Creating a JSM issue in a Forge Confluence macro?

I’ve got a Forge app that is a Confluence Macro. As part of the macro, I’m trying to create a JSM issue using the api.asApp()requestJira call. I keep getting 403 ‘Forbidden’ errors. Is it possible to create a JSM issue from a confluence macro? This seems like it should be pretty straight-forward. Here are my manifest.yml scopes:

  scopes:
    - manage:jira-configuration
    - write:jira-work
    - read:jira-work

and my forge code to create the issue (which works great in postman). I also printed out the json body, copied it into postman and that worked also:

const createJiraIssue = async () => {
    const requestBody = {
      fields: {
        project: {
          key: "EIP2"
        },
        summary: "Test incident from postman",
        description: "test",
        issuetype: {
          id: "10002",
          name: "[System] Incident"
        }
      }
    };
    console.error('Request body:',  JSON.stringify(requestBody));
    const response = await api.asApp().requestJira(route`/rest/api/3/issue`, {
      method: 'POST',
      headers: {
        'Accept': 'application/json',
        'Content-Type': 'application/json'
      },
      body: JSON.stringify(requestBody)
    });

    if (!response.ok) {
      console.error('Error creating issue:', response.status, response.statusText, response.errorMessages, response);
      return;
    }

    const data = await response.json();
    return {
      id: data.id, // Issue ID
      key: data.key // Issue Key
    };
  };

Maybe you are running into this thing.
Jira Premium Allowlist blocking forge apps:

https://jira.atlassian.com/browse/ACCESS-1442

I do not have the IP allowlists turned on for the site I am developing in. It is, however, a premium site, so the option is there.

I can’t explain your specific error but the guidance about cross-product apps reads:

The Forge platform lets developers build apps that are compatible with multiple products.

However, the Marketplace doesn’t currently support cross-product apps. If your app is compatible with multiple products, you’ll need to create two Forge apps using the same code base, and publish two separate listings on the Marketplace. Note, Forge apps listed on the Marketplace aren’t able to make API calls across different products and instances/installations.

Does Marketplace apply in your case?

Marketplace does not apply in this case. I’m in a development environment in Forge.

I’m able to call the Jira REST API directly from my confluence macro, so that works, I just can’t seem to use the requestJira route call.

@EricKruegerStrataCom,

Ah, I think I know the problem. When you install the app into Confluence, in effect, you have performed an OAuth grant and obtained permission to access Confluence. Even if you have the Jira scopes there, the grant only applies to Confluence; hence, the 403. I think you can also install into the app into Jira, and then have the correct permissions to use requestJira. It’s this “dual install” trick that Marketplace cannot perform.

Ah, I see! Let me give that a try. Too bad about the marketplace, this is an app I’m putting in a confluence macro to integrate with a chat provider. One of the requirements is to create a JSM incident, then pass that incident number over to the provider so that the chat history can be pulled in later. It also records the chat instantiation with the Help Desk. So the only reason I need to publish against Confluence is because it’s referenced inside of a Knowledge Article and the macro is inserted into the Article. This way, they can insert that macro into any KB article that might benefit from a Chat with the Help Desk. I’m not super-familiar with Confluence macros, can a confluence macro call a marketplace app? If so, that might be a good work-around for this issue.

@EricKruegerStrataCom,

Yes, the usage scenario certainly makes sense. A Confluence macro can be a Marketplace app, and a JSM app (even if used only to obtain permissions) can be a Marketplace app also. Hence, the “suggested solution”:

If your app is compatible with multiple products, you’ll need to create two Forge apps using the same code base, and publish two separate listings on the Marketplace.

Even though this possibility exists, you would need to make sure the app has really strong error handling and messaging so that end-users who hit the same problem would be aware their admin must perform 2 installs, not just 1. In short, the user experience for activation is still quite tricky to manage.

Yeah, publishing to both worked. I was a little confused about having ‘two apps’ in the marketplace. The 2nd one is just to get the app permissions scope correct, tying it to Jira instead of Confluence. Good to know in case I want to take this one to the marketplace eventually. Is there anything on the roadmap to address the publishing across multiple apps issue?

Nothing that I can see currently on the Forge roadmap.

What about GraphQL. Will a cross platform query fail if made against the GraphQL endpoint?

@ryan,

To my knowledge, the problem exists in the scopes that are granted by the act of installing a Forge app. For example, an app installed into Jira will only grant Jira scopes, not Confluence ones. And vice versa. So regardless of REST API or GraphQL, the app does not have permissions to access the resources of another product.

I don’t have a good way to confirm this myself but, going by the documentation, the aren’t any exceptions for GraphQL:

Running the forge install command only installs your app onto the selected product. To install onto multiple products, repeat these steps again, selecting another product each time. Note that the Atlassian Marketplace does not support cross-product apps yet.

You must run forge deploy before running forge install in any of the Forge environments.