defined as version 7.

Interestingly, you can install 2.3.0 prod from Marketplace and use it without issue. So I wonder, is the permission scope really the problem?

Hi @Holger, from my end it looks like version 2.3.0 of your app makes API calls using asApp, which works with just the read:permission:jira scope.
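An added example, not code from the thread or from Atlassian: the admin check from the original post, written so that a 403 or any other unexpected reply counts as a denial instead of being retried as the app. `decide`, `checkProjectAdmin` and `requestAsUser` are hypothetical names, the response is assumed to be fetch-style (`status`, `json()`), and in a Forge resolver the path would go through the `route` tag as in the post.

```javascript
const KEY = 'ADMINISTER_PROJECTS';

// Decide from the HTTP status and the parsed body. Anything other than an
// explicit havePermission === true is treated as a denial.
function decide(status, body) {
  if (status < 200 || status > 299) {
    // e.g. the 403 from the thread: the user's permission is unknown, so deny.
    return { allowed: false, reason: `http_${status}` };
  }
  const entry = body && body.permissions && body.permissions[KEY];
  if (!entry || entry.havePermission !== true) {
    return { allowed: false, reason: 'not_granted' };
  }
  return { allowed: true, reason: 'granted' };
}

// requestAsUser is a hypothetical stand-in for
//   (path, opts) => api.asUser().requestJira(route`...`, opts)
// and is assumed to resolve to a fetch-style response (status, json()).
async function checkProjectAdmin(requestAsUser, projectId) {
  // Assumption: project ids are numeric strings; reject anything else.
  if (!/^\d+$/.test(String(projectId))) {
    return { allowed: false, reason: 'invalid_project_id' };
  }
  const query = new URLSearchParams({ projectId: String(projectId), permissions: KEY });
  try {
    const res = await requestAsUser(`/rest/api/3/mypermissions?${query}`, {
      headers: { Accept: 'application/json' },
    });
    return decide(res.status, await res.json());
  } catch (err) {
    // Network error or unparseable body: still a denial, never a fallback to asApp.
    return { allowed: false, reason: 'request_failed' };
  }
}

// Constructed responses for a local run (not captured from a real site).
const stub = (status, body) => async () => ({ status, json: async () => body });
const granted = stub(200, { permissions: { [KEY]: { key: KEY, havePermission: true } } });
const refused = stub(200, { permissions: { [KEY]: { key: KEY, havePermission: false } } });
const forbidden = stub(403, { code: 403, message: 'The app is not installed on this instance' });

checkProjectAdmin(forbidden, '10001').then((result) => console.log(result));
```

The `reason` field lets the resolver log why a check failed (scope rejection versus a user who simply lacks the permission) while the UI decision stays the same in both cases.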

Hello @BoZhang, did you have a chance to discuss with the API team? What did they find out regarding the problem with granular scopes?

Hi @Holger, apologies I did reach out earlier but we didn’t arrive at a conclusion, let me try pick this up again.

In the meantime can you please help me confirm if adding back the classic scope (read:jira-work) to your manifest helps?

Hi @Holger, I tried reproducing this today in order to validate some theories that I had but it seems like I can’t reproduce it. Is it working for you now (without adding back the read:jira-work scope)?

Hello, yes, so when I had my first setup with Atlassian I was supposed to be set up from my Surface Pro, which I no longer have. If you could just give me some advice on how to get my proper setup back, if I have to pay again, because I noticed they had me down as an engineer developer. This was never the case; I was just starting development in mainly web app, but not building software, was not my specialty. It only became a lot harder as I tried to contact anyone, I would be bumped off, and I believe this was happening because my accounts were compromised. But I was the one to submit a bug report to the Android issue tracker. Many times I was contacting and trying to find my platform; I found it was going to my daughter's phone, not mine, and all my backups were going to the household she was living at, what I could from the tracking issue in Android. I am just asking for some assistance to understanding how to fix this, because this is not exactly what I had in mind as far as getting a platform integrated with my work and my data that I had already was on Atlassian and Jira for my other projects that were already going. Can you please help to figure this out? Thank you … Because I am not sure how to get all my work back, as I have tried with the cloud many times, Apple, Microsoft, Google Cloud, and now on a new device that doesn't have an error prone in my browser I tried to create a new account and was brought here. So if I am interrupting the software I apologize, but there were some files that I need back, some personal and some work. Thank you.