How to use Forge offline user impersonation from Remote

Hi. I am following the offline-user-impersonation guide and trying to get a Jira user auth token from a Forge Remote app. As far as I understand from Overview of the Atlassian platform GraphQL API, I can use the GraphQL Gateway, which is located at https://{my-subdomain}.atlassian.net/gateway/api/graphql.

The query looks like this:

mutation forge_remote_offlineUserAuthToken($input: OfflineUserAuthTokenInput!) {
  offlineUserAuthToken(input: $input) {
    success
    errors {
      message
    }
    authToken {
      token
      ttl
    }
  }
}

Variables:

{
  "input": {
    "contextIds": [
      "ari:cloud:jira::site/{cloud ID}",
      "ari:cloud:ecosystem::installation/{installation ID}"
    ],
    "userId": "012345678901234567890123"
  }
}

Headers:

{
  "Authorization": "Bearer abc..."
}

I get the token from the “x-forge-oauth-system” header of the installation event (avi:forge:installed:app).

In response I get an error:

{
  "data": {
    "offlineUserAuthToken": {
      "success": false,
      "errors": [
        {
          "message": "Could not load permissions for app user in the provided contextIds of [ari:cloud:jira::site/{cloud ID}, ari:cloud:ecosystem::installation/{installation ID}]"
        }
      ],
      "authToken": null
    }
  },
  "extensions": {
    "gateway": {
      "request_id": "01234567-89ab-cdef-0123-456789abcdef",
      "trace_id": "0123456789abcdef0123456789abcdef",
      "crossRegion": false,
      "edgeCrossRegion": false
    }
  }
}

Application scopes include both act-as-user:connect-jira and read:app-user-token.

What am I doing wrong?

Hi @SemyonGashchenko, thanks for giving the feature a try.

Could you change context ID to this format:
"contextIds": ["ari:cloud:jira:{cloud ID}:workspace/{workspace ID}"]

If you don’t have the Workspace ID, please try passing Cloud ID instead, e.g.

"contextIds": ["ari:cloud:jira:{cloud ID}:workspace/{cloud ID}"]

Hi @Ilnar. Thanks for your help. Still doesn’t work:

{
  "data": {
    "offlineUserAuthToken": {
      "success": false,
      "errors": [
        {
          "message": "Could not load permissions for app user in the provided contextIds of [ari:cloud:jira:{cloud ID}:workspace/{cloud ID}]"
        }
      ],
      "authToken": null
    }
  },
  "extensions": {
    "gateway": {
      "request_id": "2801e3c6-36aa-4986-aef1-df211c5fa3db",
      "trace_id": "2801e3c636aa4986aef1df211c5fa3db",
      "crossRegion": false,
      "edgeCrossRegion": false
    }
  }
}

Using the trace_id I checked the app and the site it is installed on. I don’t see any impersonation scopes set for the app. Could you check the following:

  1. The app manifest has scopes allowed for impersonation
  2. The app with the new impersonation scopes has been deployed
  3. The app is updated (forge install --upgrade) on the site (major version update should not happen if no new scopes were added, but it would be great to double-check).

Thanks!

It worked. Thanks, Ilnar! It would be nice to have an explanation of what contextIds is in the impersonation documentation.

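As an added example (not part of the thread and not Atlassian's code), the request and response handling discussed above could be wrapped like this in Node.js. The mutation and the workspace ARI format are taken from the posts; the function names, the injectable `fetchImpl` and the identifier check are assumptions.

```javascript
// Added example, not Atlassian's code. Mutation text and ARI format come from
// the thread; function names and the injectable fetchImpl are assumptions.
const MUTATION = `mutation forge_remote_offlineUserAuthToken($input: OfflineUserAuthTokenInput!) {
  offlineUserAuthToken(input: $input) {
    success
    errors { message }
    authToken { token ttl }
  }
}`;

// Workspace ARI in the format suggested in the thread. The cloud ID stands in
// for the workspace ID when the latter is unknown. Unreplaced placeholders such
// as "{cloud ID}" are rejected before anything is sent.
function workspaceContextId(cloudId, workspaceId = cloudId) {
  for (const v of [cloudId, workspaceId]) {
    if (typeof v !== 'string' || !/^[\w-]+$/.test(v)) {
      throw new Error('cloudId/workspaceId must be plain identifiers');
    }
  }
  return `ari:cloud:jira:${cloudId}:workspace/${workspaceId}`;
}

// systemToken is the value of the x-forge-oauth-system header.
function buildRequest(systemToken, cloudId, userId, workspaceId) {
  const contextIds = [workspaceContextId(cloudId, workspaceId)];
  return {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${systemToken}` },
    body: JSON.stringify({ query: MUTATION, variables: { input: { contextIds, userId } } }),
  };
}

// Failure is reported inside the payload (success: false), so check that field
// rather than the HTTP status alone. The error carries trace_id for support
// lookups and never includes token material.
function parseResult(payload) {
  const result = payload?.data?.offlineUserAuthToken;
  if (!result || result.success !== true || !result.authToken) {
    const traceId = payload?.extensions?.gateway?.trace_id;
    const msgs = (result?.errors || payload?.errors || []).map((e) => e.message).join('; ');
    throw new Error(`offlineUserAuthToken failed (trace_id=${traceId}): ${msgs || 'no message'}`);
  }
  return result.authToken; // { token, ttl }: keep in memory, do not log
}

async function mintUserToken(gatewayUrl, systemToken, cloudId, userId, fetchImpl = fetch) {
  const res = await fetchImpl(gatewayUrl, buildRequest(systemToken, cloudId, userId));
  return parseResult(await res.json());
}
```
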

Hi @Ilnar. Can you please help me with rate limiting as well?

AGG supports cost based per-user rate limiting for Graphql query and mutation operation

What exactly does the documentation mean by “user”?

Hey @SemyonGashchenko,

Sure, a user in this context is defined by the OAuth Client ID, which is unique for each combination of an app and an environment.

E.g., if you have the same app installed on a site in Dev and Prod environments and both apps request impersonation tokens, each app can mint up to 1000 tokens per minute.

Please bear in mind that the usage of the tokens with the Product APIs is subject to a separate set of rate limits.

Thanks!
