Forge External Authentication and Azure API

Hi everyone,
I’m trying to implement external calls from the Forge plugin to Azure Active Directory using oauth2. I have registered a new client within Azure AD and got the client ID and the client secret, and added the redirect URI ‘’. I have set the client ID in the providers.auth section of the manifest.yml file and set the client secret by running the ‘forge providers configure’ command in the CLI.

Here’s my manifest file:

    - key: temporary-development-webtrigger
      function: main
    - key: main
          - azure
  id: ari:cloud:ecosystem::app/0a4b3acc-6bb2-42e3-8053-d6e4d7357e7f
    - key: azure
      name: MSAzure
        - openid
        - profile
        - email
      type: oauth2
      clientId: myClientID
        - azure-login
        - azure-graph
      bearerMethod: authorization-header
          remote: azure-login
          path: /myTenantID/oauth2/v2.0/authorize
          remote: azure-login
          path: /myTenantID/oauth2/v2.0/token
          remote: azure-graph
          path: /oidc/userinfo
            id: sub
            displayName: email
  - key: azure-login
  - key: azure-graph
    - read:user:jira
    - read:application-role:jira
    - read:avatar:jira
    - read:group:jira
        - ''
        - ''

Here’s my API call:

    const azure = api.asUser().withProvider('azure', 'azure-login');

    console.log('azure.hasCredentials() = ' + await azure.hasCredentials());
    if (!await azure.hasCredentials()) {
        await azure.requestCredentials();
    }

I’ve tried a lot of different settings and I’m still getting such an error:

INFO    2022-05-19T09:23:32.754Z 155cf041-80f1-4f5b-a1d1-2a85b4e0c5c2 azure.hasCredentials() = false
ERROR   2022-05-19T09:23:32.756Z 155cf041-80f1-4f5b-a1d1-2a85b4e0c5c2 {
  message: 'Authentication required',
  stack: ''

I also can get a list of Azure endpoints and some settings, that could be useful from this URL - ‘’ :

  "token_endpoint": "",
  "token_endpoint_auth_methods_supported": [
  "jwks_uri": "",
  "response_modes_supported": [
  "subject_types_supported": [
  "id_token_signing_alg_values_supported": [
  "response_types_supported": [
    "code id_token",
    "id_token token"
  "scopes_supported": [
  "issuer": "",
  "request_uri_parameter_supported": false,
  "userinfo_endpoint": "",
  "authorization_endpoint": "",
  "device_authorization_endpoint": "",
  "http_logout_supported": true,
  "frontchannel_logout_supported": true,
  "end_session_endpoint": "",
  "claims_supported": [
  "kerberos_endpoint": "",
  "tenant_region_scope": "EU",
  "cloud_instance_name": "",
  "cloud_graph_host_name": "",
  "msgraph_host": "",
  "rbac_url": ""

Guys, what am I doing wrong?
I’m pretty new to Jira and Node.js, thus any kind of help would be really helpful.

Hi @SergeyKhalin, thanks for trying out forge and external authentication!

The error you are seeing in the console is expected and is the error that triggers the frontend to render the button.
What are you seeing in the frontend?

If I had to guess, it might be that you need to run forge deploy.
Unfortunately you need to deploy any changes to providers and modules before running forge tunnel for it to take effect.

Hi @MichaelCooper, thanks for the reply!

What I was trying to do is to create a function running in the background and triggered by a web-trigger (for debugging) or by a scheduled trigger for production. So there’s no frontend implementation. Do I need it anyway? Btw, both triggers work fine and successfully invoke the function.

While debugging I wasn’t using the tunneling, instead, I just retrieved logs with the forge logs command. Now I tried the tunneling and the problem is still the same((

INFO    08:34:55.346  d99582db5ea0c092  azure.hasCredentials() = false
ERROR   08:34:55.349  d99582db5ea0c092  [NEEDS_AUTHENTICATION_ERR: Authentication required] {
  serviceKey: 'azure'

Do you have any ideas what else could be wrong?

Ah, the external authentication API only works under asUser, which requires an authenticated user to invoke the forge function.
Using forge from a scheduled trigger will not have an authenticated user, so will always have no credentials.

I would encourage you to raise a feature request for allowing external authentication with asApp.
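
The behaviour described in this reply, as an added example that is not part of the original thread and not Atlassian's code: a backend function that skips asUser() when no user invoked it, and otherwise lets the "Authentication required" error propagate. The context.accountId check, the names fetchAzureProfile and makeFakeApi, and the sample profile values are assumptions or constructed for illustration.

```javascript
// Added example. `api` is injected: inside Forge pass the default export of
// '@forge/api'; offline, pass the constructed fake below.
// ASSUMPTION: context.accountId is set only when a signed-in user invoked
// the function (web triggers and scheduled triggers have none).
async function fetchAzureProfile(api, context) {
  if (!context || !context.accountId) {
    // No user means asUser() has nobody whose Azure tokens it could use.
    return { ok: false, reason: 'no-user-context' };
  }
  // Provider key and remote key as declared in the manifest above.
  const azure = api.asUser().withProvider('azure', 'azure-graph');
  if (!(await azure.hasCredentials())) {
    // Throws "Authentication required". Let it propagate: that error is
    // what makes the frontend render the login button.
    await azure.requestCredentials();
  }
  const res = await azure.fetch('/oidc/userinfo');
  if (!res.ok) {
    return { ok: false, reason: 'azure-http-' + res.status };
  }
  const profile = await res.json();
  // Same mapping as the manifest resolvers: id <- sub, displayName <- email.
  return { ok: true, id: profile.sub, displayName: profile.email };
}

// Constructed stand-in for '@forge/api', only so the example runs offline.
function makeFakeApi(hasToken) {
  const calls = [];
  const provider = {
    hasCredentials: async () => hasToken,
    requestCredentials: async () => {
      throw Object.assign(new Error('Authentication required'), { serviceKey: 'azure' });
    },
    fetch: async (path) => {
      calls.push(path);
      const body = { sub: 'constructed-sub', email: 'user@example.com' };
      return { ok: true, status: 200, json: async () => body };
    },
  };
  return { calls, asUser: () => ({ withProvider: () => provider }) };
}
```
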

Hi @MichaelCooper, thanks for the advice!
I raised the feature request. I’ll share any details when I get the response.

@MichaelCooper have you a working example of using Azure AD with forge? I’m basically trying to get the “asUser” working and getting the same “Authentication required”.

Is there any way to get better error/debug info? forge logs doesn’t give any clues.

Also I’m suspicious about the retrieveProfile for Azure AD. The forge doco says it’s mandatory but when running client_credentials you don’t get access to a user profile, so not even sure if it’s used or not. We really need an example like the Google one, for Azure AD and also maybe Slack.

I’ve logged this with support but they said they don’t help development and to log something in community.