Forge apps can now access restricted resources

Hi everyone,

I’m pleased to announce that the bug fix for FRGE-212 has been released. With this change, the system user provisioned for your app will be given the appropriate permissions tied to the scopes defined in the permissions.scopes section of your app’s manifest.

How does the fix affect my app?

Forge apps

Your app will be able to make calls using the asApp() authentication to manage restricted content. For more information, please refer to this page as well as our public ticket.

Connect on Forge apps

Forge on Connect apps can now access restricted REST APIs using JWT authentication. Connect scopes need to be transformed by appending the scope with :connect-jira or :connect-confluence (e.g., WRITE becomes write:connect-confluence). Refer to Migrate an App from Connect to Forge for more information.

What do I need to do?

The scopes won’t be synced automatically. There are several actions you can take to ensure the scopes and their associated permissions are being picked up, depending on the current state of your app.

Syncing Forge apps with existing scopes

You’ll need to do a major version update (i.e., licensing, scope, or egress endpoints changes). The scope changes will take effect when the sites with your apps have installed the upgrade.

Syncing Connect on Forge apps with existing scopes

Due to the changes in how we persist and send lifecycle hooks, we recommend that you do a complete reinstall of your app. Alternatively, if you’re not utilising an uninstall hook then a major version upgrade is sufficient.

New apps, or adding scopes to an existing app

Add the scopes to your manifest and deploy your app. The scopes will be synced with the next installation/upgrade.

Please reply to the thread with any questions or feedback.

13 Likes

Hi, we are implementing a Forge app which makes use of the scope manage:jira-configuration for creating Atlassian groups. We are still getting 403, so maybe there is something to fix?

Using asUser works properly but not if asApp is used. See example:


import api, { route } from '@forge/api';

// Creates a Jira group. This call succeeds with asUser(); the same call with asApp() returned 403.
const createdJiraGroupResponse = await api
  .asUser()
  .requestJira(route`/rest/api/3/group`, {
    method: "POST",
    headers: {
      accept: "application/json",
      "content-type": "application/json",
    },
    body: JSON.stringify({
      name: displayName, // name of the group to create
    }),
  });

Any help will be appreciated.

1 Like

I’m looking into this. Will get back to you as soon as possible :slight_smile:

1 Like

Is the fix deployed in Forge CLI 2.0.6? Trying to get workflows with v3 REST API where I keep getting error 403 with asUser() and asApp().

import api, { route } from '@forge/api';

// route must be used as a tagged template literal (route`...`), not called as a function.
return await api
  .asUser()
  .requestJira(route`/rest/api/3/workflow/search`, {
    headers: {
      accept: "application/json",
      "content-type": "application/json",
    },
  });

In REST API v3 documentation, it says it requires the scope manage:jira-project. Permissions in manifest.yml are:

permissions:
  scopes:
    - 'read:jira-user'
    - 'read:jira-work'
    - 'manage:jira-project'
    - 'manage:jira-configuration'

I’ve tried elevating my user (myself) who is org admin by adding myself to groups administrators, jira-admins and site-admins. Nothing works. I still get error 403.

Calling other v3 endpoints works. For example, this works:

const meResponse = await api.asApp().requestJira(route`/rest/api/3/myself`);
return (await meResponse.json()).accountId;

It doesn’t work if I install my Forge Custom UI in dev environment or if I do Forge tunnel.

Any help or feedback would be appreciated.

Hi Louis,

I tried it with a test app and was able to get 200 with the asApp call.

Have you done a major version upgrade and install to trigger the changes? If you have, and it still doesn’t work then can you share your app ID for me to go look at the logs, please?

1 Like

Hi Cyn,

I’ve started with Forge and the Atlassian developer community about 4 days ago. I created my first Forge app on Monday so I would say that I didn’t do any version upgrade to trigger the changes.

My app id is 636427c5-e365-40b0-984f-6837b28672cc

I would be more than happy to provide you with any other kind of info that can help. For example, I’m having trouble when I do a forge install. It always complains with the following message:

Error: App with appId 636427c5-e365-40b0-984f-6837b28672cc and EnvironmentId 6d0fc8da-8c94-4221-8667-a66ec37e36e4 already installed with id e8170100-17fa-4c41-9726-a62ce608aa03 in context ari:cloud:jira::site/5901c7cf-383d-4205-81e6-08467b2e7731.

I always have to do forge uninstall first, which tells me this:

Error: Failed to uninstall the app from the development environment in Identity on xxxxxx.atlassian.net . Try rerunning the command, or ask for help if you continue to see this error.

Maybe something is wrong with my app in Forge and a side effect is the 403 error. But again, I can call other endpoints and it works.

I just checked the logs for your site and I can actually see the installs/uninstalls as well as the permissions granted to your app to project ID 10000 so it’s really odd that you aren’t able to invoke the endpoint.

Just to double-check, would you be able to go to settings > Connected Apps > View App Details and see what the permissions are in the Authorization tab, please?

For example, mine are like the screenshot

The scopes in my manifest:

permissions:
  scopes:
    - manage:jira-configuration
    - read:jira-work
    - manage:jira-project

As for the error message you received I’ll pass it along to the relevant team. Thanks for your patience :slight_smile:

Another hypothesis: Is it possible that you weren’t using asApp when calling the endpoint? The code example you provided is using asUser.

As for the problems during upgrade, did you use forge install --upgrade instead of just forge install? Bear in mind that upgrades can only be triggered when there is a major version change. Re-installing will yield the conflicting installation as seen from the example you provided.

I tried to follow the route Settings -> Connected Apps -> View App Details but I couldn’t find such a route from my Atlassian root URL. For example, I’m developing and deploying my Forge app on akpa.atlassian.net. If I go to this URL and click the Settings icon in the top right corner, I have a menu item that says Apps. If I click on Apps, I can click on another menu item on the left that says Manage Apps. In this area, I can simply uninstall my app.

If I go at my profile (Atlassian account), there is a Connected Apps menu item to the left. I then see my app, PaceMkr, with a list of permissions that I can see when I click on a drop-down arrow. I’ve taken the following screenshot of its permissions:

Looking at the permissions, it seems PaceMkr could read workflows. But I’ve got a feeling I’m not looking at the right place. The permissions I’m seeing are not the same as yours.

The permissions in my manifest.yml are the same as yours with two small differences:

  1. They are not in the same order. Could that be a problem?
  2. Mine have single quotes around each permission. Could that be a problem?

Later today, I’ll put my permissions in the same as yours and remove the single quotes. Who knows!

Another interesting fact: when I do forge install, it always prints this in the command line:

Your app will be installed with the following scopes:
- read:jira-user

I was wondering if this is a default setting for security reasons. Or should I see the same permissions from my manifest.yml file be displayed here? When I try to access my Forge Custom UI app for the first time, it always asks me to allow access to the app to my Jira project.

Good point about asUser in my initial code example. I did try both but I’ll double-check to make sure. Maybe it was me all along who was just not putting asApp.

As for the forge install --upgrade command, I’ve never tried it as it wasn’t mentioned in the tutorials (remember, I’ve been doing this for 5 days now). How do I change a major (or minor) version number in a Forge Custom UI app? I’m coming from the Node world where this is easy to do in package.json. Do I do it in manifest.yml? There wasn’t any version field in it when I created my app, so I’m guessing it’s elsewhere.

Finally, thank you for being so quick to respond and help me troubleshoot my new Forge Custom UI app.

Louis-Philippe
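The announcement says scopes are not synced automatically and only take effect after an upgrade or reinstall, and the install output above shows the symptom of that gap: four scopes in manifest.yml, one scope granted. The following is an added example, not code from the thread or from Atlassian's CLI, that checks for exactly this drift before you start debugging 403s: it pulls the list under permissions.scopes out of a manifest (quoted or bare items, no YAML library needed), reads the scope list the CLI prints, and reports what is declared but not granted. It also applies the Connect-to-Forge scope transform described in the announcement. The manifest text, CLI output and app id in the block are constructed samples.

```javascript
// Added example (not from the thread or the Forge CLI): compare the scopes declared
// in manifest.yml with the scopes the CLI reports at install time.

// Extract the list under `permissions:` -> `scopes:` without a YAML library.
// Handles both quoted ('read:jira-user') and bare (read:jira-user) list items.
function parseManifestScopes(manifestText) {
  const scopes = [];
  let inPermissions = false;
  let inScopes = false;
  for (const raw of manifestText.split(/\r?\n/)) {
    const line = raw.replace(/\s+#.*$/, ''); // drop trailing YAML comments
    if (!line.trim()) continue;
    const indent = line.match(/^\s*/)[0].length;
    const text = line.trim();
    if (indent === 0) {                       // new top-level key
      inPermissions = text === 'permissions:';
      inScopes = false;
      continue;
    }
    if (inPermissions && text === 'scopes:') { inScopes = true; continue; }
    if (inPermissions && inScopes && text.startsWith('- ')) {
      scopes.push(text.slice(2).trim().replace(/^['"]|['"]$/g, ''));
    } else if (inPermissions && indent <= 2) {
      inScopes = false;                       // another key under permissions, e.g. external:
    }
  }
  return scopes;
}

// Extract the bullet list that follows "Your app will be installed with the following scopes:".
function parseInstalledScopes(cliOutput) {
  const lines = cliOutput.split(/\r?\n/);
  const start = lines.findIndex((l) => /following scopes:/i.test(l));
  if (start === -1) return [];
  const scopes = [];
  for (const line of lines.slice(start + 1)) {
    const m = line.trim().match(/^-\s+(\S+)/);
    if (!m) break;                            // end of the bullet list
    scopes.push(m[1]);
  }
  return scopes;
}

// Connect scopes carried into a Connect on Forge app get the product suffix,
// e.g. WRITE -> write:connect-confluence (transform as stated in the announcement).
function toConnectOnForgeScope(connectScope, product) {
  return `${connectScope.toLowerCase()}:connect-${product}`;
}

// Declared-but-not-granted scopes are the ones that will surface as 403s in the app.
function checkScopes(manifestText, cliOutput) {
  const declared = parseManifestScopes(manifestText);
  const installed = parseInstalledScopes(cliOutput);
  const granted = new Set(installed);
  const known = new Set(declared);
  return {
    declared,
    installed,
    missing: declared.filter((s) => !granted.has(s)),     // needs upgrade/reinstall
    unexpected: installed.filter((s) => !known.has(s)),   // stale grant from an old version
    inSync: declared.length === installed.length && declared.every((s) => granted.has(s)),
  };
}

// Constructed sample manifest modelled on the one posted above (app id is a placeholder).
const SAMPLE_MANIFEST = `
modules:
  jira:projectPage:
    - key: example-page   # constructed placeholder
      title: Example
permissions:
  scopes:
    - 'read:jira-user'
    - 'read:jira-work'
    - 'manage:jira-project'
    - 'manage:jira-configuration'
app:
  id: ari:cloud:ecosystem::app/00000000-0000-0000-0000-000000000000
`;

// Constructed sample of the CLI output quoted above: only one of the four scopes granted.
const SAMPLE_CLI_OUTPUT = `
Installing your app onto an Atlassian site.
Your app will be installed with the following scopes:
- read:jira-user

Installing app... done
`;

const report = checkScopes(SAMPLE_MANIFEST, SAMPLE_CLI_OUTPUT);
if (!report.inSync) {
  console.log('Scope drift detected. Missing from the installation:', report.missing.join(', '));
  console.log('A major version upgrade or reinstall is required before these scopes apply.');
}
```

In practice you would pipe the real `forge install` output into `parseInstalledScopes` and read the real manifest from disk; the drift report tells you whether a 403 is worth debugging in the app at all or whether the installation simply never received the new scopes.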

I tried again by simply changing the orders of my permissions in my manifest.yml file.

I then did forge deploy followed by forge install --upgrade and I was able to get a status 200 with the REST API call

const response = await api.asApp().requestJira(route`/rest/api/3/workflow/search`, {
  headers: {
    'Accept': 'application/json'
  }
});

What was weird is that I didn’t get any workflows for my Scrum project. As I had a default board, I checked and there was a workflow. But the call above returned nothing. I did try asUser and asApp.

I tried with an older API version to get the board only without the workflow and I got a status 403.

import api, { route } from '@forge/api';

// Fixed: `{$projectKey}` was a typo for the template placeholder `${projectKey}`, and
// route must be used as a tagged template literal. The call still returned 403 because
// this is a Jira Software (agile) v1 endpoint, as the later replies discuss.
const response = await api
  .asUser()
  .requestJira(route`/rest/agile/1.0/board?projectKeyOrId=${projectKey}`, {
    headers: {
      accept: "application/json",
      "content-type": "application/json",
    },
  });

When I do forge deploy, I’m under the impression my minor version gets incremented automatically. Is that right? When I do a forge install --upgrade, I always get the following error message in red in the console:

Error: The latest version of the app is already installed on the site: {version: 8.9.0, isLatest: true}

I’m kind of wondering if forge deploy is enough when we do minor versions. Any guidance on this would be appreciated.

So I think my initial question was solved but I don’t really know how it got solved.

If you have insights @Cyn on how come I don’t get any workflows back from my call above, I would appreciate it. I’m trying to get the list of boards linked to the project my Forge Custom UI app is currently in. In the v3 Jira REST API, it seems the way to go is through the workflows which contain the boards. Would you know which endpoint to call to get those?

Louis-Philippe

So I’m playing along with my code and I finally managed to get /rest/api/3/workflow/search to work. I did not change the permissions in manifest.yml and I did not do forge deploy and forge install --update.

I got my workflow returned only when I used asUser. If I use asApp, I got this message when running forge tunnel (I took a screenshot)

So I’m back at square one I guess. The title of this post was that Forge apps can access restricted resources. Not for me when I use asApp.

Hi @LouisPhilippeCarigna ,

I’m kind of wondering if forge deploy is enough when we do minor versions.

Yes, that’s enough.

In the second last message you say you got a 200 but without the expected workflow, but in the last message you say it was a 403 when you used asApp. What was different between those two? I reckon the best next step would be to get back to the point where you were getting a 200 with asApp and proceed from there - perhaps there’s something about your Scrum project that means the workflow is stored and retrieved elsewhere. If you create a couple more test projects of different types (e.g. company managed, workflow, etc.), can you see their workflows?

1 Like

Hi @jhazelwood,

Thank you for your feedback about just doing forge deploy for minor version.

The 403 was in regard to the call /rest/agile/1.0/board?projectKeyOrId={$projectKey} which is a Jira v1 REST endpoint. After searching the Forge documentation, this page says:

Jira Cloud REST API version 2 is not supported by the forge lint command. Only /rest/api/3 paths are supported.

So I’m assuming I got a 403 on a v1 REST endpoint because it’s not supported inside of Forge. Would it be possible to confirm this?

I’ve tried calling a few v3 REST endpoints with asApp to see if I was having an issue with more than one endpoint.

Get workflows paginated

  • Endpoint: /rest/api/3/workflow/search
  • Permission required: manage:jira-project
  • Message returned: {"errorMessages":["Only Jira administrators can access workflows."],"errors":{}}

Get workflow schemes

  • Endpoint: /rest/api/3/workflowscheme
  • Message returned: "errorMessages":["Only Jira administrators can access workflow scheme associations.

I called a few endpoints requiring permission read:jira-work with asApp to see if they worked. Here are the calls that worked with asApp:

  • /rest/api/3/project/${projectKey}/features
  • rest/api/3/project/${projectKey}
  • /rest/api/3/status
  • /rest/api/3/myself

Maybe at the end of the day, I don’t need to search workflows.

My objective is to get the column names and their statuses from v3 of the REST API. I can do it with v1 REST API endpoint rest/agile/1.0/board?projectKeyOrId={$projectKey}. As I mentioned at the beginning of this message, I’m under the impression v1 REST API is not callable inside of Forge. If that is the case, how would I get the boards linked to a project and its columns?

I’ve spent quite some time searching the v3 REST documentation to figure out where the column names and statuses were hidden. By searching the workflows, I was under the assumption I could get its statuses and the columns. Maybe I’m wasting my time (and yours) trying a route that won’t solve my problem.

1 Like

Hi @LouisPhilippeCarigna ,

Firstly, your query about the Jira Software APIs:

So I’m assuming I got a 403 on a v1 REST endpoint because it’s not supported inside of Forge. Would it be possible to confirm this?

That’s right, but we’re working on it. See this public forge ticket.

Secondly, regarding your 403s from /rest/api/3/workflow/search. I’ve investigated this and in my tests, I found the following:

  1. If you create an app with manage:jira-project you get Only Jira administrators can access workflows.
  2. If you add manage:jira-configuration and upgrade the installation you still get Only Jira administrators can access workflows.
  3. If you create a fresh app with manage:jira-project and manage:jira-configuration you get the data back.

I believe 1. and 2. are two separate bugs, and I will make sure we’re tracking them.

Hopefully 3. might serve as a workaround? Would you be able to try installing the app on a fresh site, or re-creating it using forge register and then re-installing? Hopefully that will enable your app to access the workflows via asApp then.

Apologies again that it’s taken a while to get to this point. I hope these findings help you out.

1 Like

Hi @jhazelwood,

Thank you so much for all the info in your reply and for investigating my problem with /rest/api/3/workflow/search.

I’ll try option 3 as suggested later today and let you know how it works.

As for v1 and v2 REST API not being accessible in Forge apps, I’ve looked at the public forge ticket and it seems to be promised for the end of the month. I’ll cross my fingers it doesn’t get pushed back.

While I’m waiting for this release, is there an alternative to fetch the board column names and their statuses in v3 REST API?

Louis-Philippe

I don’t think there’s an alternative for that information, sorry. It’s pretty specific to Jira Software.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.