Issue Accessing User Emails with ACCESS_EMAIL_ADDRESSES in Jira Cloud App - Atlassian Connect

Hi community,

I am working on an Atlassian Connect app for Jira Cloud. The app needs to access user email addresses, so I followed the process outlined by the support team:

  1. I was informed that, as this is an internal-use app, I only needed to:
  • Use the app ID they provided: "internal-*************".
  • Add the ACCESS_EMAIL_ADDRESSES scope in my atlassian-connect.json.
    Here is the relevant part of my atlassian-connect.json:
{
  "name": "Jira TM",
  "description": "Jira TM",
  "key": "internal-*************",
  ...
  "scopes": [
    "READ",
    "ADMIN",
    "ACT_AS_USER",
    "ACCESS_EMAIL_ADDRESSES"
  ],
  ...
}

To call the bulk email API, I implemented the following logic:

  1. Construct the API URL:
String apiUrl = tenant.getHost() + "/rest/api/3/user/email/bulk?accountId=" + accountIdQuery;
HttpRequest request = jwtService.getRequestWithJwt(tenant, apiUrl, "GET", false).build();
HttpResponse<String> response = HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofString());
  2. Method to build the JWT request:
public HttpRequest.Builder getRequestWithJwt(Tenant tenant, String api, String method, boolean specialAPI) 
        throws UnsupportedEncodingException, NoSuchAlgorithmException, URISyntaxException {
    String baseUrl = tenant.getHost();
    String contextPath = "/";
    String jwt = createJwt(method, api, contextPath, tenant.getSharedSecret(), new HashMap<>(), specialAPI);
    return HttpRequest.newBuilder()
            .uri(new URI(baseUrl + api))
            .header("Content-Type", "application/json")
            .header("Authorization", "JWT " + jwt);
}
  3. JWT creation logic:
private String createJwt(String method, String apiPath, String contextPath, String sharedKey, 
                         HashMap<String, String[]> queryParameters, boolean specialAPI) 
        throws UnsupportedEncodingException, NoSuchAlgorithmException {
    long issuedAt = System.currentTimeMillis() / 1000L;
    long expiresAt = issuedAt + 180L;
    JwtJsonBuilder jwtBuilder = new JsonSmartJwtJsonBuilder()
            .issuedAt(issuedAt)
            .expirationTime(expiresAt)
            .issuer("internal-*************");
    CanonicalHttpUriRequest canonical = new CanonicalHttpUriRequest(method, apiPath, contextPath, queryParameters);
    JwtClaimsBuilder.appendHttpRequestClaims(jwtBuilder, canonical);
    JwtWriterFactory jwtWriterFactory = new NimbusJwtWriterFactory();
    return jwtWriterFactory.macSigningWriter(SigningAlgorithm.HS256, sharedKey).jsonToJwt(jwtBuilder.build());
}

Despite following all steps, I consistently receive the following error:

Method threw 'java.net.ConnectException' exception.

Steps I’ve already tried:

  • Verified the ACCESS_EMAIL_ADDRESSES scope in the manifest.
  • Reinstalled the app multiple times.
  • Cleared the database.

Questions:

  1. Am I correctly building the JWT for this specific API (/user/email/bulk)? Is there anything I am missing in the claims or signing process?
  2. Could there be an issue with the app ID or tenant URL formatting in the API calls?
  3. Is this a potential issue with app permissions or the developer mode setup?
  4. Did I miss setting up something in my environment?

Any guidance would be greatly appreciated!
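
For reference, a JDK-only sketch of the JWT that Atlassian Connect expects on a call like this one (an added example, not the poster's code or Atlassian's library; the tenant URL, app key, shared secret and account ids are constructed placeholders). It shows the query parameters entering the qsh claim and the host being prepended once, outside the signed path.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.net.URLEncoder;
import java.security.MessageDigest;
import java.util.*;
import java.util.stream.Collectors;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class ConnectJwtExample {
    // RFC 3986 percent-encoding; URLEncoder is form-style, so patch the differences.
    static String enc(String s) {
        return URLEncoder.encode(s, UTF_8).replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }
    // Canonical request: METHOD & path (no host) & sorted query, repeated values comma-joined.
    static String canonicalRequest(String method, String path, Map<String, List<String>> query) {
        TreeMap<String, String> sorted = new TreeMap<>();
        query.forEach((k, v) -> sorted.put(enc(k),
                v.stream().map(ConnectJwtExample::enc).sorted().collect(Collectors.joining(","))));
        return method.toUpperCase() + "&" + path + "&" + sorted.entrySet().stream()
                .map(e -> e.getKey() + "=" + e.getValue()).collect(Collectors.joining("&"));
    }
    // qsh claim: lowercase hex SHA-256 of the canonical request.
    static String qsh(String canonical) throws Exception {
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(canonical.getBytes(UTF_8)))
            hex.append(String.format("%02x", b));
        return hex.toString();
    }
    static String b64(byte[] raw) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }
    // HS256 JWT with iss, iat, exp and qsh; inputs are assumed to need no JSON escaping.
    static String signedJwt(String appKey, String secret, String qsh, long now) throws Exception {
        String head = b64("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(UTF_8));
        String body = b64(String.format("{\"iss\":\"%s\",\"iat\":%d,\"exp\":%d,\"qsh\":\"%s\"}",
                appKey, now, now + 180, qsh).getBytes(UTF_8));
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret.getBytes(UTF_8), "HmacSHA256"));
        return head + "." + body + "." + b64(mac.doFinal((head + "." + body).getBytes(UTF_8)));
    }
    public static void main(String[] args) throws Exception {
        String host = "https://example.atlassian.net"; // constructed tenant base URL
        String path = "/rest/api/3/user/email/bulk";
        List<String> ids = List.of("constructed-id-2", "constructed-id-1"); // constructed account ids
        String canonical = canonicalRequest("GET", path, Map.of("accountId", ids));
        String jwt = signedJwt("app-key-placeholder", "constructed-secret", qsh(canonical),
                System.currentTimeMillis() / 1000L);
        String url = host + path + "?" + ids.stream().map(i -> "accountId=" + enc(i)).collect(Collectors.joining("&"));
        System.out.println(canonical + "\n" + url + "\nAuthorization: JWT " + jwt);
    }
}
```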

Hello @DarioSRD

For Jira Cloud, Connect apps are not allowed to use the Get User Email Bulk endpoint unless they have been specifically approved by Atlassian, as stated in the endpoint’s documentation:

For Connect apps, this API is only available to apps approved by Atlassian, according to these guidelines.

I think this applies to internal apps as well as published public apps.

Thank you, @sunnyape, for your answer. However, this App Key I’m using was suggested by Atlassian itself after I created a ticket asking to put my app into the whitelist.

Sorry. When you said ‘the support team’ I just assumed you meant your company’s internal support team, not Atlassian themselves.