How do I get the ID of a new user installation of my app?

Reading through the 3LO authentication here: https://developer.atlassian.com/cloud/jira/platform/oauth-2-3lo-apps/, I was confused a bit about whether it’s possible to get the cloudid of my application if I distribute it to multiple users. From the documentation, it seems that requests to https://api.atlassian.com/oauth/token/accessible-resources will always return a list of every single resource my app has access to. If that’s true, how do I differentiate the user I’m currently taking through the auth process with my app? Do I just have to manage the current list of installation ids, and then find the newly added id by seeing which one isn’t in that list?

Any help would be greatly appreciated!

2 Likes

Welcome to the Atlassian developer community @DanielSoffiantini

To clarify, the authorization code flow is granting your app access to an intersection of 2 security contexts:

  • a user, who is being prompted to authorize your app
  • a site, that the user must choose during authorization of your app

A site is “an instance” of Jira. Sometimes the term is known in broader SaaS terms as “a tenant”.

If you want to retrieve the public profile of the current user (for which you have a token), then you should make sure your app requests the read:me scope, and request GET https://api.atlassian.com/me. This tells you “who” your app knows, but not “where”.

Now, to know which Jira sites and associated cloud IDs the token will allow your app to access, you need to ask https://api.atlassian.com/oauth/token/accessible-resources. For that endpoint, the idea of “resources” is not the users (each authorized token only grants your app access to 1 user); they are the sites, because each user may be part of many sites.

1 Like

Thank you so much for your reply @ibuchanan, this makes a lot of sense. So what your response also implies is that access tokens returned by the call to https://auth.atlassian.com/oauth/token with the code from the auth flow are scoped to the user and not the app. Is that correct?

Also, just to be extra clear, the steps to get the user/installations combo would be:

  1. Send user to auth url
  2. Grab the code from the callback and reach out to https://auth.atlassian.com/oauth/token
  3. Take the JWT response and call https://api.atlassian.com/me and grab the account_id
  4. Call to https://api.atlassian.com/oauth/token/accessible-resources and check what installations I can access with that token

1 Like

Yes. And I confirm your steps make sense when Jira and/or Confluence scopes are being requested.

Small caveat for the sake of good error handling: there are circumstances when accessible-resources can return an empty array []. This happens when your client asks for scopes that aren’t associated with a site. As a specific example, read:me is not site-specific. This can be confusing because the end-user authorization flow doesn’t change: it makes the user select a specific site as if it were authorizing to that site.

1 Like
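The four steps listed above, with the empty-array caveat handled, as an added Python example that is not code from this thread or from Atlassian. The token exchange, /me and accessible-resources calls follow the URLs quoted in the thread; `fake_http`, `demo`, and every id, token and URL in `FAKE` are constructed stand-ins so the example runs offline, and `http_json` is the real transport you would pass instead.

```python
import json
from urllib.request import Request, urlopen

TOKEN_URL = "https://auth.atlassian.com/oauth/token"
ME_URL = "https://api.atlassian.com/me"
RESOURCES_URL = "https://api.atlassian.com/oauth/token/accessible-resources"

def http_json(url, method="GET", body=None, headers=None):
    # Real transport; demo() below substitutes fake_http so nothing leaves the machine.
    data = json.dumps(body).encode() if body is not None else None
    hdrs = dict(headers or {}, **({"Content-Type": "application/json"} if data else {}))
    with urlopen(Request(url, data=data, method=method, headers=hdrs), timeout=10) as resp:
        return json.loads(resp.read().decode())

def exchange_code(code, client_id, client_secret, redirect_uri, http=http_json):
    # Step 2: swap the callback's authorization code for a user-scoped access token.
    body = {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "code": code, "redirect_uri": redirect_uri}
    return http(TOKEN_URL, "POST", body)["access_token"]

def resolve_installation(access_token, http=http_json):
    # Steps 3-4: "who" the token belongs to (/me) and "where" it reaches (sites).
    auth = {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
    account_id = http(ME_URL, headers=auth)["account_id"]
    sites = http(RESOURCES_URL, headers=auth)
    # Caveat from the thread: only non-site scopes (e.g. read:me) give an empty list.
    # That is "nothing to record", not an error; key stored records by (user, cloudid).
    return {
        "account_id": account_id,
        "installations": [(account_id, s["id"]) for s in sites],
        "sites": {s["id"]: {"url": s["url"], "scopes": s.get("scopes", [])} for s in sites},
    }

# Constructed sample responses (hypothetical ids/urls) standing in for Atlassian's API.
FAKE = {
    TOKEN_URL: {"access_token": "tok-constructed", "token_type": "Bearer"},
    ME_URL: {"account_id": "acct-111", "name": "Example User"},
    RESOURCES_URL: [{"id": "cloud-aaa", "url": "https://one.example.net", "scopes": ["read:jira-work"]},
                    {"id": "cloud-bbb", "url": "https://two.example.net", "scopes": ["read:jira-work"]}],
}

def fake_http(url, method="GET", body=None, headers=None, sites=None):
    # Offline stand-in; `sites` overrides the accessible-resources reply (pass [] for the caveat).
    return sites if (url == RESOURCES_URL and sites is not None) else FAKE[url]

def demo(sites=None):
    # Full flow against the fake transport: callback code -> token -> user -> sites.
    http = lambda url, method="GET", body=None, headers=None: fake_http(url, method, body, headers, sites)
    token = exchange_code("code-from-callback", "client-id", "client-secret", "https://app.example/cb", http)
    return resolve_installation(token, http)
```

Keep `client_secret` in server-side configuration and store the returned token keyed by `(account_id, cloud id)` rather than by app, since, as the reply explains, each token is scoped to one user.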