Hi Atlassian team and community,
I’m currently building a Forge app for Jira Cloud that displays a changelog table of issues between two versions of a project. The app is working well in both Confluence and the Jira agent view, using the api.asApp().requestJira(...) approach to fetch issue, version, and component data.
Now, I’m trying to integrate this app into the Jira Service Management (JSM) customer portal, so that customers (non-licensed users) can access the same changelog. The problem is that customers don’t have permission to view issues from the internal project, so the Forge app returns empty data for them.
I’d like the app to always fetch data using a specific Jira user’s permissions, regardless of who is viewing it – even anonymous customers. Basically, all data queries should run as a fixed user or service account, not as the current user or app.
My questions:
- Is it possible to authenticate the Forge app using OAuth 2.0 to always act on behalf of a specific Jira user?
- Can Forge apps safely store and use a user-based access token or refresh token for that purpose?
- Or is there another pattern supported by Atlassian to make a Forge app always act as a single user?
Any guidance or best practice would be really appreciated, especially for making this work securely in a JSM customer portal context. Thank you!