Forge apps can now access restricted resources

Hi everyone,

I’m pleased to announce that the bug fix for FRGE-212 has been released. With this change, the system user provisioned for your app will be given the appropriate permissions tied to the scopes defined in the permissions.scopes section of your app’s manifest.

How does the fix affect my app?

Forge apps

Your app will be able to make calls using the asApp() authentication to manage restricted content. For more information, please refer to this page as well as our public ticket.

Connect on Forge apps

Connect on Forge apps can now access restricted REST APIs using JWT authentication. Connect scopes need to be transformed by appending the scope with :connect-jira or :connect-confluence (e.g., WRITE becomes write:connect-confluence). Refer to Migrate an App from Connect to Forge for more information.

What do I need to do?

The scopes won’t be synced automatically. There are several actions you can take to ensure the scopes and their associated permissions are being picked up, depending on the current state of your app.

Syncing Forge apps with existing scopes

You’ll need to do a major version update (i.e., licensing, scope, or egress endpoints changes). The scope changes will take effect when the sites with your apps have installed the upgrade.

Syncing Connect on Forge apps with existing scopes

Due to the changes in how we persist and send lifecycle hooks, we recommend that you do a complete reinstall of your app. Alternatively, if you’re not utilising an uninstall hook then a major version upgrade is sufficient.

New apps, or adding scopes to an existing app

Add the scopes to your manifest and deploy your app. The scopes will be synced with the next installation/upgrade.

Please reply to the thread with any questions or feedback.

13 Likes
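Two bookkeeping helpers for the announcement above, as an added example that is not Atlassian's code and not part of the original post. It assumes the Connect scope vocabulary (READ, WRITE, DELETE, PROJECT_ADMIN, SPACE_ADMIN, ADMIN, ACT_AS_USER) and the ":connect-jira" / ":connect-confluence" suffix rule stated in the post; the manifest reader deliberately understands only the `permissions: scopes:` list shape that appears in this thread, and the sample manifest and install output are constructed.

```javascript
// Added example, not Atlassian's code. Assumptions: the Connect scope names
// below, the suffix rule from the announcement, and a manifest whose
// permissions.scopes is a plain YAML list (quoted or unquoted entries).

const CONNECT_SUFFIX = { jira: 'connect-jira', confluence: 'connect-confluence' };
const CONNECT_SCOPES = new Set([
  'READ', 'WRITE', 'DELETE', 'PROJECT_ADMIN', 'SPACE_ADMIN', 'ADMIN', 'ACT_AS_USER',
]);

// 'WRITE' + 'confluence' -> 'write:connect-confluence'
function toForgeConnectScope(connectScope, product) {
  const suffix = CONNECT_SUFFIX[product];
  if (!suffix) throw new Error(`unknown product: ${product}`);
  const name = String(connectScope).trim().toUpperCase();
  if (!CONNECT_SCOPES.has(name)) throw new Error(`not a Connect scope: ${connectScope}`);
  return `${name.toLowerCase()}:${suffix}`;
}

// Whole Connect scope list -> de-duplicated, sorted Forge scope list.
function connectScopesToForge(connectScopes, product) {
  return [...new Set(connectScopes.map((s) => toForgeConnectScope(s, product)))].sort();
}

// Read permissions.scopes out of manifest.yml without a YAML library.
// Only the list shape used in this thread is handled; other keys under
// permissions (external:, content:, ...) terminate the scope list.
function manifestScopes(manifestText) {
  const scopes = [];
  let inPermissions = false;
  let inScopes = false;
  for (const raw of manifestText.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, '').trimEnd();
    if (line.trim() === '') continue;
    const indent = line.length - line.trimStart().length;
    const text = line.trim();
    if (indent === 0) {                       // any top-level key: app:, modules:, permissions:
      inPermissions = text === 'permissions:';
      inScopes = false;
      continue;
    }
    if (!inPermissions) continue;
    if (text === 'scopes:') { inScopes = true; continue; }
    if (text.endsWith(':')) { inScopes = false; continue; }
    if (inScopes && text.startsWith('- ')) {
      scopes.push(text.slice(2).trim().replace(/^['"]|['"]$/g, ''));   // strip optional quotes
    }
  }
  return scopes;
}

// Compare what the manifest declares with what `forge install` printed under
// "Your app will be installed with the following scopes:". Anything listed in
// notYetInstalled is not granted to the app's system user until the site has
// taken the major-version upgrade, so asApp() calls needing it will be refused.
function scopeDrift(manifestText, installedScopes) {
  const declared = new Set(manifestScopes(manifestText));
  const installed = new Set(installedScopes);
  return {
    notYetInstalled: [...declared].filter((s) => !installed.has(s)).sort(),
    installedButNotDeclared: [...installed].filter((s) => !declared.has(s)).sort(),
  };
}

// Constructed sample input (the app id is a placeholder, not a real identifier).
const SAMPLE_MANIFEST = `
permissions:
  scopes:
    - 'read:jira-user'
    - 'read:jira-work'
    - 'manage:jira-project'
    - 'manage:jira-configuration'
  external:
    fetch:
      backend:
        - 'https://example.invalid'   # not a scope, must be ignored
app:
  id: ari:cloud:ecosystem::app/<your-app-id>
`;
const SAMPLE_INSTALLED = ['read:jira-user'];   // what forge install reported

console.log(connectScopesToForge(['READ', 'WRITE'], 'confluence'));
console.log(scopeDrift(SAMPLE_MANIFEST, SAMPLE_INSTALLED));
```

Run it against your own manifest.yml and the scope list `forge install` prints: a non-empty `notYetInstalled` is the signal that you still need the major-version upgrade (`forge install --upgrade`) before asApp() can use those scopes.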

Hi, we are implementing a Forge app which makes use of the scope manage:jira-configuration for creating Atlassian groups. We are still getting 403, so maybe there is something to fix?

Using asUser works properly but not if asApp is used. See example:


const createdJiraGroupResponse = await api
        .asUser()
        .requestJira(route`/rest/api/3/group`, {
          method: "POST",
          headers: {
            accept: "application/json",
            "content-type": "application/json",
          },
          body: JSON.stringify({
            name: displayName,
          }),
        });

Any help will be appreciated.

1 Like

I’m looking into this. Will get back to you as soon as possible :)

Is the fix deployed in Forge CLI 2.0.6? Trying to get workflows with v3 REST API where I keep getting error 403 with asUser() and asApp().

return await api
        .asUser()
        .requestJira(
            // route is a tagged template; the call form route(`...`) is not the documented usage
            route`/rest/api/3/workflow/search`, {
            headers: {
                accept: "application/json",
            }
        });

In REST API v3 documentation, it says it requires the scope manage:jira-project. Permissions in manifest.yml are:

permissions:
  scopes:
    - 'read:jira-user'
    - 'read:jira-work'
    - 'manage:jira-project'
    - 'manage:jira-configuration'

I’ve tried elevating my user (myself) who is org admin by adding myself to groups administrators, jira-admins and site-admins. Nothing works. I still get error 403.

Calling other v3 end points work. For example, this works:

const meResponse = await api.asApp().requestJira(route`/rest/api/3/myself`);
return (await meResponse.json()).accountId;

It doesn’t work if I install my Forge Custom UI in the dev environment or if I run forge tunnel.

Any help or feedback would be appreciated

Hi Louis,

I tried it with a test app and was able to get 200 with the asApp call.

Have you done a major version upgrade and install to trigger the changes? If you have, and it still doesn’t work then can you share your app ID for me to go look at the logs, please?

1 Like

Hi Cyn,

I’ve started with Forge and the Atlassian developer community about 4 days ago. I created my first Forge app on Monday so I would say that I didn’t do any version upgrade to trigger the changes.

My app id is 636427c5-e365-40b0-984f-6837b28672cc

I would be more than happy to provide you with any other kind of info that can help. For example, I’m having trouble when I do a forge install. It always complains with the following message:

Error: App with appId 636427c5-e365-40b0-984f-6837b28672cc and EnvironmentId 6d0fc8da-8c94-4221-8667-a66ec37e36e4 already installed with id e8170100-17fa-4c41-9726-a62ce608aa03 in context ari:cloud:jira::site/5901c7cf-383d-4205-81e6-08467b2e7731.

I always have to do forge uninstall first, which tells me this:

Error: Failed to uninstall the app from the development environment in Identity on xxxxxx.atlassian.net. Try rerunning the command, or ask for help if you continue to see this error.

Maybe something is wrong with my app in Forge and a side effect is the 403 error. But again, I can call other endpoints and it works.

I just checked the logs for your site and I can actually see the installs/uninstalls as well as the permissions granted to your app to project ID 10000 so it’s really odd that you aren’t able to invoke the endpoint.

Just to double-check, would you be able to go to settings > Connected Apps > View App Details and see what the permissions are in the Authorization tab, please?

For example, mine are like the screenshot

The scopes in my manifest:

permissions:
  scopes:
    - manage:jira-configuration
    - read:jira-work
    - manage:jira-project

As for the error message you received I’ll pass it along to the relevant team. Thanks for your patience :)

Another hypothesis: Is it possible that you weren’t using asApp when calling the endpoint? The code example you provided is using asUser.

As for the problems during upgrade, did you use forge install --upgrade instead of just forge install? Bear in mind that upgrades can only be triggered when there is a major version change. Re-installing will yield the conflicting installation as seen from the example you provided.

I tried to follow the route Settings -> Connected Apps -> View App Details but I couldn’t find such a route from my Atlassian root URL. For example, I’m developing and deploying my Forge app on akpa.atlassian.net. If I go to this URL and click the Settings icon in the top right corner, I have a menu item that says Apps. If I click on Apps, I can click on another menu item on the left that says Manage Apps. In this area, I can simply uninstall my app.

If I go to my profile (Atlassian account), there is a Connected Apps menu item to the left. I then see my app, PaceMkr, with a list of permissions that I can see when I click on a drop-down arrow. I’ve taken the following screenshot of its permissions:

Looking at the permissions, it seems PaceMkr could read workflows. But I’ve got a feeling I’m not looking at the right place. The permissions I’m seeing are not the same as yours.

The permissions in my manifest.yml are the same as yours with two small differences:

  1. They are not in the same order. Could that be a problem?
  2. Mine have single quotes around each permission. Could that be a problem?

Later today, I’ll put my permissions in the same as yours and remove the single quotes. Who knows!

Another interesting fact: when I do forge install, it always prints this on the command line

Your app will be installed with the following scopes:
- read:jira-user

I was wondering if this is a default setting for security reasons. Or should I see the same permissions from my manifest.yml file be displayed here? When I try to access my Forge Custom UI app for the first time, it always asks me to allow access to the app to my Jira project.

Good point about asUser in my initial code example. I did try both but I’ll double-check to make sure. Maybe it was me all along who was just not putting asApp.

As for the forge install --upgrade command, I’ve never tried it as it wasn’t mentioned in the tutorials (remember, I’m doing this for 5 days now). How do I change a major (or minor) version number in a Forge Custom UI app? I’m coming from the Node world where this is easy to do in package.json. Do I do it in manifest.yml? There wasn’t any version field in it when I created my app so I’m guessing it’s elsewhere.

Finally, thank you for being so quick to respond and help me troubleshoot my new Forge Custom UI app.

Louis-Philippe

I tried again by simply changing the orders of my permissions in my manifest.yml file.

I then did forge deploy followed by forge install --upgrade, and I was able to get a status 200 with the REST API call:

const response = await api.asApp().requestJira(route`/rest/api/3/workflow/search`, {
  headers: {
    'Accept': 'application/json'
  }
});

What was weird is that I didn’t get any workflows for my Scrum project. As I had a default board, I checked and there was a workflow. But the call above returned nothing. I did try asUser and asApp.

I tried with an older API version to get the board only, without the workflow, and I got a status 403.

    const response = await api
        .asUser()
        .requestJira(
            // tagged-template form, and ${projectKey} (not {$projectKey}) so the key is interpolated
            route`/rest/agile/1.0/board?projectKeyOrId=${projectKey}`, {
            headers: {
                accept: "application/json",
            }
        });

When I do forge deploy, I’m under the impression my minor version gets incremented automatically. Is that right? When I do a forge install --upgrade, I always get the following error message in red in the console:

Error: The latest version of the app is already installed on the site: {version: 8.9.0, isLatest: true}

I’m kind of wondering if forge deploy is enough when we do minor versions. Any guidance on this would be appreciated.

So I think my initial question was solved but I don’t really know how it got solved.

If you have insights @Cyn on how come I don’t get any workflows back from my call above, I would appreciate it. I’m trying to get the list of boards linked to the project my Forge Custom UI app is currently in. In the v3 Jira REST API, it seems the way to go is through the workflows which contain the boards. Would you know which endpoint to call to get those?

Louis-Philippe
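The board call in the post above interpolates a project key into the request path, which is exactly where the tagged-template form of `route` matters: the tag URL-encodes each interpolated value, whereas `route(\`...${x}\`)` hands over an already-concatenated string. The following is an added example, not code from @forge/api or from the post's author: `route` here is a minimal re-implementation of that encoding behaviour written for illustration (use the real @forge/api `route` in an app; whether the real one rejects the call form is not something this thread states), and the Jira client is a constructed fake standing in for `api.asApp()` / `api.asUser()` that parses the query string the way a server would, so a smuggled parameter becomes visible.

```javascript
// Added example, not @forge/api code. Assumptions: `route` is a toy re-implementation
// of a URL-encoding tagged template; fakeClient and CONSTRUCTED_BOARDS are constructed.

function encodeRouteValue(value) {
  if (value === undefined || value === null) {
    throw new TypeError('route value is missing');
  }
  if (Array.isArray(value)) return value.map(encodeRouteValue).join(',');
  return encodeURIComponent(String(value));
}

function route(strings, ...values) {
  // With route(`...${x}`) the template is already a plain string: x was
  // concatenated before we ran, so nothing is left to encode. Refuse loudly.
  if (!Array.isArray(strings) || !Array.isArray(strings.raw)) {
    throw new TypeError('use route as a tagged template: route`/path/${value}`');
  }
  let out = strings[0];
  for (let i = 0; i < values.length; i += 1) {
    out += encodeRouteValue(values[i]) + strings[i + 1];
  }
  return out;
}

// Constructed stand-in for api.asApp() / api.asUser(); both expose requestJira.
const CONSTRUCTED_BOARDS = [
  { id: 1, name: 'PM board', projectKey: 'PM' },
  { id: 2, name: 'OPS board', projectKey: 'OPS' },
];

const fakeClient = {
  async requestJira(path, init = {}) {
    const url = new URL(path, 'https://example.invalid');   // base only makes parsing possible
    if (url.pathname !== '/rest/agile/1.0/board') {
      return { ok: false, status: 404, async json() { return { errorMessages: ['Not found'] }; } };
    }
    const key = url.searchParams.get('projectKeyOrId');
    const maxResults = Number(url.searchParams.get('maxResults') ?? 50);
    const values = CONSTRUCTED_BOARDS.filter((b) => b.projectKey === key).slice(0, maxResults);
    return { ok: true, status: 200, async json() { return { maxResults, values }; } };
  },
};

// The board lookup from the thread, with the project key going through the tag.
async function boardsForProject(client, projectKey) {
  const res = await client.requestJira(
    route`/rest/agile/1.0/board?projectKeyOrId=${projectKey}`,
    { headers: { accept: 'application/json' } },
  );
  const body = await res.json();
  if (!res.ok) {
    return { status: res.status, errors: body.errorMessages ?? [], boards: [] };
  }
  return { status: res.status, maxResults: body.maxResults, boards: body.values };
}

// Same lookup with the key concatenated into the string, which is what
// route(`...${projectKey}`) amounts to: the key can smuggle extra query parameters.
async function boardsForProjectUnsafe(client, projectKey) {
  const res = await client.requestJira(
    '/rest/agile/1.0/board?projectKeyOrId=' + projectKey,
    { headers: { accept: 'application/json' } },
  );
  const body = await res.json();
  return { status: res.status, maxResults: body.maxResults, boards: body.values };
}

// A project key that tries to add its own maxResults parameter.
boardsForProject(fakeClient, 'PM&maxResults=1').then((r) => console.log('encoded:', r));
boardsForProjectUnsafe(fakeClient, 'PM&maxResults=1').then((r) => console.log('concatenated:', r));
```

With the tag, the fake server sees a single `projectKeyOrId` of `PM&maxResults=1` and matches no board; with concatenation it sees `projectKeyOrId=PM` plus a caller-controlled `maxResults=1`. In a Forge app the project key usually comes from context rather than from user input, but the same rule applies to any value an end user can influence, which is why the fix to the posted snippet uses `route\`...${projectKey}\`` rather than `route(\`...\`)`.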

So I’m playing along with my code and I finally managed to get /rest/api/3/workflow/search to work. I did not change the permissions in manifest.yml and I did not do forge deploy and forge install --upgrade.

I got my workflow returned only when I used asUser. If I use asApp, I got this message when running forge tunnel (I took a screenshot)

So I’m back at square one I guess. The title of this post was that Forge apps can access restricted resources. Not for me when I use asApp.