Impersonated call with Connect on Forge by oauth_client_id

carlos.martin · July 2, 2024, 12:28pm

Hi everyone,

My name is Carlos. I’m reaching out because we are currently developing an application using “Connect on Forge,” and we’ve encountered a problem.

Most of our screens are built in Forge, but we had to create some screens in Connect due to certain modules not being available in Forge.

The issue we’re facing involves making impersonal calls from our Connect backend when requests originate from Connect screens, as we lack the “oauth_client_id” in the “atlassian_host” table. This is problematic, especially since we perform asynchronous processes that can take more than an hour and involve calculations as a user.

In line with Connect’s rules, we’ve included the “ACT_AS_USER” scope in our atlassian-connect.json. However, since the installation is done through the Forge CLI, the “oauth_client_id” is not stored.

    "scopes": [
        "READ",
        "ADMIN",
        "ACT_AS_USER",
        "ACCESS_EMAIL_ADDRESSES"
    ]

In the Forge descriptor (manifest.yml), we’ve also included the necessary scopes, but it seems these only affect calls originating from Forge.

permissions:
  scopes:
    - read:jira-work
    - storage:app
    - read:connect-jira
    - read:app-system-token
    - read:app-user-token
    - read:jira-user
    - read:permission:jira
    - manage:jira-configuration
    - admin:connect-jira
    - access-email-addresses:connect-jira

Also, we are using the following dependencies in our backend:

<atlassian-connect-spring-boot.version>4.1.1</atlassian-connect-spring-boot.version>

        <!-- ATLASSIAN CONNECT -->
        <dependency>
            <groupId>com.atlassian.connect</groupId>
            <artifactId>atlassian-connect-spring-boot-starter</artifactId>
            <version>${atlassian-connect-spring-boot.version}</version>
        </dependency>
        <dependency>
            <groupId>com.atlassian.connect</groupId>
            <artifactId>atlassian-connect-spring-boot-jpa-starter</artifactId>
            <version>${atlassian-connect-spring-boot.version}</version>
        </dependency>

Does anyone know if it’s possible for the “oauth_client_id” to be stored via the Forge installation, or how to make impersonated calls from Connect starting from an app installation in Forge?

Currently, we are compelled to maintain development in Connect to address certain limitations of Forge.

jhazelwood · July 2, 2024, 11:51pm

Hi @carlos.martin , when installing via the Forge CLI your descriptor is not consulted. Everything needs to go in your manifest, including the connect modules under connectModules and the connect scopes under scopes - you’re missing act-as-user:connect-jira.

The easiest way to get your connect modules and scopes into a manifest is to use our automatic converter tool - see these docs.

Cheers,
James Hazelwood

carlos.martin · July 3, 2024, 9:54am

Hi @jhazelwood,

Thank you very much for your quick response. It worked perfectly for us.

We used the automatic converter tool previously, but perhaps we hadn’t configured the scopes correctly at that time.

Thanks again. Have a great day!