Cannot get cloudid for site while implementing OAuth 2.0

I’m implementing OAuth 2.0. In the first step I get the access code in my callback URL, and using that access code I get the access_token in step 2. Now in step 3, "Get the cloudid for your site", I’m passing the access_token but in response I’m getting 200 OK with an empty response. Not sure what’s missing. Please help me out.

Thanks

Hi @MikeDev ,

I’m not sure why you’re getting an empty response. I just ran a test and was receiving back content when calling the https://api.atlassian.com/oauth/token/accessible-resources endpoint.

Are you actually getting an empty response or is the response {} which would mean the app is not privileged to access any sites, possibly because the grant has been revoked. Maybe try going back to the step of getting the authorization code, getting new tokens and then retrying the accessible resources endpoint again.

Are you able to provide any additional details?

Regards,
Dugald

I’m getting the response { }. You said above this would mean that the app is not privileged to access any sites.

My question is: should the app be a JIRA app only (Jira Cloud, Jira Server, etc.)?

Actually I’m trying to implement JIRA OAuth 2.0 in my web application (not a JIRA app), so that a JIRA cloud site user can log in to my web application without creating a user account. If I’m doing anything wrong please correct me.

Thanks

To clarify, the guide at https://developer.atlassian.com/cloud/jira/platform/oauth-2-3lo-apps/ relates to calling the Jira REST API using OAuth 2.0 (3LO) authentication.

When I said:

> the app is not privileged to access any sites

I meant any Jira sites - not your site (or web application).

Are you doing the following:

  1. Create a 3LO grant for the user by directing them to https://auth.atlassian.com/authorize?audience=
  2. Check the above flow results in an authorization code being returned (assuming the user proceeds through the flow, selecting a Jira site and granting the app permission).
  3. Get a refresh token and access token by sending a POST request to https://auth.atlassian.com/oauth/token with the authorization code received above.
  4. Get the cloud ID by sending a GET request to https://api.atlassian.com/oauth/token/accessible-resources (with the access token for auth)

Regards,
Dugald

Yes, I’m following the above steps as you mentioned.

Let me explain what I’m doing so that you will get a clearer idea of my situation. I have a web application and I’ve created a JIRA Connect App. That Connect app uses the JIRA cloud API and my web application API to perform some functionality which my web application offers. Now I want users of a JIRA cloud site which has installed the Connect app to also be able to directly access my web application using JIRA OAuth 2.0. For that I’m trying to implement the flow below.

@dmorrow Hello, did you get any chance to see my above reply? I’m kinda stuck, need direction.

Thanks

Hi @MikeDev ,

Your diagram looks like the authorization code grant flow, but your “Login with Jira” step should probably be renamed to something like “Authorize app” since it will take the user through a flow that gets their authorization for your app to make REST API calls using OAuth 2.0 authorization to a Jira tenant that the user selects within the flow.

Your diagram also omits the call to the Authorization server to get the tenants (Cloud IDs) that the user has granted the app access to. From your first query, this is the call that is returning {} rather than a JSON structure containing the Cloud IDs that you need in order to construct URLs to invoke the Jira API.

If this is what you are doing, then I don’t understand why the call to get the Cloud IDs is empty.

I am hoping that my explanation above might help align us and identify what’s going wrong. Alternatively, is it possible for you to provide a very simple version of your code that reproduces the problem in the form of a Glitch App (glitch.com)?

Regards,
Dugald

Hello @dmorrow,

I’m making the call to the authorization server to get tenants (Cloud IDs). Under the developer console I opened the OAuth 2.0 Integration that I created before. For that integration, under the ‘Authorization’ option I can see 3 ‘authorization URLs’:

  1. User identity API authorization URL with scope=read:me read:account

  2. Jira Service Management API authorization URL with scope=read:servicedesk-request manage:servicedesk-customer write:servicedesk-request read:servicemanagement-insight-objects

  3. Jira platform REST API authorization URL with scope=read:jira-user read:jira-work manage:jira-project manage:jira-configuration write:jira-work manage:jira-webhook manage:jira-data-provider

So today I tried all three URLs and in return I only got a response from the 3rd URL: I got the tenant (Cloud ID) that the user has granted the app access to. Initially I was using the 1st URL for authorization; that’s where I’m getting the empty response { }. So if I’m right, then I have to use the third authorization URL for my OAuth scenario?

Thanks

Hi @MikeDev ,

Regarding the 3 authorization URLs you are seeing, the only difference between them is the scopes (i.e. scope query parameter value).

The Identity API is not bound to a site so only including the identity scopes will not result in any sites being returned when calling https://api.atlassian.com/oauth/token/accessible-resources.

Presumably, the authorization URL containing the Jira Platform scopes returned a cloud ID because when you consented to the app, you selected a site which included Jira Platform.

However, I’m not sure why the Jira Service Management authorization URL did not lead to any sites being returned when calling https://api.atlassian.com/oauth/token/accessible-resources. When you consent to the app, the site selection dropdown should contain sites that contain products that use at least some of the scopes in the authorization URL so after selecting one and finishing the consent flow, the call to .../accessible-resources should have returned the site.

Regards,
Dugald

Hello @dmorrow,

First of all I have to thank you for the help you have provided so far for all my queries.

When I’m trying the Jira Service Management authorization URL I’m getting the error “You don’t have an Atlassian Jira Service Management site to connect”.

I have one query: can we create and manage OAuth 2.0 integrations through an API instead of using the developer console interface?

Thanks

Hi @MikeDev ,

> First of all I have to thank you for the help you have provided so far for all my queries.

Happy to help :slight_smile:

> When I’m trying Jira Service Management authorization URL I’m getting the error “You don’t have an Atlassian Jira Service Management site to connect”

You might like to create a new site that includes Jira Service Management by visiting https://go.atlassian.com/cloud-dev.

> I have one query, can we create and manage OAuth 2.0 integrations through API instead of using developer console interface?

There’s no API that allows OAuth 2.0 (3LO) apps to be created or permissions added to them - this must be done via the Dev Console UI. The exception to this, however, is the section of the UI within the “Authorization” tab, titled “Authorization URL generator”, since the URLs it provides can be programmatically built by your app.

Regards,
Dugald
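The two points from the replies above (identity-only scopes are not bound to a site, and the authorization URL can be built programmatically) can be shown together. This is an added example, not code from the thread or from Atlassian. The query parameters follow the 3LO guide linked above, the response shape (a JSON array of sites with `id` and `url`) is an assumption based on that guide, and the helper names, client ID and sample response are constructed placeholders.

```python
import json
import secrets
from urllib.parse import urlencode

AUTHORIZE_ENDPOINT = "https://auth.atlassian.com/authorize"
# Identity scopes named in the thread; they are not bound to any site.
IDENTITY_SCOPES = {"read:me", "read:account"}


def build_authorize_url(client_id, redirect_uri, scopes, state=None):
    """Return (url, state); store state in the user's session for the callback."""
    state = state or secrets.token_urlsafe(32)  # unguessable, ties callback to session
    query = urlencode({
        "audience": "api.atlassian.com",
        "client_id": client_id,
        "scope": " ".join(scopes),
        "redirect_uri": redirect_uri,
        "state": state,
        "response_type": "code",
        "prompt": "consent",
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}", state


def state_matches(expected, received):
    """Constant-time check of the callback's state against the stored value."""
    if not received:
        return False
    return secrets.compare_digest(expected.encode(), received.encode())


def site_bound_scopes(scopes):
    """Scopes that can make accessible-resources list a site (empty = expect no sites)."""
    return [s for s in scopes if s not in IDENTITY_SCOPES]


def cloud_ids(accessible_resources_body):
    """Map cloud ID -> site URL from an accessible-resources response body."""
    data = json.loads(accessible_resources_body or "[]")
    if not isinstance(data, list):  # e.g. the "{}" reported in the thread
        return {}
    return {site["id"]: site.get("url") for site in data if "id" in site}


# Constructed sample response; the ID and site URL are placeholders.
SAMPLE_BODY = json.dumps([{
    "id": "00000000-0000-0000-0000-000000000000",
    "name": "example-site",
    "url": "https://example-site.atlassian.net",
    "scopes": ["read:jira-user", "read:jira-work"],
}])
```

Calling `site_bound_scopes` before redirecting the user makes the empty-result case visible up front: if it returns an empty list, the later accessible-resources call has no site to return.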