Feedback requested: Removing Forge Remote OAuth scopes from the manifest

Summary

We are looking to remove the requirement to declare read:app-system-token and read:app-user-token scopes in the manifest file when enabling OAuth for Forge Remote requests.

Problem

  • These scopes create unnecessary repetition in the manifest, as they must always be defined when Forge Remote OAuth is enabled, but do not provide further functionality or information.
  • read:app-system-token and read:app-user-token differ from other scopes outlined in the permissions section of the manifest as they aren’t real OAuth scopes.

Proposed solution

When enabling OAuth in Forge Remote apps, the read:app-system-token and read:app-user-token scopes do not have to be defined in the manifest.

remotes:
  - key: remote-app-node
    baseUrl: https://forge-remote-refapp-nodejs.services.atlassian.com
    auth:
      appSystemToken:
        enabled: true
      appUserToken:
        enabled: true
    operations:
      - compute
## The following is now optional
permissions:
  scopes:
    - read:app-system-token
    - read:app-user-token

Feedback

We’d be keen to hear your feedback on whether these are changes you’d like to see and if you can see any issues with this change.
