Forge and OAuth in the same App

Hi, I’m a bit confused about how things are designed here at Atlassian.
Can a single app be as well a Forge app shown into the Atlassian products UI and an OAuth app that will allow users to grant access to their Jira account? It looks like it’s not doable in the Developer Console? If so, should we build 2 separate applications, one Forge for the UI and a second one to connect users with OAuth and allow us making Rest API calls from our backend?

Hi @JeanBaptisteArmanet ,

If you need to add to Jira UI, you’ll have to use Forge because OAuth 2.0 (3LO) apps don’t support extending product UIs. Can you clarify why you believe Forge on its own can’t meet the needs of your app development.

Regards,
Dugald

Hi @dmorrow , thanks,
I can describe our typical use: we build a browser-based screen recording app, so users signup for our product and can add an integration to their helpdesk like Jira Service Management.
We need to do 2 things:
The first is to display a few buttons into every Jira Issue (“Ask the user for a recording”, “Send a recording” etc.), that will insert recording links into their conversation. It will also display the last videos from this user if needed.
The second thing we need to do happens behind the scene, when a user records a video, once the video has been processed a few seconds later, we need to post it (not the video file itself but a screenshot and a link) into the conversation: that is where we need a REST access to the API, so our backend can post it at the right place in the conversation flow.

Does it help understand our use case?
And that is where I was wondering if we had to think it as 2 different apps, or if there was any trick to handle those 2 needs from the same app…

Hi @JeanBaptisteArmanet ,

Thanks for the explanation. I am hopeful Forge will support your needs. For the display of the buttons, your Forge app will have to declare a panel for display within the Jira UI. Since your UI is quite simple, you could use either UI kit (beta) or Custom UI. Developing it using UI kit will probably be simpler. For the second part where your app needs to post the the video info to Jira, your Forge app could define a webtrigger that your video recording backend invokes. The webtrigger can then do some kind of validation of the request and then call the Jira API to post the information. e.g. api.asApp().requestJira(...).

Here are a couple of relevant documentation links for the last part:

Hopefully this helps.

Regards,
Dugald

1 Like

Hi @dmorrow , sounds like it’s the right way to go indeed, thank you a lot for that tip :slight_smile: we’re still discovering Atlassian logic!

May I ask if the fetch api.asApp() can post a new comment into a Request? Sounds like there is no such endpoint in the doc: https://developer.atlassian.com/cloud/jira/service-desk/rest/api-group-request/#api-rest-servicedeskapi-request-get

Hi @JeanBaptisteArmanet

Forge apps should be able to create request comments using POST /rest/servicedeskapi/request/{issueIdOrKey}/comment using api.asApp(), however, note that the comment will appear as if it were made by your app.

Regards,
Dugald

Thanks a lot @dmorrow :+1:

Hi @JeanBaptisteArmanet ,

I just came across this topic which indicates there could be an issue at the moment relating to the invocation of the JSM REST API from Forge apps using api.asApp(). If you observe a similar issue, you may like to follow that topic to keep up to date.

Regards,
Dugald

Hi @dmorrow thanks for that tip.
About the topic of this question, I just discovered I could not display - yet - Forge apps for anonymous users Request forms. That means that I should make a Connect app.

So, the same question as before: would you have any good-practice to share with me about doing what I want to achieve with a Connect app? It’s about getting an API access from our backend to be able to post processed video links as a new comment into the requests?

Hi @JeanBaptisteArmanet ,

Connect is more mature and is likely to be a safer bet in the short term. With Connect, you could have the descriptor include the following so that your app can make user impersonation REST API calls from its backend without needing to have any direct user interaction in the context of the REST API call. This would allow the video processing to happen asynchronously, but with the comment appearing from the user that originally triggered the interaction. You would just have to pass around the account ID of the user to the asynchronous process where the API call is being made.

"authentication": {
    "type": "jwt"
  },
  "scopes": [
    "read",
    "write",
    "act_as_user"
  ]

See also:

Regards,
Dugald

Hi @dmorrow excellent, thanks, I think I’m seeing the light now! :slight_smile:
So, am I right to say that once the app will be loaded into the browser, the Connect app will be able to exchange the JWT for an OAuth Token, then my backend will be allowed to make REST calls with this OAuth token within the next 15 minutes (or any other expiry time)?
I think this will do the job for 99% of usecases… However as the doc raises a Token Expiration topic, we need to handle that case, but I don’t see any refresh-token in the docs, will there be an undocumented refresh-token? or do we need to ask for it at first Oauth access token request?

@JeanBaptisteArmanet If I understand what you want to achieve, it can be done quite simply:
Use https://bitbucket.org/atlassian/atlassian-connect-express/src/master/ , and read the README on " How to send a signed outbound HTTP request back to the host".

For posting, you’d probably don’t need the "act_as_user" scope, as posting the video link can be done by your app. You can reference the accountId of the user if necessary. In this way you use less scopes.

1 Like

Hi @marc thanks,
Okay I see, you may refer to the part where the httpClient is built with the clientKey → all I need to do then is to keep that clientKey in a safe place, ready to use when the backend will need it to make an asynchronous post to the Rest API. Right?
About this example, I understand that it works with a lot a wiring done behind the scene with the ACE toolkit for Node+Express. Is that possible to achieve the same results with PHP and Guzzle for example? (with more manual work obviously).

@JeanBaptisteArmanet The clientKey is provided as part of the install procedure of the addon. In principle you can use php for setting up the calls. I would look for an open source lib which supports php. I believe there are, but I have no experience with them.

1 Like