I want to call the Jira bulk permission API (/rest/api/3/permissions/check) from a Forge Remote using the app system token to ensure the user associated with the incoming request has the required permission to make the request.
Unfortunately, I keep getting 401 with the message:
Only Jira administrators and Connect apps can perform this operation
I have verified that the app system token is valid. Looking at the API docs, it seems there is some special auth on this endpoint for Connect apps.
I use the My Permissions API to verify that the incoming user has specific permissions. It is similar to the bulk check API in that you need to give the list of permissions you want to check and it will return a similar response as well.
The API works for Forge and Connect apps. My app is currently connect-on-forge, but I use this API in both a Connect and Forge client implementation. You just need to make sure that you use the correct API base URL; this differs between Connect and Forge. For Connect this is the base URL of the cloud instance; for Forge this is always api.atlassian.com with the cloud instance id located in the path for some apps.
Thanks for the suggestion, Mark. Is my assumption correct that, in your case, you have auth.appUserToken.enabled set to true in your manifest and that you call this API with user impersonation?
We are only using the app system token, which does not allow for user impersonation. I believe calling /rest/api/3/mypermissions with the app system token would check permissions against the app user account.
This morning, I added the granular scope read:permission:jira to my app manifest, deployed, and upgraded my installation. After that, it worked. Then I removed the scope again, redeployed, and upgraded the installation, and it now works with just the same code as last night.
I am confused.
It would be nice if someone from Atlassian could confirm that Forge Remote apps can indeed call the Jira bulk permission API (/rest/api/3/permissions/check) using an app system token - just like Connect apps can - and update the Jira Cloud REST API docs to clarify this exception.
Yeah, I do have auth.appUserToken.enabled set to true in my manifest, so I can do online impersonation.
There may be a bit of a delay between new deployments of permissions and those working for your tenant. I have seen this as well, where the thing added or removed took a bit of time.
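Added example, not part of any post in this thread: a fail-closed authorization check built on the bulk permission API discussed above, asking about a specific user via the request's `accountId` field instead of impersonating them. The helper names are hypothetical, and `apiBaseUrl` and `systemToken` are assumed to come from an already validated Forge Remote invocation.

```javascript
// Added example: fail-closed authorization check built on
// POST /rest/api/3/permissions/check. Helper names are hypothetical.

// Request body asking which of `permissions` the user holds on one project.
function buildCheckBody(accountId, projectId, permissions) {
  return {
    accountId,
    projectPermissions: [{ permissions, projects: [projectId] }],
  };
}

// True only if every required permission is granted on the project.
// A missing or malformed entry counts as a denial.
function grantsAll(responseBody, projectId, permissions) {
  const entries = Array.isArray(responseBody?.projectPermissions)
    ? responseBody.projectPermissions
    : [];
  return permissions.length > 0 && permissions.every((perm) =>
    entries.some((e) =>
      e.permission === perm &&
      Array.isArray(e.projects) &&
      e.projects.includes(projectId)));
}

// apiBaseUrl and systemToken are assumed to come from the already
// validated Forge Remote invocation; fetchImpl defaults to global fetch.
async function userMayAct({ apiBaseUrl, systemToken, accountId, projectId,
                            permissions, fetchImpl = fetch }) {
  const res = await fetchImpl(`${apiBaseUrl}/rest/api/3/permissions/check`, {
    method: "POST",
    headers: {
      Authorization: `Bearer ${systemToken}`,
      "Content-Type": "application/json",
      Accept: "application/json",
    },
    body: JSON.stringify(buildCheckBody(accountId, projectId, permissions)),
  });
  // A 401 like the one in the thread, or any other error, denies the request.
  if (!res.ok) return false;
  return grantsAll(await res.json(), projectId, permissions);
}
```

Treating any non-2xx response as a denial means a scope or propagation problem like the one described in the thread blocks the action rather than silently allowing it.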