Forge offline user impersonation token is not working

Hello,

I’m trying to get the offline impersonation to work properly. (https://developer.atlassian.com/platform/forge/remote/calling-product-apis/#offline-user-impersonation) I’m able to get a valid impersonated token from the GraphQL API, but when I use it to create a worklog on a valid Jira issue I get the following error:
{'errorMessages': ['Issue does not exist or you do not have permission to see it.'], 'errors': {}}

Forge manifest info on permissions:
permissions:
  scopes:
    read:app-system-token: {}
    read:jira-work:
      allowImpersonation: true
    write:jira-work:
      allowImpersonation: true

I then use invokeRemote to call the backend:

I decode the FIT and I grab the cloudId: https://developer.atlassian.com/platform/forge/remote/essentials/#the-forge-invocation-token--fit-

The system token is coming from the x-forge-oauth-system header.

The app is installed on the development space, I’m trying to impersonate myself as a test as the only contributor of the app.

import requests

# ARI of the Jira site, built from the cloudId in the decoded FIT
context_id = f"ari:cloud:jira::site/{decoded_fit['context']['cloudId']}"

url = "https://api.atlassian.com/graphql"
headers = {
    "Accept": "application/json",
    "Content-Type": "application/json",
    # system token taken from the x-forge-oauth-system header
    "Authorization": f"Bearer {system_token}",
}

query = """
    mutation forge_remote_offlineUserAuthToken($input: OfflineUserAuthTokenInput!) {
      offlineUserAuthToken(input: $input) {
        success
        errors {
          message
        }
        authToken {
          token
          ttl
        }
      }
    }
"""

payload = {
    "query": query,
    "variables": {
        "input": {
            "contextIds": [context_id],
            "userId": user_account_id,
        }
    },
}

response = requests.post(url, headers=headers, json=payload)

I then try to create a worklog using the provided token directly as bearer token:


worklog_data = {
    "comment": comment,
    "timeSpentSeconds": time_spent_seconds,
    "started": started,
}

headers = {
    "Authorization": f"Bearer {access_token_from_graphql}",
    "Content-Type": "application/json",
}

return requests.post(
    f"{BASE_URL}/rest/api/latest/issue/{jira_issue_key}/worklog",
    headers=headers,
    data=json.dumps(worklog_data),
)

That endpoint gives me:

{'errorMessages': ['Issue does not exist or you do not have permission to see it.'], 'errors': {}}

Any ideas what I’m doing wrong here?

Thanks!

Hi @YvovonBerg, thanks for giving the feature a try.

I see you’re facing an authorisation error. This might be caused by:

  • the app not being updated in the right workspace, with a wrong set of scopes registered
  • the impersonated account not having access to the page, or the value in {jira_issue_key} is incorrect.

Can you please check on these points? Also, would it be possible to share the traceIds for both the token generation call as well as the product call when we try to create a worklog?

Thanks for your reply.

  • I re-ran forge install --upgrade → same result. How do I confirm the scopes? I have read:jira-work and write:jira-work, both with allowImpersonation turned on.
  • This is the trace ID from the graphql endpoint: 'extensions': {'gateway': {'request_id': 'c9aee1dc-bded-4ba6-b7a9-95a4a54ed2ef', 'trace_id': 'c9aee1dcbded4ba6b7a995a4a54ed2ef', 'crossRegion': False, 'edgeCrossRegion': False}}

Hi @YvovonBerg thanks for sharing the trace ID. I could identify the app and the installation context. The permissions look good. However, I couldn’t find the worklog-related API requests in the site logs. I wonder how you get the Base Url. Are you getting it from the FIT?

Thanks!

Ah thanks! That was indeed the problem. https://developer.atlassian.com/platform/forge/remote/calling-product-apis/#offline-user-impersonation, you could consider adding some extra info to the docs of that feature.
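
The thread resolves around where the base URL for the product call comes from. The following is an added example, not code from any poster or from Atlassian: it takes the base URL from already-verified FIT claims and refuses to attach the impersonated user token to anything other than an https URL on api.atlassian.com. The `app.apiBaseUrl` claim name, the allowed host, the issue-key pattern and the helper names are assumptions; the sample claims are constructed.

```python
import re
from urllib.parse import urlsplit

ALLOWED_API_HOST = "api.atlassian.com"  # assumption: the only host that may receive the token
ISSUE_KEY_RE = re.compile(r"[A-Z][A-Z0-9_]*-[1-9][0-9]*")  # assumption: default Jira key format

# Constructed sample of decoded FIT claims (placeholder cloudId, not from the thread).
SAMPLE_FIT_CLAIMS = {
    "app": {"apiBaseUrl": "https://api.atlassian.com/ex/jira/00000000-0000-0000-0000-000000000000"},
    "context": {"cloudId": "00000000-0000-0000-0000-000000000000"},
}


def product_api_base(fit_claims):
    """Return the product API base URL from already-verified FIT claims."""
    base = (fit_claims.get("app") or {}).get("apiBaseUrl")  # assumed claim name
    if not isinstance(base, str):
        raise ValueError("FIT claims carry no app.apiBaseUrl")
    parts = urlsplit(base)
    # Reject plain http, look-alike hosts, userinfo tricks and odd ports.
    if (parts.scheme != "https" or parts.hostname != ALLOWED_API_HOST
            or parts.username is not None or parts.port not in (None, 443)
            or parts.query or parts.fragment):
        raise ValueError(f"refusing to send a user token to {base!r}")
    return base.rstrip("/")


def worklog_request(fit_claims, user_token, issue_key, time_spent_seconds, started, comment):
    """Build keyword arguments for requests.post(); nothing is sent here."""
    if not ISSUE_KEY_RE.fullmatch(issue_key):
        raise ValueError(f"not a Jira issue key: {issue_key!r}")
    return {
        "url": f"{product_api_base(fit_claims)}/rest/api/latest/issue/{issue_key}/worklog",
        "headers": {
            "Authorization": f"Bearer {user_token}",
            "Content-Type": "application/json",
        },
        "json": {
            "comment": comment,
            "timeSpentSeconds": time_spent_seconds,
            "started": started,
        },
    }
```

The returned dictionary can be passed straight to `requests.post(**kwargs)`, so the token is only ever sent to the URL that passed the check.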