Forge app stuck in configure access loop

Hi,

Have been developing a globalPage app since November last year.
This morning I got stuck in a problem where I cannot get passed the “Configure access” request. It basically looks like this:

  1. I try opening the app and get the prompt to “configure access”
  2. I click the “Configure access” but and a new tab opens but shortly after, the app is “reloaded” on that tab and again prompts to “Configure access”.
    If I run “forge tunnel” I can see in the following in the backend log:
invocation: ac7435aa7dc9b60e index.handler
INFO    16:18:31.337  ac7435aa7dc9b60e  getServerInfo
ERROR   16:18:31.339  ac7435aa7dc9b60e  getDataFromJira error, url {
  message: 'Authentication required',
  name: 'NEEDS_AUTHENTICATION_ERR',
  status: 401,
  serviceKey: 'atlassian-token-service-key'
} /rest/api/3/serverInfo
ERROR   16:18:31.339  ac7435aa7dc9b60e  [NEEDS_AUTHENTICATION_ERR: Authentication required] {
  serviceKey: 'atlassian-token-service-key'

Which indicates that I really need to “configure access” - but I cannot find any way to do that since the app “loops” back to “configure access” all over again and again.

I’ve tried with both the slightly old Forge 2.1.0 and the new 3.0.0. Same problem.
So need help! Ideas anyone?

Thanks,
Fredrik

Hi @freatt, thank you for reaching out.
How did you implement Jira request? Are you using asApp()/asUser() request? Did you follow this guide?
https://developer.atlassian.com/platform/forge/runtime-reference/product-fetch-api/
Please have in mind that there is a need to set up permissions scope in your manifest:
https://developer.atlassian.com/platform/forge/manifest-reference/permissions/
Hope it helps, best regards.

Hi,

We’re using asUser() and are following the guides.
Using the following scopes:

  scopes:
    - storage:app

Please note - this has been working just fine for months, it is just now that we no longer can deploy this freshly. I did a cleanup on my Jira cloud instance and tried registering and deploying from scratch and can no longer get the app authorized. My colleague kept using the same just fine on his dev site.

So I did some testing. Creating a fresh global page app calling Jira “asUser” to get some issue data and I noticed that it requests authorization with a slightly different “prompt” - see this screenshot.

Note how to top part shows the “prompt” which if I click it takes me into a loop, while to bottom part shows the prompt that if I click it takes me to a proper authorization page which works.

Thanks,
Fredrik

This resembles a similar problem that we see with external-auth: OAuth2 authorization flow no longer working

A macro that requires credentials:

Opens an auth window with the exact same:

1 Like

Hi @freatt and @g.j.streek, we noticed problems with authentication in Forge. I requested the relevant team to resolve this issue. Thank you for reporting it.

Hi @AdamSuchcicki

After a couple of days struggling getting our app deployed, installed and the access accepted I was finally able to do it.

By re-adding this following in the manifest.yml I’m not able to get the correct “Allow Access” prompt again:

  scopes:
    - read:jira-work

forge lint complains about this:

24:6    warning  There are deprecated scopes 'scopes' in the manifest.yml file: 'read:jira-work'. You need to update this app to use new scopes and remove the deprecated scopes. Learn more at: https://go.atlassian.com/forge-permissions.  valid-permissions-required

⚠ 1 issue (0 errors, 1 warning)
  Issue found is not automatically fixable with forge lint.

On https://go.atlassian.com/forge-permissions this scope is listed:

read:jira-work	Read project and issue data, and search for issues and objects associated with issues, such as attachments and worklogs.

So is forge lint broken?
Clearly, the scope is required to allow read access to Jira issues etc…
Also, the thing with the old “Configure Access” prompt is a bug.

Do you have an FRGE issue for this or should I create one?

Thanks,
Fredrik

He @freatt
One of our teams is working to release granular scopes as soon as they can so that warning becomes relevant but for now that scope is still valid.

For more information

Hi @freatt just wanted to note for yourself or anyone else encountering the “configure access” prompt that we’re tracking this issue internally and hope to have a fix soon. In the mean time, another workaround for this issue should be to manually revoke access to the app from the user’s Connected Apps page.

Hi @ChrisWilliams What exactly is the “connected apps” page and how would I revoke the access?
Are you referring to “Apps > Manager Your Apps” or something else?
This is a Forge app - not built with “Connect”.

The problem was that the app never got the access accepted - it got stuck in that loop…
Anyhow, by going back to the old scopes (as discussed above) I’ve been able to get the app “accepted” and on with development …

Thanks,
Fredrik

The “Connected Apps” page referenced is under User Icon > Account settings > Connected Apps
https://id.atlassian.com/manage-profile/apps

1 Like

Thanks for the pointer @TOrionWilmerding

Interestingly a very anonymous list of “Connected Apps”…

By the timestamps I can make educated guesses but would be nice if there is a way of showing an application name? Or did I miss some setting in e.g. the manifest for the Forge app(s)?

Thanks,
Fredrik

@freatt looks like we’re in the same boat :slight_smile:
Not sure knowing which connection is which because I’m not sure what revoking the connection is supposed to do.
I still was stuck in the refresh page on attempted Configure Access loop even after going scorched earth and revoking all “Atlassian third party account access”, removing and reinstalling the app.

Apologies for the confusion @freatt and @TOrionWilmerding - Connected Apps under the account settings as @TOrionWilmerding linked is the page I was referring to. Revoking all accounts should be safe as the apps in question should request access again next time you use them.

If it’s still stuck in a loop, I would suggest updating Forge CLI to the latest version npm install -g @forge/cli@latest (as of today, 4.0.0 is the latest) and running forge lint --fix which should bring in the new required scopes instead of the ones to be deprecated. You may need to revoke access again to get it to work.

In the mean time, we’ve identified a fix which we should be rolling out shortly. This should remove the need to revoke access. Apologies for the delay on this.

The fix is now rolled out. We expect the issue to be fixed without the above quick fix.

If anyone is still facing this issue please let us know.

Hi,

I’ve upgraded to forge 4.0.0.
Our app works fine, but we still get the warnings about the deprecated scopes and running forge lint --fix does nothing, which is expected given that the warning states that…:

24:6    warning  There are deprecated scopes 'scopes' in the manifest.yml file: 'read:jira-work, read:jira-user'. You need to update this app to use new scopes and remove the deprecated scopes. Learn more at: https://go.atlassian.com/forge-permissions.  valid-permissions-required

⚠ 1 issue (0 errors, 1 warning)
  Issue found is not automatically fixable with forge lint.

Thanks,
Fredrik

great. much appreciate.